
Major Phishing Campaign Exploiting Missing "X-Frame-Options" Headers Puts Global Companies at Risk

The cybersecurity landscape continues to evolve, and threat actors are constantly finding new ways to exploit vulnerabilities. One such tactic involves the absence of the "X-Frame-Options" HTTP header, which can leave websites susceptible to clickjacking attacks. In this blog, we delve into a recent campaign that leverages this vulnerability to serve phishing pages, compromising sensitive information from multiple companies worldwide.

CloudSEK TRIAD
August 7, 2024
Green Alert
Last update posted on August 21, 2025

Category: Adversary Intelligence

Industry: Multiple

Region: Global

Motivation: Financial

TLP: AMBER

Executive Summary

Threat actors are actively exploiting missing “X-Frame-Options” HTTP headers to run phishing campaigns targeting multiple companies globally. They embedded the companies’ domains in iframes and overlaid them with phishing login panels to harvest credentials.

The phishing scheme involved loading the victim’s domain within an iframe and displaying a fake login panel on top. Victims unknowingly entered their credentials into this overlay, which were then sent to the attackers via a Telegram bot, using an API token and chat ID hardcoded in the phishing page.

Mitigations include setting the ‘X-Frame-Options’ HTTP header to ‘DENY’ or ‘SAMEORIGIN’, implementing a Content Security Policy with the ‘frame-ancestors’ directive, using frame-busting scripts, applying the ‘SameSite’ attribute to cookies, enforcing HTTP Strict Transport Security (HSTS), and implementing multi-factor authentication (MFA).

Analysis

We discovered a phishing page targeting multiple companies. Visiting the page presented the victim with a login panel. The URL of the phishing page was: hxxp[://]web-auth-ver-micha[.]hb[.]ru-msk[.]vkcs[.]cloud/trinity-B[.]html#victim_email@victim_domain[.]com

The phishing domain loading the original domain in an iframe with its login panel on top of it

Looking at the source code of the phishing webpage made it clear that the page loads, in an iframe, the domain taken from the victim’s email address in the URL fragment. On top of that it loads its own login page, which allows victims to enter their credentials. Thus, the phishing page was abusing websites that do not set the X-Frame-Options header.

The X-Frame-Options HTTP response header indicates whether a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites use it to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.

Source code of the phishing domain loading an iframe containing domain present in victim’s email

Once the victim entered credentials into the attacker’s login panel on top of the iframe, the credentials were sent to a Telegram bot via the Telegram API. For this purpose the threat actors had hardcoded a Telegram API token and chat ID in the page, which allowed the data to be sent to a Telegram bot under the attacker’s control.

Source code of the phishing domain containing the hardcoded Telegram API token and chat ID

Because the websites targeted by the attackers did not send the X-Frame-Options HTTP header, they could be loaded into an iframe, leaving them vulnerable to clickjacking.

Once we obtained the Telegram token and chat ID, we were able to dump all the credentials the threat actor had collected so far from all the victims.

Tools Used by Threat Actors

  • Hosting: The threat actors use the cloud hosting provided by vk.com, a Russian hosting service that is being abused by the threat actors to spread malware.

  • Mass Mailers: From HUMINT we learned that the threat actors also use a variety of tools to send phishing emails in bulk to the victims, as follows:
    • SendGrid: a cloud-based email delivery service that allows businesses to send transactional and marketing emails with ease. It provides reliable email delivery, powerful analytics, and scalable infrastructure to ensure messages reach their recipients.
    • PowerMTA SMTP Server: a high-performance SMTP server designed for efficient email delivery. It offers robust features for managing and optimizing large-scale email campaigns, ensuring high deliverability rates.
    • Gammadyne Mailer: a comprehensive email automation tool that simplifies the management of large-scale email campaigns. It provides tools for creating, sending, and tracking emails, ensuring efficient and personalized communication.

Interface of the PowerMTA SMTP email server being used by the threat actors

Interface of Gammadyne Mailer being used by the threat actors

Impact

From the data we were able to dump from the Telegram bot up to 31 July 2024, we have found 1,262 victims so far. These are the users who clicked on the phishing page and submitted their credentials. The most targeted domain is bigdutchmanusa.com, a poultry company based in the USA.

It is followed by globalnapi.com, a pharmaceutical company in Egypt. The third most targeted domain is indexcargologistics.com, a logistics and transportation company in Nairobi, Kenya.

Top 20 domains targeted by the threat actors

Country wise breakdown of the domains targeted by the threat actors

Modus Operandi

From HUMINT we learned that the threat actor hosts a few phishing pages on VK Cloud and Firebase. These pages load, in an iframe, the domain taken from the email address given in the URL: if the phishing URL is https://phishing.url/phishing.html#victim_email@victim_domain.com, then victim_domain.com is loaded in an iframe. On top of that sits a login panel created by the attacker.

Once the victim enters their credentials into the attacker’s login panel, they are sent to Telegram via the Telegram API embedded in the webpage. The Telegram bot they created for this purpose was called “MichaMicha”. The attackers can then check the validity of the credentials from there.

Via HUMINT we also found that, in order to spread these fake domains, the threat actor uses tools such as SendGrid, “PowerMTA SMTP Server” or “Gammadyne Mailer”. These tools allow the threat actor to send phishing emails to many different addresses in one go.

Attribution

Using the bot token and chat ID embedded in the phishing webpage, we were able to forward all the messages from the bot to our own Telegram chat with the bot. The first message was from the attacker’s Telegram handle: @controlroom1717.

The Telegram username of the bot used by the threat actors is @michamichabot.

The first message forwarded from the telegram bot containing the attacker’s telegram name

Using HUMINT we also learned that the attacker is located in Nigeria, as the Telegram account was created using a Nigerian mobile number.

The mobile number and username of the threat actor in his telegram profile

We were also able to obtain another phishing Firebase instance used by the threat actor to host phishing websites targeting Naver Works, a Korean company.

Phishing Firebase URL: hxxps[://]firebasestorage[.]googleapis[.]com/v0/b/vccv-f1c96[.]appspot[.]com/o/%EB%B0%94%20%EB%8B%B9%EC%82%AC%EC%9D%98%20%EC%A1%B0%EC%B9%98%20%EA%B2%B0%EA%B3%BC%EB%A5%BC[.]html?alt=media&token=da7594e4-02c5-499b-a040-8f17695f6286

Mitigation

To mitigate the threat of clickjacking, where a threat actor loads a company's domain in an iframe and overlays it with a phishing login panel, several strategies can be implemented:

  • Use X-Frame-Options HTTP Header: Set the `X-Frame-Options` HTTP response header to `DENY` or `SAMEORIGIN` to prevent your webpages from being loaded in an iframe.
  • Content Security Policy (CSP): Implement a Content Security Policy with the `frame-ancestors` directive to control which sources can embed your content. This directive specifies valid parents that may embed a page using frame, iframe, object, embed, or applet tags.
  • Frame Busting Scripts: Use JavaScript to redirect the top-level window to your page when it detects that it has been framed, e.g.

  // Break out of any framing page by navigating the top window to this page.
  if (top.location != self.location) {
      top.location = self.location.href;
  }

    Treat this as defence in depth only: a framing page can suppress such scripts (for example with the iframe sandbox attribute), so the headers above remain the primary control.

  • SameSite Cookie Attribute: Use the `SameSite` attribute in cookies to restrict them from being sent along with cross-site requests, e.g. `Set-Cookie: sessionId=abc123; SameSite=Lax`
  • Strict Transport Security (HSTS): Use HTTP Strict Transport Security (HSTS) to ensure your website is only accessed over HTTPS, protecting against man-in-the-middle attacks.
  • Multi-Factor Authentication (MFA): Implement multi-factor authentication to add an extra layer of security for user logins, making it harder for attackers to gain access with just a password.
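The following is an added example, not code from the CloudSEK post, that turns the X-Frame-Options explanation in the analysis above and the first two mitigations into a check a defender can run over a site's response headers: it classifies whether an arbitrary third-party origin could frame the page (the precondition this campaign relies on) and produces a hardened header set. It assumes header names are lowercased, as Node's http module delivers them, and the sample headers are constructed.

```javascript
// Audit framing policy from HTTP response headers and harden it.
// Header names are assumed lowercased (Node http style). Added example.

function parseFrameAncestors(csp) {
  // Return the frame-ancestors source list (lowercased, quotes stripped),
  // or null when the directive is absent from the policy.
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

function framingPolicy(headers) {
  // 'deny' | 'restricted' (self or an allow-list) | 'any' (embeddable by anyone).
  // Browsers honour CSP frame-ancestors over X-Frame-Options when both are set.
  const ancestors = parseFrameAncestors(headers['content-security-policy']);
  if (ancestors !== null) {
    if (ancestors.length === 0 || ancestors.includes('none')) return 'deny';
    if (ancestors.includes('*')) return 'any';
    return 'restricted';
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'deny';
  if (xfo === 'SAMEORIGIN') return 'restricted';
  // Missing header, or a value current browsers ignore (e.g. ALLOW-FROM):
  // the page can be loaded in an iframe from any origin.
  return 'any';
}

function hardenHeaders(headers) {
  // Return a copy with both controls set. An existing CSP keeps its other
  // directives and only gains frame-ancestors if it lacks one.
  const out = { ...headers, 'x-frame-options': 'DENY' };
  const csp = headers['content-security-policy'];
  if (parseFrameAncestors(csp) === null) {
    out['content-security-policy'] = csp
      ? `${csp.trim().replace(/;\s*$/, '')}; frame-ancestors 'none'`
      : "frame-ancestors 'none'";
  }
  return out;
}

// Constructed sample: the kind of response the targeted sites returned.
const weakHeaders = { 'content-type': 'text/html; charset=utf-8' };
console.log(framingPolicy(weakHeaders));                // any
console.log(framingPolicy(hardenHeaders(weakHeaders))); // deny
```

Point the same function at the headers returned by a real HEAD request to each login page of your own domains to find the ones an attacker could frame.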

Author

CloudSEK TRIAD

Threat Research and Information Analytics Division at CloudSEK
