View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
October 21, 2019

Highly Automated Phishing Campaign “Spreading Indiscriminately” Across the UK

Attackers are using subtle techniques to trick targets

By CBR Staff Writer

A highly automated credential harvesting campaign is “spreading indiscriminately” across the UK, the National Cyber Security Centre (NCSC)  warned today, saying phishing attacks are spiking.

The attacks, despite being heavily automated, are not typical clumsy spray-and-pray attempts, but more sophisticated and are hitting “a very broad range of UK sectors”, the NCSC warned businesses.

Credential Harvesting Campaign: How it Works

The hackers are using previously compromised accounts to lend legitimacy to the phishing emails, the NCSC warned today: “Phishing emails were previously sent from contacts in recent email communications with the recipient, and the subject lines often mirrored the most recent email exchange. This created an initial plausibility for the user to trust the email.”

Upon receiving an email unsuspecting users are requested to click on a hyperlink in order to view a notification they have received. The hyperlink leads to a spoofed login webpage that mimics the targeted organisation’s own login in portal, complete with the firm’s logos and email address.

The NCSC is warning that once the threat actors have stolen a user’s credentials the: “Actors access the accounts remotely (via IMAP) to monitor the victim mailbox and observe the sent items. The account is then accessed a second time to disseminate this phishing email further (via SMTP), using the victim’s address book identified in the previous access.”

The URL’s and domains created by the hackers seem to follow a word pattern which may make them easier to detect. NCSC has released the following regular expression (RegEx) pattern that IT teams can use to check emails: [?][0-9a-zA-Z\-\’\.]{1,30}[=][0-9a-zA-Z\-\’\.]{1,30}[_-][0-9a-f]{32}\b

They have also released a list of domains associated with the attackers and this campaign which can also be used in IT security checks.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

These are available on the NCSC site here.

Credential Harvesting Gets Password Spraying Help

The NCSC notes that for this type of legitimised phishing campaign to take place an initial compromise must have occurred that needed no employee engagement with the hackers. As such they believe that the hackers are using password spraying to gain access to networks.

Password spraying is when a hacker uses a list of common passwords to brute-force their way past a login page, as a large number of employees still use common and easy to remember credentials.

The UK’s cyber watchdog has warned about the dangerous of password spraying before, noting that in its studies 75 percent of participant organisations had accounts that used the same passwords which were listed in a top 1,000 passwords list.

To mitigate password spraying it is advised that firms configure protective monitoring to watch reachable endpoints in their systems. Users can setup multi-factor authentication and importantly should not reuse passwords for work that their use on personal accounts.

See Also: The Future of AI & Cybersecurity

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.