New Phishing-as-a-Service Platform Enables Cybercriminals to Generate Convincing Phishing Pages
A previously undocumented phishing-as-a-service (PhaaS or PaaS) platform named Greatness has been used by cybercriminals to target business users of the Microsoft 365 cloud service since at least mid-2022, effectively lowering the bar of entry for phishing attacks.
“Greatness, for now, is focused solely on Microsoft 365 phishing pages, providing affiliates with attachment and link generators that create highly convincing bait and entry pages,” Cisco Talos researcher Tiago Pereira said.
“It contains features such as filling in the victim’s email address and displaying the appropriate company logo and background image, taken from the target organization’s original Microsoft 365 login page.”
Campaigns involving Greatness have predominantly targeted manufacturing, healthcare and technology entities located in the US, UK, Australia, South Africa and Canada, with spikes of activity detected in December 2022 and March 2023.
Phishing kits like Greatness offer threat actors, novices or otherwise, a cost-effective and scalable one-stop shop, making it possible to design convincing login pages associated with various online services and bypass two-factor authentication (2FA) protections.
In particular, a genuine-looking decoy page works as a reverse proxy to harvest the credentials and time-based one-time passwords (TOTP) entered by victims.
The captured credentials and tokens are then forwarded to the affiliate's Telegram channel, from where they can be used to gain unauthorized access to the account in question.
The adversary-in-the-middle (AiTM) phishing kit also comes with an administration panel that allows affiliates to configure Telegram bots, track stolen information, and build booby-trapped attachments or links.
What’s more, each affiliate is expected to have a valid API key in order to load the phishing page. The API key also prevents unwanted IP addresses from viewing phishing pages and facilitates behind-the-scenes communication with actual Microsoft 365 login pages under the guise of a victim.
“Working together, the phishing kit and API perform a ‘man-in-the-middle’ attack, requesting information from the victim that the API will then send to a valid login page in real time,” Pereira said.
“This allows PaaS affiliates to steal usernames and passwords, along with authenticated session cookies if the victim uses MFA.”
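To make the relay mechanism described above concrete, here is an added toy model (not code from the Greatness kit, Cisco Talos or Microsoft). It stands up a minimal identity provider that accepts a password plus TOTP, puts a relay where the phishing page sits, and shows why a code the victim types into the lure page still gets the relay a live session, while an origin-bound factor in the WebAuthn style does not. The origins, account, secrets and the HMAC stand-in for the authenticator signature are all constructed for the example.

```python
"""Toy model of an adversary-in-the-middle (AiTM) credential relay.

Added example, not code from the Greatness kit or Cisco Talos: an identity
provider (IdP) that accepts password + TOTP, a relay standing where the
phishing page does, and an origin-bound (WebAuthn-style) factor the relay
cannot forward successfully. Origins, users and secrets are constructed.
"""
import hashlib
import hmac
import secrets
import struct

REAL_ORIGIN = "https://login.example.test"          # assumed real IdP origin
PHISH_ORIGIN = "https://login.example-secure.test"  # assumed lure domain


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (the default most authenticator apps use)."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def sign_assertion(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    """Stand-in for the authenticator's signature over (challenge, origin).
    HMAC instead of a public-key signature keeps the toy self-contained; what
    matters is that the page origin is covered by the signature."""
    return hmac.new(device_key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()


class IdentityProvider:
    def __init__(self):
        self.users = {}     # username -> {password, totp_secret, device_key}
        self.sessions = {}  # session cookie -> username

    def register(self, username, password, totp_secret, device_key):
        self.users[username] = {"password": password, "totp_secret": totp_secret,
                                "device_key": device_key}

    def login_totp(self, username, password, code, now):
        """Nothing ties the request to the page the user typed on, so a relay that
        forwards the code within its 30-second window gets a session."""
        u = self.users.get(username)
        if u is None or not hmac.compare_digest(u["password"], password):
            return None
        if not hmac.compare_digest(totp(u["totp_secret"], now), code):
            return None
        return self._issue_session(username)

    def login_origin_bound(self, username, challenge, client_origin, assertion):
        """WebAuthn-style: the reported origin must be ours, and the signature
        must verify over that same origin."""
        u = self.users.get(username)
        if u is None or client_origin != REAL_ORIGIN:
            return None
        expected = sign_assertion(u["device_key"], challenge, client_origin)
        return self._issue_session(username) if hmac.compare_digest(expected, assertion) else None

    def _issue_session(self, username):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = username
        return cookie


class AitmRelay:
    """The phishing page: forwards whatever the victim submits to the real IdP in
    real time and keeps the session cookie ('exfil' stands in for the Telegram channel)."""

    def __init__(self, idp):
        self.idp = idp
        self.exfil = []

    def relay_totp(self, username, password, code, now):
        cookie = self.idp.login_totp(username, password, code, now)
        if cookie:
            self.exfil.append({"user": username, "password": password, "cookie": cookie})
        return cookie

    def relay_assertion(self, username, challenge, assertion, rewrite_origin):
        # The victim's browser signed for PHISH_ORIGIN, the page it was really on.
        # The relay can forward that origin honestly or rewrite it; neither works.
        origin = REAL_ORIGIN if rewrite_origin else PHISH_ORIGIN
        cookie = self.idp.login_origin_bound(username, challenge, origin, assertion)
        if cookie:
            self.exfil.append({"user": username, "cookie": cookie})
        return cookie


def simulate(now=1_700_000_000):
    """Run both flows against one IdP and report what the relay ended up with."""
    idp = IdentityProvider()
    totp_secret, device_key = secrets.token_bytes(20), secrets.token_bytes(32)
    idp.register("alice@example.test", "Winter2023!", totp_secret, device_key)
    relay = AitmRelay(idp)

    # Victim reads the 6-digit code off her phone and types it into the lure page.
    code = totp(totp_secret, now)
    stolen_cookie = relay.relay_totp("alice@example.test", "Winter2023!", code, now)

    # Same victim and relay, but the factor is bound to the page origin. The relay
    # fetched the challenge from the real IdP and presented it on the lure page.
    challenge = secrets.token_bytes(32)
    assertion = sign_assertion(device_key, challenge, PHISH_ORIGIN)
    honest = relay.relay_assertion("alice@example.test", challenge, assertion, False)
    forged = relay.relay_assertion("alice@example.test", challenge, assertion, True)

    return {"totp_session_hijacked": stolen_cookie in idp.sessions,
            "origin_bound_honest": honest, "origin_bound_forged": forged,
            "exfiltrated": len(relay.exfil)}


if __name__ == "__main__":
    print(simulate())
```

The point the model makes is the one the article's quotes make: a TOTP or a pushed approval proves the user has the second factor, not that the user is on the legitimate page, so forwarding it within its validity window is enough for the relay to receive a session cookie. An origin-bound assertion fails in both relay strategies, because the origin is part of what the authenticator signs and the provider checks it against its own.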
The findings come as Microsoft began enforcing number matching in Microsoft Authenticator push notifications on May 8, 2023, to strengthen 2FA protection and fend off MFA fatigue (prompt bombing) attacks. Number matching stops an attacker from getting a push approved blindly, but it does not protect against a relay that forwards the victim's completed sign-in in real time, as described above.