• Articles
    • Editorial Articles
    • Research Articles
    • WatchGuard Articles
  • The 443 Podcast
  • Threat Landscape
  • About
    • About Us
    • Contact Us
    • Contribute to Secplicity

Secplicity - Security Simplified

Powered by WatchGuard Technologies

New Phishing Attacks Stealing MFA Tokens Too

June 6, 2019 By Trevor Collins

In the Firebox Feed, our threat intelligence feed powered by WatchGuard Firebox customers around the world, we recently came across a trending phishing campaign that uses a malicious PDF as part of its attack. Targeting mostly German users, the PDF comes attached to an email with a subject line that translates from German to “Invoice for your sales tax.” Included in the email were instructions to add a certificate to the user’s trusted certificate store. While we didn’t have to add any certificates for the malware to successfully infect our sandbox, as a rule one should never add a certificate to their computer unless they can verify its validity.

We opened the PDF with Chrome and this was our experience:

The email gave us an error message in German that told us we must open the PDF with Acrobat Reader. This should be a red flag for anyone because Acrobat Reader can do more potentially malicious actions with a PDF than Chrome on its own, like execute JavaScript.  To see what damage the file could do, we ignored the red flags and opened the file with Acrobat Reader.  The PDF opened an input from using Javascript that prompted us for our Amazon username and password, which we filled in with bogus information.

The PDF then displayed a security warning from Adobe. In the warning, after looking carefully, we could see the username and password in the URL, another red flag. As you can see in the warning below,  the domain sellercentral[dot]amazon[dot]de[dot]A5793ERYGH40WW09[dot]oms3[dot]biz isn’t actually an Amazon domain but instead is a subdomain of oms3[dot]biz. Using subdomains to masquerade as a legitimate company is a common tactic in phishing attacks.

We clicked through the warning to continue our investigation. By clicking “Allow,” the PDF sent the email and password we entered to the attacker’s web server in a web request. The web request took us to what looked like an Amazon page, but hosted on OMS3[dot]biz. We have seen this type of attack before, but this specific one gets interesting. The page displayed a second form,  asking us for our 2FA code from our phone. After we input our 2FA code we were sent to sellercentral.amazon.de the correct Amazon domain. In the meantime, the attacker in control of the phishing site would now have access to our Amazon account (if we used our real login credentials). Not only did we just give our username and password to them, but we suspect the server behind this phishing site has sent the username and password to Amazon to start the login process automatically.

This whole prosses runs in JavaScript while using the phishing sites mentioned. We performed a packet capture during this test and we can clearly see the username, password, and 2FA in clear text being sent to the phishing site.

This code gets sent as a HTML form after submitting the last form.

submitted=true&tel=2ndFactorCode&mfaSubmit=Submit

This malware showed an evolution in typical phishing attacks, using advance techniques to gather 2FA tokens in order to access the victim’s Amazon account. We suspect the attacker automated the backend to siphon money from the victim’s account for themselves. With 2FA becoming more widely adopted for logins, phishing attempts are getting more sophisticated when attempting to access your data. 2FA makes logins much more secure but no amount of security makes users completely safe. But if users know what to look for and don’t bypass warnings then we can get closer to being completely secured.

Share This:

Related

Filed Under: Editorial Articles, Research Tagged With: Adobe, Phishing

Comments

  1. Rob says

    June 6, 2019 at 3:22 am

    You have a live link to a website known to be utilised in this campaign. Please defang.

    Reply
    • Corey Nachreiner says

      June 25, 2019 at 8:37 am

      I have defanged the one I believe you are talking about.

      Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

The 443 Podcast

A weekly podcast featuring the leading white-hat hackers and security researchers. Listen Now
the 443 podcast

Threat Landscape

Filter and view Firebox Feed data by type of attack, region, country, and date range. View Now
threat landscape

Top Posts

  • US National Cybersecurity Strategy
  • Here Come The Regulations
  • Successfully Prosecuting a Russian Hacker
  • Cybersecurity’s Toll on Mental Health

Email Newsletter

Sign up to get the latest security news and threat analysis delivered straight to your inbox

By signing up you agree to our Privacy Policy.


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

  • An Update on Section 230
  • Here Come The Regulations
  • US National Cybersecurity Strategy
  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
  • Cybersecurity’s Toll on Mental Health
View All

Search

Archives

Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use