BforeAI Identifies Phishing Campaign Using Same Infrastructure Across Multiple Domains
BforeAI today disclosed a phishing campaign that reuses the same core infrastructure behind lookalike domains spoofing several unrelated organizations.
BforeAI's PreCrime Labs threat research team began tracking the campaign when it targeted end users logging in to portals run by insurance providers. The operators then shifted focus to the U.S. Department of Education's G5 portal, which is used to manage grants and federal education funding. Multiple lookalike domains have been observed cloning the G5 login page to harvest credentials.

Now that same infrastructure is being used to target end users accessing payment systems operated by the state of Texas.
The phishing pages post the captured form data to an analytics.php endpoint and then poll an updates.php endpoint in an asynchronous loop to simulate login processing. The operators also use browser-based cloaking and document object model (DOM) manipulation so that automated scanners see a different page than a real browser does.
Finally, each page attempts to redirect the victim to a /verify/ endpoint, which could stage a secondary phishing step or an attempt to capture multi-factor authentication (MFA) codes.
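The behaviours above (a form or fetch posting to analytics.php, a timer polling updates.php, a redirect to /verify/) are concrete enough to turn into a content signature. The following scanner is an added example, not BforeAI's or the kit's code: the three kit indicators are the paths the article names, while the cloaking and DOM-injection markers (navigator.webdriver checks, innerHTML/document.write) are assumed generic heuristics, and both HTML samples are constructed for the demo rather than captured pages.

```python
"""Heuristic scanner for the phishing-kit behaviours described in the article.

Added example, not BforeAI's code. Kit indicators come from the article
(analytics.php, updates.php, /verify/); cloaking markers are assumptions.
"""
import re

# Indicators named in the article. Each pattern is deliberately loose: the
# kit may build the form via JavaScript rather than static HTML.
KIT_INDICATORS = {
    # Form action or fetch/XHR POST whose target ends in analytics.php.
    "analytics_post": re.compile(
        r"""(?:action\s*=\s*["'][^"']*analytics\.php"""
        r"""|fetch\(\s*["'][^"']*analytics\.php"""
        r"""|\.open\(\s*["']POST["']\s*,\s*["'][^"']*analytics\.php)""",
        re.I,
    ),
    # A timer whose callback (within 200 chars) requests updates.php.
    "updates_poll": re.compile(
        r"(?:setInterval|setTimeout)\s*\([\s\S]{0,200}?updates\.php", re.I
    ),
    # Client-side redirect to a /verify/ path.
    "verify_redirect": re.compile(
        r"""(?:location(?:\.href)?\s*=|location\.(?:replace|assign)\()\s*["'][^"']*/verify/""",
        re.I,
    ),
}

# Assumed generic markers (not from the article): automation checks and
# deferred DOM construction that crawlers without a JS engine never see.
CLOAK_INDICATORS = {
    "webdriver_check": re.compile(r"navigator\.webdriver", re.I),
    "dom_injection": re.compile(r"(?:innerHTML\s*=|document\.write\(|insertAdjacentHTML\()", re.I),
}


def scan_page(html: str) -> dict:
    """Return the names of the kit and cloaking indicators present in html."""
    return {
        "kit": [name for name, rx in KIT_INDICATORS.items() if rx.search(html)],
        "cloak": [name for name, rx in CLOAK_INDICATORS.items() if rx.search(html)],
    }


def score(hits: dict) -> int:
    """Kit indicators weigh 2, cloaking markers 1: DOM manipulation alone is common on benign sites."""
    return 2 * len(hits["kit"]) + len(hits["cloak"])


def verdict(html: str) -> str:
    s = score(scan_page(html))
    if s >= 4:
        return "likely-kit"
    if s >= 2:
        return "suspicious"
    return "clean"


# Constructed sample resembling the described kit (not a captured page).
SAMPLE_KIT_PAGE = """<html><body><div id="app"></div>
<script>
if (navigator.webdriver) { document.getElementById('app').innerHTML = '<p>Loading...</p>'; }
else {
  document.getElementById('app').innerHTML =
    '<form id="login" method="POST" action="/analytics.php">' +
    '<input name="user"><input name="pass" type="password"><button>Sign in</button></form>';
  document.getElementById('login').onsubmit = function(e){
    e.preventDefault();
    fetch('/analytics.php', {method:'POST', body:new FormData(e.target)});
    setInterval(function(){ fetch('/updates.php?t=' + Date.now()); }, 1500);
    setTimeout(function(){ window.location.href = '/verify/'; }, 6000);
  };
}
</script></body></html>"""

# Constructed benign page: a normal login form plus one harmless innerHTML write.
SAMPLE_BENIGN_PAGE = """<html><body>
<form method="POST" action="/login"><input name="user"><input name="pass" type="password"></form>
<span id="year"></span>
<script>document.getElementById('year').innerHTML = new Date().getFullYear();</script>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("kit", SAMPLE_KIT_PAGE), ("benign", SAMPLE_BENIGN_PAGE)):
        print(label, verdict(page), scan_page(page))
```

Run it against the fetched HTML of a suspect domain (fetch with a real browser user agent, since the cloaking described above may serve scanners an empty shell). The weighting matters: a lone innerHTML write on the benign sample scores 1 and stays "clean", while the kit sample trips all three article indicators and both cloaking markers.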
The following domains have been observed hosting phishing kits or cloned login portals, including fake login forms and JavaScript-based credential exfiltration:
mynylifeinsuraces.com
mysoleverhrnix.com
myizolvedpeopls.com
myapdpetrol.com
g5parameters.com
g4parameters.com
Abu Qureshi, threat intelligence and mitigation lead for BforeAI, said the sites themselves are linked to Hello Internet Corp, a registrar for domains that is notorious for not responding quickly to alerts of abuse from cybersecurity professionals.
Additionally, all of the domains are fronted by the Cloudflare content delivery network (CDN), which hides the origin host and keeps the pages resilient. While Cloudflare generally moves quickly to isolate these domains, it's relatively trivial for cybercriminals to register another domain with Hello Internet Corp., noted Qureshi.
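Because the actors can cheaply register a fresh domain once one is taken down, blocking the six listed domains exactly is not enough. The script below is an added example, not BforeAI's code: it matches proxy-log hostnames against the domains listed above, including their subdomains, and additionally flags hostnames within one edit of a listed domain as possible re-registrations (that rotation pattern is an assumption, not something the article documents). The log lines are constructed for the demo.

```python
"""Match proxy-log hostnames against the article's IOC domains and near variants.

Added example, not BforeAI's code. IOC_DOMAINS are the six domains the
article lists; the log lines are constructed; the distance-1 "near-variant"
rule is an assumption about how the actors rotate domains.
"""
import re

IOC_DOMAINS = {
    "mynylifeinsuraces.com", "mysoleverhrnix.com", "myizolvedpeopls.com",
    "myapdpetrol.com", "g5parameters.com", "g4parameters.com",
}

# Constructed proxy log: timestamp client method url status.
SAMPLE_LOG = """2025-06-12T10:01:04Z 10.0.4.21 GET https://www.example.org/ 200
2025-06-12T10:01:09Z 10.0.4.21 GET https://login.g5parameters.com/ 200
2025-06-12T10:01:12Z 10.0.4.21 POST https://login.g5parameters.com/analytics.php 200
2025-06-12T10:03:50Z 10.0.4.33 GET https://g6parameters.com/verify/ 200
2025-06-12T10:04:02Z 10.0.4.40 GET https://mynylifeinsuraces.com/ 200"""

HOST_RX = re.compile(r"https?://([^/\s:]+)")


def registrable(host: str) -> str:
    """Collapse a hostname to its last two labels (all IOCs here are plain .com)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance; used to catch one-character re-registrations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> str:
    """'ioc' for an exact or subdomain match, 'near-variant' for distance-1 lookalikes, else 'none'."""
    base = registrable(host)
    if base in IOC_DOMAINS:
        return "ioc"
    if any(levenshtein(base, ioc) <= 1 for ioc in IOC_DOMAINS):
        return "near-variant"
    return "none"


def scan_log(lines: str) -> list:
    """Return (host, classification) for every request to a flagged domain."""
    hits = []
    for line in lines.splitlines():
        m = HOST_RX.search(line)
        if not m:
            continue
        host = m.group(1)
        kind = classify(host)
        if kind != "none":
            hits.append((host, kind))
    return hits


if __name__ == "__main__":
    for host, kind in scan_log(SAMPLE_LOG):
        print(f"{kind:12} {host}")
```

Exact and subdomain hits are safe to block outright. Near-variant hits need an analyst's eye before blocking, since a distance of one from a typosquat can also land on a legitimate brand's real domain; they are best routed to the kind of infrastructure-scoring described in the next paragraph rather than to an automatic denylist.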
As it becomes easier to track the infrastructure behind phishing campaigns, it should also become simpler to block the domains cybercriminal syndicates stand up on it. BforeAI, for example, offers a PreCrime service that automatically monitors and scores behavioral data to identify suspicious infrastructure. Absent any ability to mitigate these attacks, it is becoming easier to disrupt them by tracing them back to the infrastructure used to launch them, said Qureshi.
The gap between the detection of a phishing campaign and the ability to mitigate or disrupt it should continue to narrow. In the meantime, cybersecurity teams should keep a close eye on phishing campaigns that spoof the services their organization provides. Customers who are victimized by these attacks look for someone to blame, so beyond the financial loss there can be considerable reputational damage.
Little can be done to prevent cybercriminals from registering fake domains, but as awareness grows, end users may become more careful. Cybersecurity professionals should therefore closely monitor how phishing campaigns are launched, as part of a larger effort to keep customers from concluding that nothing on the internet can be trusted because the fake sites have come to outnumber the legitimate ones.

