It is no surprise that phishing continues to be the primary initial access vector against businesses of every size. Our team has built on the research Microsoft published in order to highlight additional behavior we have observed in our customer environments. The purpose of this work is to share what IronNet has seen and to give others a starting point to build on. We have divided our findings into three groups:
1. CRMs allow open redirects
We began by using the regex from the Microsoft blog post to hunt retroactively for the DGA-like domains. We confirmed that CRM instances belonging to household-name companies were allowing open redirects to the malicious phishing pages. Judging by the URL structure of these requests, the actors appear to have been targeting one specific CRM platform.
Abuse of these CRMs appears to have started in the first quarter of 2021, and some of the redirects are no longer active. We did find a handful of examples that continued into the second quarter of 2021; we believe the difference comes down to when each customer discovered the abuse and corrected their redirect settings. When we searched for current abuse (the past two months), we found other CRMs still allowing open redirection. Where we observed this behavior and it was ongoing, we contacted the affected companies and asked them to disable it.
2. Websites redirecting to phishing reCAPTCHA
<random subdomain>.<compromised domain>/<base64 of user being phished>
<name>.<compromised domain>/?#<base64 encoded domain + user email>
Examples of the landing pages:
As you can see, the pattern from the original Microsoft article has evolved and now includes new variants. We believe this is the result of multiple threat actors changing their pattern to evade simple detections that look for the original pattern, exactly the kind of detection we first wrote ourselves.
microsoft.iaronlnie.com
microsoft.tarrnac.com
royalhomesvictoria.com
habeeb.co.ug/main/
ivrisi.org.ge/main/
cbtb7-bkbd6.xyz/main/
9sd-hh.xyz/main/
3. Other reCAPTCHAs
Finally, we discovered pages that did not match any known pattern but host the same phishing kit. Users land on the reCAPTCHA page and are then forwarded to the corresponding phishing site to enter their credentials. Using http://urlscan.io, we were unable to determine how a user would have reached these pages, so the initial lure for this group remains unknown.
What’s new about this research and why should we care?
As the Microsoft blog post pointed out, what is new about this campaign is the use of open redirects in combination with reCAPTCHA. Not only are threat actors abusing domains with good reputation, they are actively hindering analysis of the redirect chain: the reCAPTCHA gate stops automated crawlers and sandboxes from following the link through to the credential-harvesting page.
This type of campaign is alarming for companies that invest in security awareness training, particularly training that tells employees to hover over a link and check where it goes before clicking. Here, the visible link points at a domain owned by a legitimate company, so employees are likely to trust it. It has also been widely discussed that most users, when presented with a reCAPTCHA, perceive a website as more legitimate. This is not the first time phishing actors have used this technique, and it is not the first time it has been effective.
We know that adversaries, especially ransomware gangs, use phishing and credential harvesting as initial access vectors. Through this research we found that very large companies were being targeted, and a successful phish of any of them would make a natural starting point for a ransomware campaign. We provide detection methods below for two reasons:
1. We want to give companies the ability to detect if any of their users were phished by doing retroactive hunts over the CRMs that were allowing redirection and the domains of the landing pages.
2. We want companies to know if their own CRM or website is being abused to allow redirection that it should not allow.
We’ve built out some https://urlscan.io queries, as well as regex for others to see the results that we’ve found. In order to pull more than 100 results, you will need a https://urlscan.io pro account.
We have produced the following regex that finds the relevant final-destination (FD) phishing domains with high accuracy. We have also included the urlscan query syntax.
All phishing URLs abusing reCAPTCHA
filename:"/recaptcha/api.js" AND page.url.keyword:/(http)(s)?:\/\/([a-z0-9]+\.)?([a-z0-9\-])+\.[a-z]+\/(main|jump)\//
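The urlscan query above only finds pages urlscan has already scanned. To run the same logic retroactively over your own proxy or web logs, and to pull out the victim address that the URL patterns in section 2 carry as base64 in the last path segment or the fragment, here is an added example in Python. It is not IronNet's notebook or any code from the original post; the log lines are constructed, the domains are placeholders, and the path regex is a re-statement of the urlscan query above (with case-insensitive matching, which the urlscan version does not do):

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Re-statement of the urlscan path regex: scheme, optional subdomain, registrable
# domain, TLD, then a /main/ or /jump/ directory. IGNORECASE is an addition.
PATH_PATTERN = re.compile(
    r"^https?://([a-z0-9-]+\.)?[a-z0-9-]+\.[a-z]+/(main|jump)/", re.IGNORECASE
)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _b64_decode_lenient(token):
    """Decode a base64 token that may be URL-safe and missing padding; None if not base64/UTF-8."""
    token = unquote(token).strip()
    if len(token) < 8:  # too short to hold an e-mail address
        return None
    token = token.replace("-", "+").replace("_", "/")
    token += "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def extract_phished_email(url):
    """Return the victim address if the fragment or last path segment decodes to one."""
    parts = urlsplit(url)
    candidates = []
    if parts.fragment:                       # <name>.<domain>/?#<base64 domain + email>
        candidates.append(parts.fragment)
    last_segment = parts.path.rstrip("/").rsplit("/", 1)[-1]
    if last_segment:                         # <random>.<domain>/<base64 email>
        candidates.append(last_segment)
    for cand in candidates:
        decoded = _b64_decode_lenient(cand)
        if decoded:
            match = EMAIL_RE.search(decoded)
            if match:
                return match.group(0)
    return None


def classify_url(url):
    """Describe why (if at all) a URL matches the campaign's known URL shapes."""
    reasons = []
    if PATH_PATTERN.match(url):
        reasons.append("main/jump path pattern")
    email = extract_phished_email(url)
    if email:
        reasons.append("base64 victim email in URL")
    return {"url": url, "email": email, "reasons": reasons, "suspicious": bool(reasons)}


def hunt(log_lines):
    """Scan 'timestamp client url' log lines and return the suspicious hits with the client."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        result = classify_url(fields[2])
        if result["suspicious"]:
            result["client"] = fields[1]
            hits.append(result)
    return hits


# Constructed sample log lines (not real traffic); the base64 is "user@example.com".
SAMPLE_LOG = [
    "2021-09-01T10:00:01Z 10.0.0.5 https://cdn.legit.example/images/logo.png",
    "2021-09-01T10:00:02Z 10.0.0.5 https://abc123.compromised.example/dXNlckBleGFtcGxlLmNvbQ==",
    "2021-09-01T10:00:03Z 10.0.0.7 https://www.compromised.example/?#dXNlckBleGFtcGxlLmNvbQ",
    "2021-09-01T10:00:04Z 10.0.0.9 https://cbtb7-bkbd6.example/main/",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["client"], hit["url"], hit["email"], hit["reasons"])
```

The decoder is deliberately lenient (URL-safe alphabet, missing padding) because the kit does not always emit canonical base64, and the e-mail regex is applied to the decoded text rather than to the whole token so that the fragment variant, which prepends the domain, still yields the victim address. Expect some benign hits from the path pattern alone; the base64 e-mail signal is the higher-confidence one.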
New domains continue to pop up daily, so we have provided a Jupyter Notebook for researchers to pull down and extract results from urlscan using our methodology.
Link: urlscan notebook
Call to action
When registering a reCAPTCHA for a website, the administrator must tie the site or sites they wish to protect to a Google account. This is good news for defenders: once a phishing domain that uses reCAPTCHA has been identified, Google can identify the Google account behind that site key and deactivate it, which disables every other phishing domain registered under the same account. To be clear, the phishing domains and servers remain technically operational, but until the actor removes or replaces the reCAPTCHA integration the gate page will fail to load its widget and users will not be forwarded to the credential-harvesting page. The actor can of course register a new key under a new account, so this is a disruption rather than a permanent fix, but it raises their cost for every takedown. With the already detected domains and reCAPTCHA site keys we have provided at the GitHub link below, and the detection techniques outlined above, Google could potentially put an end to this campaign entirely.
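Because one Google account's site key is reused across many of the actor's domains, the site key is also a useful pivot for defenders: pull it out of each landing page and cluster pages that share it. Here is an added example in Python (not code from the original post or from IronNet's repository) that extracts the key from the three places a reCAPTCHA v2/v3 integration normally embeds it and groups URLs by key. The page HTML, URLs and 40-character keys below are all constructed for the example:

```python
import re
from collections import defaultdict

# Site keys are 40 characters from the base64url alphabet; the lookahead stops a
# longer token from being truncated into a false match.
_KEY = r"([A-Za-z0-9_-]{40})(?![A-Za-z0-9_-])"
SITEKEY_PATTERNS = [
    re.compile(r'data-sitekey\s*=\s*["\']' + _KEY + r'["\']'),          # v2 widget attribute
    re.compile(r'recaptcha/api\.js\?[^"\']*\brender=' + _KEY),          # v3 script include
    re.compile(r'["\']?sitekey["\']?\s*:\s*["\']' + _KEY + r'["\']'),   # grecaptcha.render({...})
]


def extract_site_keys(html):
    """Return the set of reCAPTCHA site keys referenced anywhere in the page HTML."""
    keys = set()
    for pattern in SITEKEY_PATTERNS:
        keys.update(pattern.findall(html))
    return keys


def cluster_by_site_key(pages):
    """Map each site key to the sorted list of URLs (from a {url: html} dict) that embed it."""
    clusters = defaultdict(set)
    for url, html in pages.items():
        for key in extract_site_keys(html):
            clusters[key].add(url)
    return {key: sorted(urls) for key, urls in clusters.items()}


# Constructed keys and pages: KEY_A is shared by two landing pages, KEY_B by one.
KEY_A = "6Lc" + "X" * 36 + "A"
KEY_B = "6Lc" + "Y" * 36 + "B"

SAMPLE_PAGES = {
    "https://aaa.phish-one.example/main/":
        f'<script src="https://www.google.com/recaptcha/api.js" async defer></script>'
        f'<div class="g-recaptcha" data-sitekey="{KEY_A}"></div>',
    "https://bbb.phish-two.example/jump/":
        f'<script src="https://www.google.com/recaptcha/api.js?render={KEY_A}"></script>',
    "https://ccc.phish-three.example/main/":
        f"<script>grecaptcha.render('captcha', {{ sitekey: '{KEY_B}', theme: 'dark' }});</script>",
    "https://shop.legit.example/":
        "<html><body>No captcha here</body></html>",
}

if __name__ == "__main__":
    for key, urls in cluster_by_site_key(SAMPLE_PAGES).items():
        print(key, "->", ", ".join(urls))
```

Run over the HTML of every landing page found by the urlscan query (urlscan's API exposes the captured DOM), this gives a list of distinct site keys, each of which corresponds to one Google account to report, and it surfaces new domains that use an already-known key before they show up in any URL-pattern hunt.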
Indicators of Compromise: