A bizarre phishing campaign is afoot, using a tool known as a phishing kit to steal passwords. What makes this campaign strange is that it is assembled from bits and pieces of code lifted from other hackers' kits. The kit, called TodayZoo, has recently come to Microsoft's attention.
Explaining the TodayZoo phishing kit
So, what is a phishing kit? It is a set of software or services that work together to let attackers launch phishing attacks. Microsoft named this kit TodayZoo because that string appears in the kit's code. The campaign launched through TodayZoo is also being termed "Franken-phish". If you're familiar with the story of Frankenstein, you'll know that the scientist Frankenstein built his creature out of several different parts. Similarly, the TodayZoo kit is composed of multiple elements, some freely available from scam sellers and some customized by kit sellers.
How the phishing campaign is being executed
TodayZoo uses a WorkMail domain, "AwsApps[.]", to generate phishing links in bulk. The links lead to lure pages that look exactly like the Microsoft 365 login page.
According to Microsoft, the hackers using TodayZoo are not too keen on the details. Instead of setting up WorkMail accounts under legitimate-sounding, authentic-looking domains, they simply use random domain names. Apparently, the hackers are working on a small budget.
But if you know anything else about the Frankenstein story, you'll recall that the creature was quite simply a monster. Such is the scale of this phishing campaign.
So, how did Microsoft get involved? The hackers happened to impersonate Microsoft domains as well. They used a trick called zero-point font obfuscation, in which text is hidden in the body of an email by setting its font size to 0pt, so that the recipient never sees it but mail filters still read it. Fortunately, Microsoft was already monitoring for such zero-font attacks, saw a major uptick, and was thereby alerted to an ongoing scam.
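A defender-side check of the kind that monitoring implies, added here as an illustration (it is not Microsoft's code or the kit's): it parses an HTML e-mail body with Python's standard library, separates text styled at font-size 0 from what the reader actually sees, and runs on a constructed sample lure (the `example.invalid` link and all of the text are made up).

```python
"""Flag zero-point-font text (font-size:0) hidden in an HTML e-mail body."""
import re
from html.parser import HTMLParser

# An inline font-size of zero in any unit: 0, 0pt, 0px, 0.0em, ...
ZERO_FONT = re.compile(
    r"font-size\s*:\s*0+(?:\.0+)?\s*(?:pt|px|em|rem|%)?\s*(?:;|!|$)", re.I)
# Void elements never get a closing tag, so they must not push onto the stack.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col",
             "embed", "source", "track", "wbr"}

class ZeroFontScanner(HTMLParser):
    """Splits body text into what a reader sees and what font-size:0 hides."""
    def __init__(self):
        super().__init__()
        self.stack = []    # (tag, hidden?) for every open element
        self.visible = []  # text rendered at a normal size
        self.hidden = []   # raw text fragments rendered at font-size 0

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        inherited = self.stack[-1][1] if self.stack else False  # nested in hidden?
        self.stack.append((tag, inherited or bool(ZERO_FONT.search(style))))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed <p> and <li>.
        if any(t == tag for t, _ in self.stack):
            while self.stack.pop()[0] != tag:
                pass

    def handle_data(self, data):
        hidden = bool(self.stack and self.stack[-1][1])
        (self.hidden if hidden else self.visible).append(data)

def scan_email_html(html):
    """Return (visible_text, hidden_fragments) for one HTML body."""
    scanner = ZeroFontScanner()
    scanner.feed(html)
    scanner.close()
    visible = re.sub(r"\s+", " ", "".join(scanner.visible)).strip()
    return visible, [h.strip() for h in scanner.hidden if h.strip()]

# Constructed sample lure: junk inside "Microsoft" plus a hidden filler paragraph.
SAMPLE = ('<p>Your Mi<span style="font-size:0pt">xq</span>crosoft 365 password '
          'expires today.</p>\n<p style="font-size: 0px;">lorem ipsum filler</p>\n'
          '<p>Click <a href="https://example.invalid/reset">here</a> to keep it.</p>')
```

A non-empty hidden list is the signal: brand names split by zero-font junk defeat naive keyword matching, while the visible text is what the recipient reads.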
TodayZoo phishing campaigns in April and May 2021 largely impersonated Microsoft 365 login pages and delivered a password-reset link. Later, in August, they turned to cruder lures such as Xerox-branded fax notifications (you get an alert that a fax is arriving and must enter your credentials to access it).
Additionally, Microsoft found that the majority of the scam landing pages were hosted on the cloud provider DigitalOcean.
Curiously enough, TodayZoo does not store the stolen credentials at another location or forward them to the hackers' email addresses. Instead, it stores them on the phishing site itself. This trait is unique to the TodayZoo kit, and researchers had already observed it when the kit was earlier used to phish Zoom meeting credentials.
“While many phishing kits are attributed to a wide variety of email campaign patterns and, conversely, many email campaign patterns are associated with many phishing kits, TodayZoo-based pages exclusively utilized the same email campaign patterns, and any of those subsequent email campaigns only surfaced TodayZoo kits. These lead us to believe that the actors behind this specific TodayZoo implementation are operating on their own,” Microsoft said.
To stop the spread, Microsoft also notified other giants such as AWS.