A new phishing-as-a-service (PhaaS or PaaS) platform called Greatness has been used by cybercriminals to target business users of the Microsoft 365 cloud service since at least mid-2022, effectively lowering the bar for phishing attacks.
“Greatness, for now, only focuses on Microsoft 365 phishing pages, providing its affiliates with a link and link builder that creates very convincing login and phishing pages,” said Tiago Pereira, Cisco Talos researcher.
“It contains features such as having the victim’s email address pre-populated and displaying the appropriate company logo and background image, taken from the target organization’s actual Microsoft 365 login page.”
Campaigns involving Greatness have primarily targeted manufacturing, healthcare and technology entities located in the US, UK, Australia, South Africa and Canada, with increased activity seen in December 2022 and March 2023.
Phishing kits like Greatness offer threat actors, novice or otherwise, a cost-effective and scalable one-stop shop, allowing them to design convincing login pages associated with various online services and bypass two-factor authentication (2FA) protections.
Specifically, authentic-looking pages act as a reverse proxy to collect time-based one-time passwords (TOTPs) and credentials entered by victims.
The credentials and tokens entered are then forwarded to the affiliate’s Telegram channel to gain unauthorized access to the accounts in question.
The AiTM phishing kit also includes an admin panel that allows the affiliate to configure the Telegram bot, track stolen information, and even create booby-trapped attachments or links.
Also, each affiliate is expected to have a valid API key in order to load the phishing page. The API key also prevents unwanted IP addresses from viewing the phishing page and facilitates behind-the-scenes communication with the Microsoft 365 login page by impersonating the victim.
“Working together, the phishing kit and API perform a man-in-the-middle attack, requesting information from the victim that the API will then send to the legitimate login page in real time,” said Pereira.
“This allows the PaaS affiliate to steal usernames and passwords, along with authenticated session cookies if the victim uses MFA.”
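Because the stolen item is an already-authenticated session cookie, one defensive check is to look for a session that is later used from a client other than the one that completed MFA. The following detection sketch is an added example, not code from Cisco Talos or Microsoft; the event schema, field names and sample records are constructed assumptions.

```python
# Constructed sample events; the field names are a hypothetical schema,
# not a real Microsoft 365 log format. IPs are documentation ranges.
EVENTS = [
    {"time": "2023-03-02T09:14:05Z", "user": "a.lee@example.com", "session": "s-1001",
     "ip": "198.51.100.23", "ua": "Mozilla/5.0 (X11; Linux x86_64)", "event": "mfa_success"},
    {"time": "2023-03-02T09:20:41Z", "user": "a.lee@example.com", "session": "s-1001",
     "ip": "203.0.113.77", "ua": "Mozilla/5.0 (Windows NT 10.0)", "event": "token_use"},
    {"time": "2023-03-02T10:02:10Z", "user": "b.ng@example.com", "session": "s-1002",
     "ip": "192.0.2.10", "ua": "Mozilla/5.0 (Macintosh)", "event": "mfa_success"},
    {"time": "2023-03-02T10:30:00Z", "user": "b.ng@example.com", "session": "s-1002",
     "ip": "192.0.2.10", "ua": "Mozilla/5.0 (Macintosh)", "event": "token_use"},
    {"time": "2023-03-02T11:00:00Z", "user": "c.roy@example.com", "session": "s-1003",
     "ip": "192.0.2.44", "ua": "Mozilla/5.0 (iPhone)", "event": "mfa_success"},
    {"time": "2023-03-02T11:45:00Z", "user": "c.roy@example.com", "session": "s-1003",
     "ip": "192.0.2.99", "ua": "Mozilla/5.0 (iPhone)", "event": "token_use"},
]


def find_session_replay(events):
    """Flag sessions used from a different client than the one that passed MFA."""
    origin = {}   # session id -> (ip, user agent) recorded at MFA completion
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        sid = ev["session"]
        if ev["event"] == "mfa_success":
            origin.setdefault(sid, (ev["ip"], ev["ua"]))
            continue
        if sid not in origin:
            continue  # no MFA baseline for this session, nothing to compare
        ip0, ua0 = origin[sid]
        if ev["ip"] == ip0:
            continue  # same network origin; a user-agent change alone is ignored
        # An IP change alone can be a roaming user; IP plus user-agent change
        # on the same cookie is the stronger indicator of cookie replay.
        severity = "high" if ev["ua"] != ua0 else "medium"
        alerts.append({"user": ev["user"], "session": sid, "severity": severity,
                       "mfa_ip": ip0, "reuse_ip": ev["ip"], "time": ev["time"]})
    return alerts


if __name__ == "__main__":
    for alert in find_session_replay(EVENTS):
        print(alert)
```

The medium-severity case needs a second signal (for example, an unfamiliar network or impossible travel) before it is actionable, since mobile and VPN users change IP addresses legitimately.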
The findings come as Microsoft has begun enforcing number matching in Microsoft Authenticator push notifications starting May 8, 2023, to improve 2FA protections and prevent prompt bombing attacks.
Ikaroa, a full stack tech company, recently reported on the emergence of a new Phishing-as-a-Service platform that has made it easier for cybercriminals to generate convincing phishing pages. Phishing is a type of attack that utilizes emails or malicious websites to try and obtain access to a user’s sensitive information.
The new platform has been built in a way that its users need not possess any coding or design skills. Using the system, phishers can create pages that appear to be original websites and trick unsuspecting Internet users into providing personal information. The Phishing-as-a-Service platform also offers templates for crafting emails, which can look like they were sent from legitimate companies.
The ease of use and customization of the platform underscores the ever-rising concern regarding malicious phishing attacks. According to the 2020 Verizon Data Breach Investigations Report, phishing accounted for 32 percent of all data breaches. With the introduction of this new platform, the risk only increases.
Ikaroa encourages all users to engage in secure browsing and put appropriate security measures in place. Techniques such as regular software updates and patching, utilizing reliable antivirus software, and leveraging multi-factor authentication can help minimize the risk of phishing attacks. Additionally, users should be suspicious of emails with links that seem to come from unknown sources and have unusual file extensions.
End users, organizations, and businesses should work together to combat this growing threat. Phishers should be reported and their tools targeted in order to make the Internet a safer place for everyone.