Root Causes 213: 600-domain Phishing Attack
In this episode we describe a recent phishing campaign noteworthy for its scale, encompassing a total of 600 unique domains. We discuss the implications of a campaign of this scale and high level of organization.
- Original Broadcast Date: March 31, 2022
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
We want to discuss a recent news item that caught your attention. You sent it to me, and it caught my attention. This is a Bleeping Computer article that we're looking at, from March 15, 2022, written by Ionut Ilascu. The headline goes Massive Phishing Campaign Uses 500+ Domains to Steal Credentials. So, the headline says a lot. But what's going on here, Jay?
-
Jason Soroko
This is pretty interesting. It's happening mostly in South Korea, which is part of the story. All of us have probably been, even if we don't use it directly, a lot of us have been exposed to it or we know about it. You know that in North America, Google offers a lot of integrated services - email, document storage, various kinds of MS Office-like applications - and there's just a whole lot of stuff you can do on that platform, and the company out of South Korea, Naver, they're actually offering quite a few similar services. But I can imagine they're specialized in the South Korean language, and probably cater to the folks over there and what their needs are. But this is email, news, knowledge-based Q&A platforms, all kinds of interesting stuff. So, you can imagine that a lot of people in South Korea are using this, and they were targeted, basically, as a phishing campaign, but not just any old phishing campaign, a really huge phishing campaign that used - what was the number, Tim?
-
Tim Callan
I think it was 542 unique domains that were identified that were part of this campaign, this network.
-
Jason Soroko
That's the reason why we are actually looking at this on this podcast is because we quite often talk about phishing, we quite often talk about web servers and domains and I still think to this day, a lot of people think of phishing attacks as being based on a singular domain. Bad guy gets a hold of a domain and uses it and etc. 500+ domains. In fact, if you look down into the article a little further, apparently, even after that number you quoted, Tim, there's another 58 that they found from a different IP address.
-
Tim Callan
Make it a neat 600 - a nice, even clean 600. This suggests a lot of other things. It suggests a certain scale of operation, which also suggests that a certain, a certain scale of what do we want to say, a reward at the end of the day. There's got to be a certain amount of money that you're going to make, or it's not worth your while to do something at that scope. It also suggests that there's probably a very important significant automation component to all of this because how else are you going to manage and handle all of those different domains and make sure everything is working correctly?
-
Jason Soroko
In other words, this is the work of some people who were able to code some serious automation into the way that they're doing their phishing. And, the harvesting of credentials. I can imagine that there might be some money involved in this. But for me, if you think about alright, what happens if you lost your Google credentials, and then you lost access to email, your documents, etc? There's obviously, obviously a lot of very valuable information and data that's floating around within those accounts.
-
Tim Callan
The espionage aspect of it could be one thing. Where if you get the right account, you could be getting corporate secrets and things along those lines, PII, stuff like that. There's also possibly a ransom aspect. I own your account, your whole life is in there, send me 50 bucks and I'll give it back to you.
-
Jason Soroko
That I think is a big, big part of it is the ransomware aspect. Absolutely. TrickBot was quoted in the article and, goodness only knows what else this has turned into. But with those credentials, you can absolutely imagine those credentials being used for the purposes of encrypting all your data and shutting it down and if you want to get access again, you pay a whatever Bitcoin and you get your account back. The standard ransomware story. But I'm also worried about the actual data itself, because a lot of times ransomware is used as a ruse for actual stealing of data. When you see somebody who is this well-organized, and in fact, some of the article goes on to talk about how they were saying that the attackers had not only automated the creation of all these different domains to be able to do the phishing from, but the nature of the code was such that it looked like they could run discrete modules. In other words, there could be discrete attacks from discrete sets of phishing sites for specific purposes.
-
Tim Callan
Sure. So, you could imagine different targets. Or different successful compromises being exploited in different ways. This is a high value target, and I've got something I'm going to do where I try to steal that information to use. This is a low value target, I'm going to just throw them in a bucket and make me a little bit of money. Or I'm gonna kind of use this to build some kind of social engineering attack. That it's gonna be whichever of those it turns out to be.
-
Jason Soroko
The final sentence of the article, of course, talks about Prevailion, the people who had, I guess, published the initial report about this attack. One of the things that it said here is that the criminals involved are relying on Infrastructure as a Service, IaaS, to be able to automate this offering. So, in other words, they didn't mention which public cloud but it's probably one of the big public clouds that they're running their stuff on. This, Tim, this is really just the type of podcast to show people things are getting scarier. Things are getting worse. The bad guys are using the same tools the enterprises are to scale bigger.
-
Tim Callan
Everybody is getting modern. It's not only you. It's the person who is trying to hurt you as well.
-
Jason Soroko
Digital transformation of the bad guys there, guys. The ability for bad guys to now have any number of phishing sites they like. Presumably. Also, when I took a look at some of the names that were used in the phishing sites, they weren't just gobbledygook. They were like sites that you might click on. Presumably, in South Korea, I don't think it's any different. These are going to be names that you might just click on because they look fairly reasonable. And if you get a link in an email, however it is that you're being socially engineered, goodness, the bad guys are just, they're just getting so good at this, that it's starting to look like a modern enterprise, Tim, and that's part of the message we wanted to talk about here today.
-
Tim Callan
Definitely. So unfortunate, but at least let's be aware of it.