This phishing group is punishing unsuspecting shoppers on Black Friday

Akamai cybersecurity researchers have discovered a new phishing campaign targeting US consumers with fake holiday offers. The aim of the campaign is to steal sensitive identifying information such as credit card details and, ultimately, the victims' money.

Threat actors create landing pages impersonating some of the largest brands in the United States, including Dick’s, Tumi, Delta Airlines, Sam’s Club, Costco, and others.

The landing page, often hosted on reputable cloud services such as Google or Azure, directs users to complete a short survey, after which they are promised a prize. The survey is also limited to five minutes, using urgency to draw people’s attention away from potential red flags.

Unique phishing URLs

After completing the survey, the victims will be declared “winners”. The only thing they have to do now, in order to claim their prize, is pay for shipping. This is where they provide their sensitive payment information, for later use by attackers in various ways.

However, what makes this campaign unique is its token-based system that allows it to fly under the radar and not be picked up by cyber security solutions.

As the researchers explain, the system helps redirect each victim to a unique URL for the phishing page. URLs vary based on the victim’s location, as scammers look to impersonate locally available brands.

Explaining how the system works, the researchers said each phishing email contains a link to the landing page, which comes with an anchor (#). This is usually how visitors navigate to certain parts of a page. In this scenario, the anchor is a token, which JavaScript on the landing page uses to rebuild the URL.

“The values after the HTML anchor will not be considered as HTTP parameters and will not be sent to the server, however this value can be accessed by JavaScript code running on the victim’s browser,” the researchers said. “In the context of phishing scams, the value placed after the HTML anchor may be ignored or overlooked when examined by security products that check whether it is malicious.”

This value will also be missed when the traffic is examined by a traffic inspection tool.

Cybersecurity solutions overlook this token, which helps threat actors stay out of sight. On the other hand, researchers, analysts, and other unwanted visitors are kept away, because without the appropriate token, the site will not load.
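To show why a scanner or proxy that works from the request alone never sees the token, the added example below (not code from Akamai or from this article) splits a link into the part the server receives and the part that stays in the browser, and flags fragments that look like opaque tokens. The URLs, thresholds and function names are assumptions constructed for illustration.

```javascript
// Added example: all URLs below are constructed, not taken from the campaign.

// What a web server, proxy or traffic inspector sees: the fragment is never
// put on the wire, so it is absent from the request target.
function requestView(link) {
  const u = new URL(link);
  return { host: u.host, target: u.pathname + u.search, fragment: u.hash.slice(1) };
}

// Shannon entropy in bits per character, used to tell opaque tokens
// from ordinary section anchors such as "pricing" or "faq".
function entropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Heuristic thresholds are assumptions; tune them on your own mail flow.
const MIN_TOKEN_LENGTH = 16;
const MIN_TOKEN_ENTROPY = 3.5;

function triageLink(link) {
  const view = requestView(link);
  const frag = view.fragment;
  const opaque = frag.length >= MIN_TOKEN_LENGTH && entropy(frag) >= MIN_TOKEN_ENTROPY;
  return {
    link,
    seenByServer: view.host + view.target,
    fragment: frag,
    // A scanner that fetches only `seenByServer` never tests the page the
    // recipient would get; keep the fragment and render in a browser sandbox.
    needsBrowserAnalysis: opaque,
  };
}

const sampleLinks = [
  "https://storage.example.com/bucket/index.html#Zk3vQ8xT1pLr7Nw2YbH5cD9s",
  "https://docs.example.org/guide?lang=en#installation",
];
for (const l of sampleLinks) console.log(triageLink(l));
```

Links flagged this way should be passed to analysis with the fragment intact, since a fetch of the server-visible part alone does not reproduce what the recipient's browser would load.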

Via: Computer
