Group-IB has uncovered a sophisticated phishing campaign, dubbed PerSwaysion, that targeted the executives of more than 150 companies worldwide.
Group-IB, a Singapore-based cybersecurity company, has identified a series of sophisticated and successful phishing attacks on executives and managers from more than 150 companies worldwide. The campaign, named PerSwaysion because of its extensive abuse of Microsoft Sway, has been running since mid-2009 and is attributed to Vietnamese developers and Nigerian operators. The cybercriminals behind PerSwaysion gained access to numerous confidential corporate emails in Microsoft Office 365, mainly at financial companies, law firms and real estate groups.
The PerSwaysion campaign is growing at an alarming rate, using data from compromised email accounts to select further targets who hold important positions and have business relationships with the victims. Group-IB is cooperating with the relevant parties in the affected countries to notify the compromised companies.
No brute force, just PerSwaysion.
PerSwaysion is a highly targeted phishing campaign. One of its characteristics is that it spreads like wildfire, jumping from one victim to the next, while no malware ever touches the user’s device. A new round of phishing attempts sent from the latest victim’s account usually follows in less than 24 hours.
The campaign resulted in the compromise of 156 executives from global and regional financial centres, including the United States, Canada, Germany, the United Kingdom, the Netherlands, Hong Kong and Singapore.
The PerSwaysion campaign is mainly aimed at financial companies (about 50%), law firms and real estate companies, in order to pivot to their clients and business contacts. Group-IB has set up a website where anyone can check whether their email address has been compromised by PerSwaysion.
Group-IB’s DFIR team was engaged to investigate an incident at an Asian company, where it found that PerSwaysion is a three-phase phishing operation using specific tactics and techniques to evade detection. The threat actors use established social engineering techniques to persuade key people in companies to open malicious PDF email attachments sent from the genuine addresses of their contacts.
The PDF attachment is a well-crafted Office 365 file-sharing notification that mimics the legitimate format. After clicking the Read Now button, the victim, in most cases a senior executive, is redirected to a file hosted on Microsoft Sway. The attackers choose legitimate cloud-based content-sharing services such as Microsoft Sway, Microsoft SharePoint and OneNote to evade traffic detection. The page resembles a genuine Microsoft Office 365 file-sharing page, but it is a specially crafted presentation that takes advantage of Sway’s default borderless view.
From this page the target is redirected to the final destination, an actual phishing site disguised as the 2017 version of Microsoft’s single sign-on page. Here the phishing kit assigns each victim a unique serial number, which serves as a rudimentary fingerprinting method: repeated requests for the same URL are rejected, which defeats automated threat-detection tools that revisit URLs opened by targets. When a senior employee submits their Office 365 credentials, the data is sent to a separate data server together with an additional email address hidden on the page. That email address serves as a real-time notification channel, ensuring the attackers can act on newly acquired credentials.
Next round within 24 hours.
PerSwaysion’s threat actors act quickly on newly harvested executive credentials. Group-IB’s researchers found that the cybercriminals take three main steps to launch a new round of phishing attempts against people the victim has recently corresponded with, which on average takes less than 24 hours. Once the credentials reach the attackers’ command-and-control server, PerSwaysion operators log into the compromised email account. They download the email data via APIs and map the owner’s high-level business relationships. Finally, they generate new phishing PDF files bearing the current victim’s full name, email address and the legal name of their company. These PDFs are sent to new targets, usually outside the victim’s organisation, who hold important positions. PerSwaysion operators generally delete the phishing messages they sent from the compromised account’s outgoing mail to avoid raising suspicion. A detailed technical analysis of PerSwaysion’s operations and attack patterns is available on the Group-IB blog.
PerSwaysion’s threat actors do not yet show a clear preference for a monetisation model, said Feixiang He, senior analyst at Group-IB’s Threat Intelligence unit. The attackers hold covert access to many corporate email accounts and a large trove of sensitive email data belonging to senior business people. That opens up many possibilities. Account access can be sold in bulk to other cybercriminals to run traditional financial scams. Sensitive business information from email, such as non-public financial documents, confidential business strategies and customer lists, can be sold to the highest bidder on underground markets.
Who is behind PerSwaysion?
The PerSwaysion campaign is a series of phishing-kit-driven operations that involve no malware on the victim’s device. Analysis of the campaign’s phishing kit showed that it was developed mainly by Vietnamese-speaking actors who specialise in this type of threat: the user-input validation module (VeeValidate) used in the code includes only the Vietnamese language pack, although the library supports 48 languages. Further research showed that the development group does not conduct phishing campaigns itself; instead, the developers most likely sold their phishing kit and PDF generator to various cybercriminals for direct profit.
Group-IB’s Threat Intelligence team identified several loosely connected subgroups of threat actors that carry out the phishing attacks themselves. It tracked a total of 27 email addresses used to collect and report stolen email credentials; these addresses are embedded in the PerSwaysion phishing kits. Some of them have also been used to register LinkedIn accounts for collecting profiles of potential victims, data that helps PerSwaysion’s attackers select people holding key positions in a company.
Further research suggests that one of the earliest groups of PerSwaysion operators is a group of threat actors active in Nigeria and South Africa, led by a Nigerian individual known as Sam. Since 2017 this group has been engaged in various activities, ranging from online shopping fraud to phishing attacks. The large geographic and cultural distance between the phishing kit developers and the campaign operators points to a growing specialisation among cybercriminals.
According to Feixiang He, the PerSwaysion campaign is a living example of how highly specialised phishing experts work together to attack senior executives effectively and at scale. They use a variety of tactics and techniques to avoid traffic detection and automated threat detection, such as file-sharing and web-hosting services from well-known providers. The campaign uses non-trivial counter-detection techniques, such as randomising the malicious JS filenames served to victims, fingerprinting browsers and denying them a repeat visit. Such actions by cybercriminals seeking confidential business information require a non-standard approach to detection and response.
Cloud-based business services such as Microsoft Sway pose new challenges to traditional cyber threat management systems. A sound cloud migration plan should account for changes in early warning, anomaly detection and incident response. When deploying cloud-based business services, enforcing two-factor authentication (2FA) is important to reduce the risk of credential theft. In addition, when planning the cloud service architecture, system administrators should evaluate the log management options offered by service providers and integrate transaction log data into existing threat detection workflows.
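The post-compromise sequence described above (login with stolen credentials from an unfamiliar client, bulk mailbox download via API, outgoing PDF lures to external contacts, deletion of the sent messages) is the kind of pattern the recommended log integration should catch. The following is an added example, not Group-IB’s code or any vendor’s product logic: it runs a simple heuristic over constructed mailbox audit events. The event schema (`op`, `client`, `ip`, `count`, `to`, `attachments`), the sample data, the 500-message bulk threshold and the 24-hour window are all assumptions chosen for illustration; real audit logs will need a field mapping.

```python
"""Heuristic detection of PerSwaysion-style account takeover in mailbox audit logs.

Added example; the event format below is a constructed, simplified stand-in
for a mailbox audit log, not a real product schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: normal activity on day one, then a login from a
# never-before-seen client/IP, a bulk mail read via an API client, an outgoing
# PDF to an external domain, and deletion of the sent item within minutes.
SAMPLE_EVENTS = [
    {"ts": "2020-04-01T09:00:00", "user": "cfo@victim.example", "op": "login",
     "client": "Outlook/Windows", "ip": "203.0.113.10"},
    {"ts": "2020-04-01T09:05:00", "user": "cfo@victim.example", "op": "mail_read",
     "client": "Outlook/Windows", "ip": "203.0.113.10", "count": 12},
    {"ts": "2020-04-02T03:10:00", "user": "cfo@victim.example", "op": "login",
     "client": "python-requests/2.22", "ip": "198.51.100.77"},
    {"ts": "2020-04-02T03:12:00", "user": "cfo@victim.example", "op": "mail_read",
     "client": "python-requests/2.22", "ip": "198.51.100.77", "count": 1400},
    {"ts": "2020-04-02T03:40:00", "user": "cfo@victim.example", "op": "mail_send",
     "client": "python-requests/2.22", "ip": "198.51.100.77",
     "to": "partner@lawfirm.example", "attachments": ["Invoice_Q1.pdf"]},
    {"ts": "2020-04-02T03:41:00", "user": "cfo@victim.example", "op": "sent_item_delete",
     "client": "python-requests/2.22", "ip": "198.51.100.77"},
]

BULK_READ_THRESHOLD = 500     # assumed: a single read event above this is "bulk"
WINDOW = timedelta(hours=24)  # the article reports the next round within 24 hours


def parse_ts(value):
    return datetime.fromisoformat(value)


def baseline_clients(events, before):
    """Map each user to the (client, ip) pairs seen before a given time."""
    seen = defaultdict(set)
    for e in events:
        if parse_ts(e["ts"]) < before:
            seen[e["user"]].add((e["client"], e["ip"]))
    return seen


def find_suspicious_sessions(events):
    """Return one alert per login from a previously unseen client that is
    followed, within WINDOW and from the same client, by bulk reads, external
    PDF sends or sent-item deletion. Each alert lists the flags it matched."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, login in enumerate(events):
        if login["op"] != "login":
            continue
        t0 = parse_ts(login["ts"])
        origin = (login["client"], login["ip"])
        if origin in baseline_clients(events, t0)[login["user"]]:
            continue  # known client for this user; outside this heuristic
        user_domain = login["user"].split("@")[1]
        flags = set()
        for f in events[i + 1:]:
            if f["user"] != login["user"] or parse_ts(f["ts"]) - t0 > WINDOW:
                continue
            if (f["client"], f["ip"]) != origin:
                continue
            if f["op"] == "mail_read" and f.get("count", 0) >= BULK_READ_THRESHOLD:
                flags.add("bulk_mail_read")
            if f["op"] == "mail_send":
                external = not f.get("to", "").endswith("@" + user_domain)
                has_pdf = any(a.lower().endswith(".pdf") for a in f.get("attachments", []))
                if external and has_pdf:
                    flags.add("external_pdf_send")
            if f["op"] == "sent_item_delete":
                flags.add("sent_item_delete")
        if flags:
            alerts.append({"user": login["user"], "login_ts": login["ts"],
                           "client": login["client"], "ip": login["ip"],
                           "flags": sorted(flags), "score": len(flags)})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_sessions(SAMPLE_EVENTS):
        print(alert)
```

The first login in the sample produces no alert because nothing suspicious follows it; the second matches all three flags. In practice the "new client" baseline should come from weeks of history rather than the same batch of events, and the score would feed an existing alerting pipeline rather than being printed.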
The original article is available:
https://www.group-ib.com/blog/perswaysion
About Group-IB
Group-IB is a Singapore-based provider of solutions for detecting and preventing cyberattacks and online fraud, for intellectual property protection and for high-profile cyber investigations.
Pierluigi Paganini (Security Affairs – hacking)