New tricks on phishing websites

18 May 2022

Many phishing attacks try to lure users to fake websites in order to get them to enter confidential information. The correct URL of the intended website and a valid security certificate are the usual defences against such attempts, and have therefore become the focus of the attackers. Different but similar approaches have emerged to trick even attentive users.

Trick #1: Fake login websites on Microsoft Azure Static Web Apps

You quickly need a ready-made website, hosted for you in the cloud complete with a Microsoft domain and a Microsoft-issued security certificate? You will find it at Microsoft Azure. Unfortunately, criminals have also discovered the Azure Static Web Apps service for themselves. The imitated login pages hosted there are difficult to recognise as fake, especially those for widespread Microsoft services, because the Microsoft subdomain under azurestaticapps.net and the valid TLS certificate are exactly what users are told to look for. [1]

Trick #2: Browser in the Browser attack

You want to use a well-known service on the web and a pop-up appears asking you to enter your account data again? Especially with widely used authentication services such as Facebook, Google, Apple or Microsoft, which most users trust, this dialogue is rarely questioned and the requested data is entered. The "browser in the browser" (BitB) attack, however, never calls the real authentication service: it only simulates a deceptively real-looking login window, including its title bar and address bar, with HTML, JavaScript and CSS, and finally forwards the entered data to third parties. [2]
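The two tricks leave different traces on the page itself, and the following triage helper, added here as an example and not code from IKARUS or from the cited reports, flags both: a login-flavoured host name or path under a shared hosting parent such as azurestaticapps.net (trick #1), and a trusted identity-provider URL that appears as painted text next to a password field while the form posts somewhere else (trick #2). The hosting suffixes other than azurestaticapps.net, the identity-provider host names, the sample URLs and the HTML snippet are assumptions constructed for the example.

```python
"""Triage helpers for the two tricks described above. Added example, not IKARUS
code; every URL and HTML snippet below is constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Shared hosting parents under which anyone can publish with a valid certificate.
# azurestaticapps.net is the one named on the page; the rest are assumptions.
SHARED_HOSTING_SUFFIXES = ("azurestaticapps.net", "azurewebsites.net", "web.app", "pages.dev")

# Identity providers whose login windows BitB kits imitate (the page names the
# brands; these are the host names their real login pages use).
TRUSTED_IDP_HOSTS = ("login.microsoftonline.com", "accounts.google.com",
                     "appleid.apple.com", "www.facebook.com")

LOGIN_BAIT = re.compile(r"login|signin|sign-in|sso|office|microsoft|sharepoint|onedrive", re.I)


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def under(host, parent):
    return host == parent or host.endswith("." + parent)


def shared_hosting_login_lure(url):
    """Trick #1: a login-looking host name or path on a shared cloud domain."""
    host = host_of(url)
    on_shared = any(under(host, s) for s in SHARED_HOSTING_SUFFIXES)
    return on_shared and bool(LOGIN_BAIT.search(host + urlsplit(url).path))


class _PageScan(HTMLParser):
    """Collects text nodes, form actions and whether a password field exists."""

    def __init__(self):
        super().__init__()
        self.text, self.form_actions, self.has_password = [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True

    def handle_data(self, data):
        self.text.append(data)


def painted_idp_address_bar(page_url, html):
    """Trick #2 (BitB): a trusted IdP URL is drawn as text (the fake window's
    address bar) next to a password field, while the form posts elsewhere."""
    scan = _PageScan()
    scan.feed(html)
    drawn = set()
    for chunk in scan.text:
        m = re.match(r"\s*https://([a-z0-9.-]+)", chunk, re.I)
        if m and m.group(1).lower() in TRUSTED_IDP_HOSTS:
            drawn.add(m.group(1).lower())
    if not drawn or not scan.has_password:
        return False
    page_host = host_of(page_url)
    targets = {host_of(a) or page_host for a in scan.form_actions} or {page_host}
    # If the form really posts to the IdP shown, it is the genuine page.
    return not any(under(t, h) for t in targets for h in drawn)


def triage(url, html=""):
    """Returns the indicators that fired for one page (empty list = nothing found)."""
    hits = []
    if shared_hosting_login_lure(url):
        hits.append("login-lure-on-shared-hosting")
    if html and painted_idp_address_bar(url, html):
        hits.append("browser-in-the-browser")
    return hits


# Constructed samples (not real campaigns).
LURE_URL = "https://contoso-login.azurestaticapps.net/office365/"
BITB_URL = "https://files.example/shared-document"
BITB_HTML = """<html><body><div class="fake-window">
<div class="titlebar">Sign in to your account</div>
<div class="addressbar">https://login.microsoftonline.com/common/oauth2/v2.0/authorize</div>
<form action="/collect.php" method="post">
<input name="email"><input name="pwd" type="password"><button>Next</button>
</form></div></body></html>"""

if __name__ == "__main__":
    for url, html in [(LURE_URL, ""), (BITB_URL, BITB_HTML),
                      ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize", "")]:
        print(url, triage(url, html))
```

The BitB check deliberately requires a full `https://` string of a trusted provider as a text node together with a password field, so a help page that merely mentions accounts.google.com does not fire; a genuine provider page passes because its form posts to the provider it shows.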

What countermeasures can help?

Unfortunately, both tricks have one thing in common: at first glance the attacks are almost undetectable, even for experienced users. The certificate the browser shows is genuine and valid, and the URL looks legitimate. With trick #1 it really is a Microsoft-owned subdomain; with trick #2 the address bar the user reads is painted by the phishing page itself, while the browser's own address bar still shows the site that hosts the lure.

Two-factor or multifactor authentication nevertheless remains effective, with one caveat: a one-time code typed into the fake page can be relayed to the genuine service within its validity window, so code-based second factors only raise the bar. A hardware token such as a smart card or FIDO security key closes that gap: a FIDO credential is bound to the origin of the genuine website and cannot be exercised from a lure page, so the attacker gains nothing from the captured password and cannot log in without possessing the token. [3]
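To show concretely why a FIDO key holds up where a password or a typed code does not, here is an added example (not IKARUS code and not a WebAuthn library) of the two binding checks in WebAuthn: the browser's rule that a page may only use an RP ID matching its own domain, and the relying party's verification of origin, challenge and rpIdHash in the assertion. The RP ID, the challenge and the lure host name are assumed values, the client data and authenticator data are constructed, and the ECDSA signature check that follows these steps in a real implementation is not part of the example.

```python
"""Why a FIDO/WebAuthn credential holds up against both tricks: it is bound to
the origin, and the relying party verifies that binding. Added example, not
IKARUS code; the RP ID, challenge, origins, client data and authenticator data
are constructed for illustration."""
import base64
import hashlib
import json
import struct
from urllib.parse import urlsplit

RP_ID = "microsoftonline.com"                               # assumed RP ID
REAL_ORIGIN = "https://login.microsoftonline.com"
PHISH_ORIGIN = "https://contoso-login.azurestaticapps.net"  # assumed lure host
CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"                  # constructed, not random


def browser_allows_rp_id(origin, rp_id):
    """Browser-side rule (simplified: the real one also consults the public
    suffix list). A page may only use an RP ID equal to its own host or a
    parent domain of it, so a lure page cannot even ask the authenticator for
    the victim's genuine credential."""
    host = (urlsplit(origin).hostname or "").lower()
    rp_id = rp_id.lower()
    return host == rp_id or host.endswith("." + rp_id)


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def rp_binding_checks(client_data_b64, auth_data, expected_challenge,
                      expected_origin, rp_id):
    """Relying-party side. Returns the list of failed checks (empty = passed).
    The ECDSA signature over authData || SHA-256(clientDataJSON) must be
    verified as well; that step is not part of this example."""
    cd = json.loads(b64url_decode(client_data_b64))
    problems = []
    if cd.get("type") != "webauthn.get":
        problems.append("wrong ceremony type")
    if cd.get("challenge") != expected_challenge:
        problems.append("challenge mismatch")
    if cd.get("origin") != expected_origin:
        problems.append(f"origin mismatch: {cd.get('origin')!r}")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash mismatch")
    if not flags & 0x01:                      # UP bit: user presence
        problems.append("user presence flag not set")
    return problems


# Helpers that build what a browser and authenticator would produce.
def make_client_data(origin, challenge, typ="webauthn.get"):
    raw = json.dumps({"type": typ, "challenge": challenge, "origin": origin}).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_auth_data(rp_id, flags=0x01, sign_count=1):
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def legitimate_login():
    return rp_binding_checks(make_client_data(REAL_ORIGIN, CHALLENGE),
                             make_auth_data(RP_ID), CHALLENGE, REAL_ORIGIN, RP_ID)


def relayed_login():
    """Attacker relays the genuine challenge to a victim on the lure page. The
    browser only allows the lure's own host as RP ID and stamps the lure origin
    into clientDataJSON, so the relying party rejects the assertion."""
    lure_rp_id = "contoso-login.azurestaticapps.net"
    return rp_binding_checks(make_client_data(PHISH_ORIGIN, CHALLENGE),
                             make_auth_data(lure_rp_id), CHALLENGE, REAL_ORIGIN, RP_ID)


def replayed_login():
    """A captured assertion presented again against a fresh challenge."""
    return rp_binding_checks(make_client_data(REAL_ORIGIN, "stale-challenge"),
                             make_auth_data(RP_ID), CHALLENGE, REAL_ORIGIN, RP_ID)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("relayed:   ", relayed_login())
    print("replayed:  ", replayed_login())
```

The relayed case fails twice over: the browser refuses the genuine RP ID on the lure origin, and even the assertion it would produce carries the lure origin and the wrong rpIdHash. A relayed one-time code has no such binding, which is the difference the paragraph above is about.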

The only constant remains change: cyber threats are constantly evolving in different and sometimes unexpected directions. Therefore, you should always check whether the precautions and level of knowledge in your company still correspond to the current state of the art and the possible threats and adjust your strategy at regular intervals.

Read more:

Tricked: Phishing campaigns with hidden fonts and zero text
Targeted attack instead of mass processing: Are you a potential spear phishing victim?

