New tricks on phishing websites

18. May, 2022

Many phishing attacks try to lure users to fake websites in order to get them to enter confidential information. The correct URL of the desired website and a valid security certificate provide assistance against these phishing-attempts–and have therefore become the focus of the attackers. Different, but similar approaches have emerged to trick even attentive users.

Trick #1: Fake login websites on Microsoft Azure Static Web Apps

You quickly need a ready-made website that is already hosted for you in the cloud complete with Microsoft domain and Microsoft security certificate? You will find it at MS Azure. Unfortunately, criminals have also discovered the service for static web apps for themselves. The imitated login pages there are difficult to recognise as fake, especially for some widespread Microsoft services. The Microsoft subdomain azurestaticapps.net and the valid TLS certificate can also be deceptive. [1]

Trick #2: Browser in the Browser attack

You want to use a well-known service on the web where a pop-up appears asking you to enter your account data again? Especially with well-known authentication services such as Facebook, Google, Apple or Microsoft, which most users trust, this dialogue is often not questioned and the desired data is entered. However, this “browser in the browser” (BitB) attack does not call the real authentication service, but only simulates a deceptively real-looking login window with the help of various HTML, Java and CSS routines–and finally forwards the entered data to third parties. [2]

What countermeasures can help?

Unfortunately, both tricks have one thing in common: At first glance, the attacks are almost undetectable, even for experienced users. The security certificates of the websites are correct and valid and the URLs can be legitimate in the right context.

However, 2-factor or multifactor authentication remains effective. With the latter, security is further enhanced by the additional possession of security hardware, e.g. a smart card or FIDO security key, as the attacker cannot gain access without possession of this additional token. [3]

The only constant remains change: cyber threats are constantly evolving in different and sometimes unexpected directions. Therefore, you should always check whether the precautions and level of knowledge in your company still correspond to the current state of the art and the possible threats and adjust your strategy at regular intervals.

Read more:

Tricked: Phishing campaigns with hidden fonts and zero text
Targeted attack instead of mass processing: Are you a potential spear phishing victim?

Sources:

secure online gaming
Security
Cyber Security Awareness
destroy

Wiper-Malware

deepfake

Deepfakes in Cyber attacks

Screen IKARUS mail.security light mode
Screenshot Nozomi Guardian: Threat Intelligence
IoT
smartphone malware
BlackCat Ransomware
IKARUS portal
Hacker

WE ARE LOOKING FORWARD TO HEARING FROM YOU!

IKARUS Security Software GmbH Blechturmgasse 11
1050 Vienna

Phone: +43 (0) 1 58995-0
Sales Hotline:
+43 (0) 1 58995-500

SUPPORT HOTLINE

Support hotline:
+43 (0) 1 58995-400

Support hours:
Mon – Thu: 8am – 5pm
Fri: 8am – 3pm

Remote maintenance software:
AnyDesk Download