Skip to main content
Advertisement
Live broadcast
Main slide
Beginning of the article
Озвучить текст
Select important
On
Off

Shadow platforms began to offer a new tool for mass phishing: it allows you to send emails with the real addresses of large organizations in the sender's line. Such messages look like official correspondence and may bypass some of the standard mail checks. The service's developers claim that it has already been used to steal money from several financial companies. How the scheme works and why it is increasingly difficult for an ordinary user to distinguish a fake from a real letter is in the Izvestia material.

What tools do hackers sell?

A service for sender substitution and mass mailing began to be distributed on the darknet, experts from BI.ZONE Threat Intelligence told Izvestia.

"The platform for spoofing, a technology that allows phishing attacks using someone else's address, is actively advertised in shadow Telegram channels," the experts said. "The victim receives an email with the real email address of a legitimate organization in the "Sender" line."

телеграмм
Photo: IZVESTIA/Dmitry Korotaev

The new platform allows you to replace it with any other one. So, according to the creators of the tool, money has already been stolen from several financial exchanges with its help. To do this, the attackers sent letters complaining about alleged erroneous transactions and asked for a refund. According to the creators of the service, such requests were satisfied, and the fraudsters received the funds. The letters were sent on behalf of two banks.

"The developers of the platform emphasize that they do not register fake domain names that look like real ones, but differ by one inconspicuous sign, number, or symbol," the experts added. "As another important advantage, they point out the possibility of bypassing DKIM and SPF checks on the recipient's side - special email protection tools based on lists of trusted addresses and the sender's digital identifier."

график
Photo: IZVESTIA/Sergey Lantyukhov

At the same time, bona fide organizations are not responsible for the misuse of their names for criminal purposes and the resulting damage.

The new tool is dangerous because it allows you to create extremely plausible phishing emails, said the head of BI.ZONE Threat Intelligence Oleg Skulkin.

"Even very vigilant users will not be able to independently distinguish them from genuine ones, since real domains of real well—known companies are used for substitution," he noted. — In addition, malicious users use automatic image parsing to make the visual design of their emails as authentic as possible.

хакер
Photo: IZVESTIA/Polina Violet

Spoofing is not a new story, but in recent years it has become a well—developed industry, said Dmitry Streltsov, an analyst at Positive Technologies. A full-fledged Phishing as a Service (PhaaS) ecosystem has been formed on underground forums, where platforms are sold by subscription and technical support is also provided.

— The main danger is that a person cannot recognize a threat visually, — said the expert. — He sees a familiar address of a bank, regulator or partner, familiar corporate identity, correct text — and then follows the instructions. That is why such attacks are effective: a person is convinced that he is dealing with a real sender.

How the shadow market of ready-made tools works

The shadow market is actively turning into a service model: attackers sell not just tools, but turnkey ready-made cases, said Kirill Levkin, project manager at Softline Group (MD Audit). In addition to spoofing, phishing-as-a-service is popular — these are phishing page builders with automatic data collection. A separate trend is the use of AI: the generation of convincing emails, voice deepfakes for vishing attacks, and the automation of correspondence with the victim.

Tools for compromising business processes are also being developed, which help to conduct correspondence on behalf of an employee for a long time unnoticed, — Kirill Levkin noted. — An interesting and especially dangerous class are mechanisms for stealing session cookies and tokens, which allow bypassing even multi—factor authentication. In general, the market is moving towards lowering the entry threshold: sophisticated attacks are becoming available to almost anyone who is willing to pay.

пароль
Photo: Global Look Press/Jens Büttner

For years, users have been used to protecting themselves from understandable threats — not to click on suspicious links, not to download files from unfamiliar sites, not to enter passwords anywhere, Dmitry Streltsov recalled.

"The danger of executing commands independently remained out of sight, which is exactly what the attackers took up arms,— he added. — The ClickFix technique is based on social engineering: the user is pushed in various ways to start infecting his device himself. A fake CAPTCHA, instructions for opening a file, a notification about a program update, or an error message on the page can act as bait.

пароль
Photo: Global Look Press/IMAGO/Zoonar.com/Sirinarth Mekvo

ClickFix is sold on shadow sites as a separate service or as part of malware. A separate area is AI—based programs that allow you to control the victim's computer via chat with ordinary text commands. The operator formulates the task in the usual language: for example, he asks to find yesterday's PDF and send it to the specified recipient. Next, the model performs the necessary actions by itself — it searches for a file, opens the mail and attaches the document.

How not to become a victim of an attack

If the platform allows you to bypass DKIM and SPF checks, it can really help pass some of the spam filters and somewhat improve the effectiveness of scam mailings, says Ashot Oganesyan, founder of DLBI's data leak intelligence and monitoring service.

— However, it does not solve another problem of phishing emails — links inside the message may still lead to third-party sites, and not to the sender's official resource. Because of this, such emails can still end up in spam," the expert said. — At the same time, the possibility of bypassing DKIM checks looks doubtful: in recent months, there have been no reports of new vulnerabilities in this technology. The only exception is the Ghost-Sender vulnerability associated with Microsoft Exchange Online servers. At the same time, Russian organizations using import-substituted software do not face such a threat.

хакер
Photo: IZVESTIA/Alexander Kazakov

According to Oleg Skulkin, protection against such attacks is based on the analysis of the sender and related technical parameters. Mail systems evaluate the domain, the reputation of the source, and other signs indicating a possible forgery.

Attackers use not only spoofing, but also legitimate services: cloud platforms, web forms, file storage and trusted domains," the expert added. — Emails sent through such an infrastructure can successfully pass basic checks and not arouse suspicion.

Therefore, the protection strategy should include an analysis of the content of the letter. It is important for security systems to take into account not only technical indicators, but also the features of the message itself: manipulative wording, calls for urgent action, logical inconsistencies and other atypical elements.

ии
Photo: IZVESTIA/Yulia Mayorova

AI models that can analyze the sender's meaning, context, and behavior help identify such attacks. However, it is important for companies not only to improve their security mechanisms, but also to train employees to recognize dangerous emails: fake invoices, payment requests, notifications, and other attempts to mislead the recipient.

Переведено сервисом «Яндекс Переводчик»

Live broadcast