Thursday, October 10, 2024
HomeCyber Security NewsSign in to Leak Your Credentials - Attackers Abusing Legitimate Services

Sign in to Leak Your Credentials – Attackers Abusing Legitimate Services

Published on

An ongoing phishing campaign has found that attackers abuse legitimate credential harvesting services and data exfiltration to avoid detection.

With 59% of assaults recorded, credential harvesting has consistently been the most common attack vector.

It contributes significantly to business email compromise (BEC), which accounts for 15% of all assaults.

- Advertisement - EHA

HTML files are among the most popular attack vectors attackers use for phishing and other frauds.

More than 50% of malicious attachments are HTML files, according to Check Point’s telemetry.

Many such files pose as login pages for well-known services and companies, including Microsoft, Webmail, etc., to trick the user.

Process Of Harvesting Credentials

It has been noted that continuing efforts involving tens of thousands of emails use reputable services like EmailJS, Formbold, Formspree, and Formspark to collect these stolen credentials.

Many developers use these online form builders to design unique forms for their websites or web applications.

To help to gather user data systematically, they could include a variety of form field kinds, including text input fields, radio buttons, checkboxes, dropdown menus, and more.

After a user submits the form, the service will perform data processing and gather these compromised credentials.

Credential Harvesting Process

A type of hack known as “credential harvesting” allows criminals to get sensitive information such as usernames and passwords to gain initial company access or sell it online. 

Dark web forum selling stolen credentials

According to the report shared with Cyber Security News, attackers increasingly use legitimate services, making it more difficult to fight against and may result in credential theft.

“This new method of using a legitimate form service’s API, which many developers also use, makes malicious HTML files harder to block,” researchers explain.

“By using this API, the credentials can be sent to wherever the attacker chooses. It could even be in his mailbox”.

Phishing page using EmailJS

One of the ongoing campaigns that the Check Point Research team found begins with a phishing email that makes the recipient feel pressured to open the attachment.

The campaign used many versions of the email and several HTML templates.

The victim’s email address is already filled out in the form by the campaign author since it is hardcoded in the HTML file, giving the sign-in page a more trustworthy appearance. 

The attacker receives the victim’s login and password as soon as the victim submits his credentials and tries to log in since they are sent directly to his email inbox.

To effectively defend against phishing attempts, an organization must implement security awareness training, email filtering, scanning for malicious attachments, checking for spelling and grammar, and anti-phishing solutions.

Looking For an All-in-One Multi-OS Patch Management Platform – 

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The agreement has marked over 600,000 fraudulent domains for takedown in just two months...

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...

Foxit PDF Reader Vulnerability Let Attackers Execute Arbitary Code

Researchers recently disclosed six new security vulnerabilities across various software, as one critical vulnerability...

Wireshark 4.4.1 Released, What’s new!

Wireshark, the world’s leading network protocol analyzer, has just released version 4.4.1, bringing a...