Server-Side Phishing Attacks Target Employee and Member Portals to Steal Login Credentials

Attackers have been deploying server-side phishing schemes to compromise employee and member login portals across various enterprises.

This strategic shift to server-side operations is designed to evade detection and complicate analysis.

Evolving Phishing Techniques

Recent investigations have highlighted a marked evolution in the tactics employed by phishing campaigns.

Traditional methods relied on client-side redirects to validate stolen credentials, but the current setup leverages server-side checks to do so.

According to the Hunt, this change was noted when researchers, after identifying an initial attack vector through a Google Ads malvertising campaign targeting Lowe’s employees, expanded their search to uncover similar phishing operations.

Using sophisticated tools like HuntSQL, a targeted query within the crawler dataset helped pinpoint pages exhibiting the new server-side behavior.

A notable example includes the domain myinfoaramapay[.]com, which closely mimics Aramark’s legitimate employee access portal but with subtle alterations like the removal of the virtual assistant feature.

Technical Analysis

Further analysis revealed that once credentials are entered into these fraudulent sites, JavaScript codes capture the data and submit it to a PHP backend script, xxx.php.

Instead of immediate client-side validation, these scripts now trigger a new endpoint, check.php, to verify credentials server-side. This includes:

• Immediate redirection to a legitimate login page upon successful verification.
• An alert and page refresh if credentials are incorrect.
• Silent polling if the server does not respond.

This backend logic significantly reduces the visibility of the phishing flow, making it harder for defenders to detect and analyze the attack.

In examining the infrastructure, which is hosted by Chang Way Technologies Co. Limited in Russia, researchers identified multiple domains on IP 80.64.30[.]101, including those mimicking major corporations like AT&T and AFLAC.

An intriguing aspect is the use of a decoy website “Technology Pharmacy CVS” directly accessible via the IP, which could be an attempt to misdirect investigations or appear legitimate to service providers.

Defenders are urged to monitor for unusual POST requests to scripts like xxx.php and check.php, especially from domains resembling enterprise login pages.

Also, observing for traffic with specific parameters that might indicate secondary authentication attempts or server-side credential validation could provide early detection of such phishing attempts.

This ongoing campaign underscores the need for vigilance and updated security measures, particularly in environments where two-factor authentication is in play yet still susceptible to these sophisticated phishing techniques.

Indicators of Compromise (IOCs)

IP Address	Domain	Hosting	Location
80.64.30.100	ipafranchest.com	Cloudflare	Russia, US
80.64.30.101	lawpaymentpw.live	Chang Way Technologies Co. Limited	Russia, US
104.21.32.181	(Refer to full report)	Cloudflare	Russia, US
172.67.153.52	(Refer to full report)	Chang Way Technologies Co. Limited	Russia, US
104.21.20.29	(Refer to full report)	Cloudflare	Russia, US
172.67.191.1	(Refer to full report)	Chang Way Technologies Co. Limited	Russia, US

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!