Fancy Bear Cyberspies Hide Phishing Pages Behind Blogspot Links

Security researchers have identified a new phishing campaign launched by Russian cyberespionage group Fancy Bear that uses rogue URLs to bypass spam filters.

These latest attacks were aimed at Bellingcat, a group of volunteers who perform open-source and social media investigations on a variety of topics. Bellingcat was also targeted by Fancy Bear in 2015 after the outfit linked the Russian military to the shooting down of Malaysia Airlines Flight 17 over Ukraine in 2014.

Bellingcat shared a new wave of phishing emails with researchers from ThreatConnect, who established a link between the attacks and domain names and infrastructure used in the past by Fancy Bear.

Also known in the security industry as APT28, Pawn Storm or Sofacy, Fancy Bear is a sophisticated cyberespionage group that has targeted a wide variety of organizations over the years, including the Democratic National Committee (DNC) during the U.S. elections.

The phishing emails analyzed by ThreatConnect masqueraded as notifications from Gmail and Dropbox that instructed users to change their account passwords or edit a shared file. The links included in the emails actually pointed to blog sites created on Google’s Blogger platform—

Those websites contained a piece of JavaScript code that automatically redirected visitors to fake Google login pages hosted on phishing domain names that include in their URLs.

“The use of Blogspot URLs has similarities with the notional tactics identified in a September Salon article on Fancy Bear leveraging Google’s Accelerated Mobile Pages (AMP) to create URLs for their credential harvesting pages,” the ThreatConnect researchers said in a blog post. “Doing so likely allowed some Fancy Bear spear-phishing messages to avoid security filters that would have otherwise identified the malicious URLs. In this same way, a URL hosted on Google’s own systems, in this case Blogspot, may be more likely to get past spam filters than URLs hosted on a third party IP address or hostname.”
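A defender-side check for the redirect pattern described above, as an added example (not code from ThreatConnect or the original article): it flags a hosted page whose inline script or meta refresh sends the visitor straight to a different host. The sample page, the hostnames and the regex patterns are constructed for illustration and are not exhaustive.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Client-side navigation patterns; constructed for this example, not exhaustive.
JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']"""
    r"""|location\.(?:replace|assign)\(\s*["']([^"']+)["']""", re.I)
META_URL = re.compile(r"url\s*=\s*['\"]?([^'\";\s]+)", re.I)

# Constructed sample: a blog page on a trusted host that bounces to another host.
SAMPLE_URL = "https://sample.blog-host.example/2017/notice.html"
SAMPLE_HTML = """<html><head><title>Notice</title>
<script>window.location.href = "https://login.phish.example/signin";</script>
</head><body></body></html>"""

class RedirectFinder(HTMLParser):
    """Collects redirect targets from inline <script> bodies and <meta refresh>."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and "src" not in a:
            self.in_script = True
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_URL.search(a.get("content") or "")
            if m:
                self.targets.append(m.group(1))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            for m in JS_REDIRECT.finditer(data):
                self.targets.append(m.group(1) or m.group(2))

def offsite_redirects(page_url, html):
    """Return redirect targets whose host differs from the hosting page's host."""
    host = urlparse(page_url).hostname
    finder = RedirectFinder()
    finder.feed(html)
    return [t for t in finder.targets
            if urlparse(t).hostname not in (None, host)]
```

A mail gateway or analyst script would call `offsite_redirects()` on the fetched content of each link in a message; a non-empty result means the reputation of the linked host says nothing about where the user ends up.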

Fancy Bear is known for its constant use of sophisticated and novel techniques, including zero-day exploits. The group has its own malware implant with versions for Windows, Linux, macOS and Android, and its targeting largely reflects Russia’s geopolitical interests. Many security experts believe that the group is at least coordinated by—if not part of—the Russian Military Intelligence Service (GRU).

Between March 2015 and May 2016, Fancy Bear targeted hundreds of email addresses belonging to U.S. citizens, including top officials such as former Secretary of State John Kerry, former Secretary of State Colin Powell, former NATO Supreme Commander and U.S. Air Force Gen. Philip Breedlove and U.S. Army Gen. Wesley Clark, the Associated Press reported Nov. 2 after analyzing a hit list obtained from one of the group’s servers by security firm SecureWorks.

The targets also included employees at defense contractors Boeing, Raytheon and Lockheed Martin and at least 130 people associated with the Democratic Party—supporters, party workers and campaign staffers. Some Republican Party targets were also identified.

Also on Nov. 2, the Wall Street Journal reported that the U.S. government has identified more than six Russian government officials who are believed to have been involved in the hack against the DNC and the subsequent leak of emails from the organization. U.S. prosecutors and law enforcement agents have gathered sufficient evidence to charge the Russian officials and are considering bringing a case next year, the newspaper reported.

Banking Trojan Pushers Revive Old Technique: Black Hat SEO

Security researchers from Cisco Systems’ Talos group have identified a campaign that distributes the Zeus Panda banking trojan by manipulating Google Search results through compromised websites.

The group has managed to leverage the search ranking of the hijacked websites to inject malicious pages into the first page of the Google search results for particular keyword combinations. This technique is known as black hat search engine optimization (BHSEO).

“The attacker targeted numerous keyword groups, with most being tailored towards banking or financial-related information that potential victims might search for,” the Cisco Talos researchers said in a blog post. “Additionally, certain geographic regions appear to be directly targeted, with many of the keyword groups being specific to financial institutions in India as well as the Middle East.”

BHSEO, or search result poisoning, is not a new technique and was popular with scareware pushers around seven years ago. Scareware was the precursor of ransomware and consisted of malware that posed as antivirus or security products in an attempt to scare users into paying a fee to clean their computers. It seems that the hackers behind this new Zeus Panda campaign are also engaged in similar scams.

“Ironically we have observed the same redirection system and associated infrastructure used to direct victims to tech support and fake AV scams that display images informing victims that their systems are infected with Zeus and instructing them to contact the listed telephone number,” the researchers said.

Lucian Constantin



Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
