Imagery from Frankenstein horror movies of the bygone era are presenting themselves in a recent phishing campaign. As this new and unusual phishing campaign, is described by Microsoft as a monster called, ‘Franken-Phish.’ ‘Franken-Phish’ because it’s made up of bits of this and bits of that, just like Frankenstein. Some of these bits are for sale through publicly accessible scam sellers while other bits are reused and repackaged by other kit resellers. In other words, Franken-Phish like other phishing scams is aimed at stealing your passwords. And hackers achieve this by using pieces of code copied from other hackers’ work to build up their “phishing kit.” To clarify, a phishing kit is the various software or services designed to facilitate phishing attacks. These kits have been dubbed the ZooToday by Microsoft because of a text used by the kit.
To mimic the Microsoft 365 login page TodayZoo is using the WorkMail domain AwsApps[.]com, to pump out email with links to phishing pages, according to Microsoft.
These attackers, say Microsoft, create malicious AWS WorkMail accounts “at scale.” However, rather than get domain names that represent legitimate company names they are just using randomly generated domain names instead. That’s to say, a thinly budgeted crude phishing product but one that still gets noticed, large.
It’s come up on Microsoft’s radar because it impersonates their brand and uses a technique “zero-point font obfuscation” – HTML text with a zero font size in an email – to duck human detection.In July Microsoft saw a rise in zero-font attacks. In other words, sending off warning bells.
In April & May, TodayZoo campaigns usually impersonated Microsoft 365 logins pages and a password-reset request. But, only a few months on campaigns were duping workers into giving up credentials, using Xerox-branded fax and scanner notifications.
Firstly, most of the phishing landing pages were hosted within cloud provider DigitalOcean according to the discoveries found by threat researchers at Microsoft. These pages mimicked the Microsoft 365 signin page.
Secondly, and this is unusual, harvested credentials are stored on the site itself, rather than forwarded to other email accounts. This trait called TodayZoo phishing kit was picked up from previous phishing scams that focussed on credentials from Zoom video-meeting accounts.
Meanwhile, rather than a network of agents, Microsoft researchers are attributing this work to a single operation phishing group.
Microsoft said, “many phishing kits are attributed to a wide variety of email campaign patterns and, vice-versa, but TodayZoo-based pages exclusively use the same email campaign patterns. This leads Microsoft to believe it’s the work of an independent group rather than many groups, because subsequent email campaigns only surfaced as TodayZoo kits.
In addition, Microsoft says it informed Amazon about the TodayZoo phishing campaign. And they “promptly took action”.
Let’s hope this monster of a phishing campaign doesn’t become a well-known horror of our time.
