StrongestLayer Threat Intelligence has been encountering phishing traffic that takes advantage of a mass mailing website called ‘exactag.com,’ where attackers continuously create new subdomains for nefarious purposes. Since we encountered this multiple times, we marked the site as malicious for StrongestLayer customers. However, a very interesting trend surfaced this past week.
Our zero-day threat analysis engine saw a known phishing domain in the URI, paired with m.exactag.com as the main domain. The attacker had taken advantage of a potentially dangling DNS record on exactag.com, seized control of one of its subdomains, and planted an ai.aspx redirection script. But there was something else of interest this time: a very well-known news website, India Times.
This time, the attacker managed to host a malicious PHP redirection page directly on the home path of the India Times website, which redirected to their final pre-detonation redirector page, camenergyllc.nyc. From there, a redirect took the flow to the actual phishing page, a very precise replica of the Microsoft login page.
Upon examining the source code of the phishing page, we found it filled with AI-generated, non-functional code meant to obscure the actual functional code. Some segments of the deobfuscated code also appeared to have been written using generative AI.
We then searched our historical data for similar traffic and found that the ‘India Times’ website has been compromised for well over a month now, providing free redirects to various phishing campaigns via the same etl.php script.
Here is the complete incident along with all the redirection points.
- https://m[.]exactag[.]com/ai[.]aspx?tc=d9608989bc40b07205bbd26a23a8d2e6b6b4f9&url=https://hr.economictimes.indiatimes.com/etl.php?url=//camenergyllc[.]nyc/nsbd/lcv/vbWSOimLtTe6IJj/a2h1cnJhbS53YXJhaWNoQHRlbGVub3JiYW5rLnBr
- https://hr[.]economictimes[.]indiatimes[.]com/etl[.]php?url=//camenergyllc[.]nyc/nsbd/lcv/vbWSOimLtTe6IJj/a2h1cnJhbS53YXJhaWNoQHRlbGVub3JiYW5rLnBr
- https://camenergyllc[.]nyc/nsbd/lcv/vbWSOimLtTe6IJj/xxxxxxxhbS53YXJhaWNoQHRlbGVub3JiYW5rLnBr?utm_source=promotions&utm_medium=email&utm_campaign=
- https://theduck[.]hostcabofrio[.]com[.]br/[.]well-known/vwq[.]html#4xxxxxxx.xxxxxxx@xxxxxxxxxxx[.]xx
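The chain above is three open redirectors nested inside one URL, each passing the next hop in a `url=` parameter. The following added example (not StrongestLayer's code) statically unwraps such a URL without making any request, so an analyst or a mail filter can see every host a victim would bounce through; the sample URL is constructed from the first link above with the victim token in the path replaced by a placeholder, and the list of redirect parameter names is an assumption.

```python
from urllib.parse import urlsplit, parse_qs, urljoin

# Constructed sample modelled on the incident's first link (victim token in the
# path replaced with a placeholder; no request is ever sent).
SAMPLE_URL = (
    "https://m.exactag.com/ai.aspx?tc=d9608989bc40b07205bbd26a23a8d2e6b6b4f9"
    "&url=https://hr.economictimes.indiatimes.com/etl.php"
    "?url=//camenergyllc.nyc/nsbd/lcv/PLACEHOLDER/PLACEHOLDER"
)

# Query-string keys commonly used by redirector scripts to carry the next URL
# (assumption: extend for the redirectors seen in your own traffic).
REDIRECT_PARAMS = ("url", "u", "redirect", "redir", "next", "dest", "target", "goto")


def unwrap_redirect_chain(url, max_hops=10):
    """Statically unwrap nested redirect parameters and return the ordered list
    of hostnames a browser would be bounced through. Nothing is fetched."""
    hops = []
    current = url
    for _ in range(max_hops):
        parts = urlsplit(current)
        if not parts.hostname:
            break
        hops.append(parts.hostname.lower())
        params = parse_qs(parts.query)  # percent-encoded nested URLs are decoded here
        nested = next((params[k][0] for k in REDIRECT_PARAMS if params.get(k)), None)
        if nested is None:
            break
        # urljoin resolves scheme-relative targets such as //camenergyllc.nyc/...
        current = urljoin(current, nested)
    return hops


def redirect_chain_report(url):
    """Summarise the chain: every host that merely forwards is an open
    redirector, and the last host is where the content actually lives."""
    hops = unwrap_redirect_chain(url)
    return {
        "hops": hops,
        "open_redirectors": hops[:-1],
        "final_host": hops[-1] if hops else None,
        # A reputable first hop that ends elsewhere is the pattern in this incident.
        "crosses_domains": len(set(hops)) > 1,
    }


if __name__ == "__main__":
    print(redirect_chain_report(SAMPLE_URL))
```

Reputation checks that look only at the first hostname would rate this URL by m.exactag.com or indiatimes.com; the report exposes camenergyllc.nyc as the host that actually serves content.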
We started by investigating the last two links in this incident. When we tried accessing link 3 some time later, a banner notice said that the website was under load and that we should try again later. This should be taken with a grain of salt: such limits are often put in place by attackers to reduce the risk of being discovered once their target has been served the content. These notices are intended to hide the content of that particular path from analysts once the domain has served a phishing campaign for long enough. At that point, the site is supposed to go into hibernation, a cloaked state, to preserve the infrastructure: registering and setting up websites costs money, and attackers want to keep their domains undetected for as long as possible.
We see these tactics used in phishing attacks on a regular basis. Another interesting aspect to note here is that the main domain of the website does not point to any content source; we are simply served a notice from the hosting provider, which is typical for phishing sites that redirect to landing pages.
When we accessed the subdomain that was hosting the phishing page, we found the menu of a popular pub in Brazil, TheDuckPub.
Visiting hostcabofrio.com.br itself immediately gave a familiar suspicious page: the contents had been removed from the web server’s root path in order to hide the site from the public. This is a typical tactic heavily used by attackers.
The WHOIS record for the main phishing detonation domain reveals that it belongs to someone in Brazil and has been active since 2016.
There are multiple lessons and takeaways from this scenario, not only for employees but also for cyber security professionals:
- Just because the main domain name of a URL belongs to a known and reputable brand does not mean that the website it redirects to is safe.
- Just because you are shown an error notice does not mean that the intent behind it is genuine, as we witnessed here. Phishing sites often use such cloaking techniques to appear unavailable or benign in order to avoid being blocked by detection engines and threat analysts.
- Do not be fooled by known, familiar brands on a website. Without market-leading detection tools at their disposal, employees are left to work out whether a page is the real deal before clicking anything.
- Lastly, all of the hyperlink URLs on the spoofed ‘Microsoft’ phishing login page point to a domain other than login.live.com. Without detection tools designed to boost Human Layer security (like StrongestLayer), vigilance and caution are the only two things that can save you from falling victim in these scenarios.
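The last takeaway, that a lookalike login page's links and form targets do not lead to the brand's own domains, can be checked mechanically on a captured page. The following added example (not StrongestLayer's code) resolves every anchor and form target against the page URL and reports those that land outside the imitated brand's domains; the page URL, the HTML and the allowlist of Microsoft sign-in domains are all constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for a captured Microsoft-lookalike login page: the form
# and most links lead back to the phishing host, the tell noted in the takeaway.
PAGE_URL = "https://phishing-host.example/.well-known/vwq.html"
SAMPLE_HTML = """
<html><body>
<form action="post.php" method="post"><input name="passwd"></form>
<a href="https://login.live.com/forgot">Can't access your account?</a>
<a href="//phishing-host.example/help.html">Sign-in options</a>
<a href="terms.html">Terms of use</a>
<a href="javascript:void(0)">Next</a>
</body></html>
"""

# Domains a genuine Microsoft sign-in page is expected to link to
# (assumption: an allowlist of registrable suffixes, extend as needed).
MICROSOFT_SUFFIXES = ("live.com", "microsoft.com", "microsoftonline.com")


class LinkCollector(HTMLParser):
    """Gather every anchor href and form action on the page, in document order."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.targets.append(attrs["href"])
        elif tag == "form" and attrs.get("action"):
            self.targets.append(attrs["action"])


def on_brand(host, suffixes):
    """True when host is one of the allowlisted domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def off_brand_targets(page_url, html, suffixes=MICROSOFT_SUFFIXES):
    """Resolve each link/form target against the page URL and return (target, host)
    pairs whose host is not on the imitated brand's domains."""
    collector = LinkCollector()
    collector.feed(html)
    bad = []
    for target in collector.targets:
        parts = urlsplit(urljoin(page_url, target))
        if parts.scheme not in ("http", "https"):  # skip javascript:/mailto: targets
            continue
        host = (parts.hostname or "").lower()
        if not on_brand(host, suffixes):
            bad.append((target, host))
    return bad
```

A page that renders a brand's sign-in form yet posts credentials and links back to an unrelated host is a strong signal on its own, independent of any reputation lookup.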
Safwan Khan
Head of StrongestLayer Threat Intelligence