A highly automated credential harvesting campaign is “spreading indiscriminately” across the UK, the National Cyber Security Centre (NCSC) warned today, saying phishing attacks are spiking.
The attacks, despite being heavily automated, are not typical clumsy spray-and-pray attempts, but more sophisticated and are hitting “a very broad range of UK sectors”, the NCSC warned businesses.
Credential Harvesting Campaign: How it Works
The hackers are using previously compromised accounts to lend legitimacy to the phishing emails, the NCSC warned today: “Phishing emails were previously sent from contacts in recent email communications with the recipient, and the subject lines often mirrored the most recent email exchange. This created an initial plausibility for the user to trust the email.”
Upon receiving an email unsuspecting users are requested to click on a hyperlink in order to view a notification they have received. The hyperlink leads to a spoofed login webpage that mimics the targeted organisation’s own login in portal, complete with the firm’s logos and email address.
The NCSC is warning that once the threat actors have stolen a user’s credentials the: “Actors access the accounts remotely (via IMAP) to monitor the victim mailbox and observe the sent items. The account is then accessed a second time to disseminate this phishing email further (via SMTP), using the victim’s address book identified in the previous access.”
The URL’s and domains created by the hackers seem to follow a word pattern which may make them easier to detect. NCSC has released the following regular expression (RegEx) pattern that IT teams can use to check emails: [?][0-9a-zA-Z\-\’\.]{1,30}[=][0-9a-zA-Z\-\’\.]{1,30}[_-][0-9a-f]{32}\b
They have also released a list of domains associated with the attackers and this campaign which can also be used in IT security checks.
Content from our partners
These are available on the NCSC site here.
Credential Harvesting Gets Password Spraying Help
The NCSC notes that for this type of legitimised phishing campaign to take place an initial compromise must have occurred that needed no employee engagement with the hackers. As such they believe that the hackers are using password spraying to gain access to networks.
Password spraying is when a hacker uses a list of common passwords to brute-force their way past a login page, as a large number of employees still use common and easy to remember credentials.
The UK’s cyber watchdog has warned about the dangerous of password spraying before, noting that in its studies 75 percent of participant organisations had accounts that used the same passwords which were listed in a top 1,000 passwords list.
To mitigate password spraying it is advised that firms configure protective monitoring to watch reachable endpoints in their systems. Users can setup multi-factor authentication and importantly should not reuse passwords for work that their use on personal accounts.
