A New Phishing Threat with Impersonated Pages Targeted Zoom and GitHub Users
GitHub Security faced a significant threat from actors targeting GitHub users through their phishing campaign after impersonating CircleCI. Their campaign aimed to harvest two-factor codes and critical user credentials. Many victim organizations were affected even though the security threat did not directly impact them.
2024-01-19
'%3e%3cpath%20d='M4%204L15.733%2020H20L8.267%204H4Z'%20stroke='%230671C0'%20stroke-width='2'%20stroke-linecap='round'%20stroke-linejoin='round'/%3e%3cpath%20d='M4%2020L10.768%2013.232M13.228%2010.772L20%204'%20stroke='%230671C0'%20stroke-width='2'%20stroke-linecap='round'%20stroke-linejoin='round'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_8149_16006'%3e%3crect%20width='24'%20height='24'%20fill='white'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
'%3e%3cpath%20d='M5.37214%2023.8745H0.396429V8.10162H5.37214V23.8745ZM2.88161%205.95006C1.29054%205.95006%200%204.65279%200%203.08658C1.13882e-08%202.33427%200.303597%201.61278%200.844003%201.08082C1.38441%200.548853%202.11736%200.25%202.88161%200.25C3.64586%200.25%204.3788%200.548853%204.91921%201.08082C5.45962%201.61278%205.76321%202.33427%205.76321%203.08658C5.76321%204.65279%204.47214%205.95006%202.88161%205.95006ZM23.9946%2023.8745H19.0296V16.1963C19.0296%2014.3665%2018.9921%2012.0198%2016.4427%2012.0198C13.8557%2012.0198%2013.4593%2014.0079%2013.4593%2016.0645V23.8745H8.48893V8.10162H13.2611V10.2532H13.3307C13.995%209.01393%2015.6177%207.70611%2018.0386%207.70611C23.0743%207.70611%2024%2010.9704%2024%2015.2102V23.8745H23.9946Z'%20fill='%230671C0'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_3867_24588'%3e%3crect%20width='24'%20height='27'%20fill='%234A4D53'%20transform='translate(0%200.25)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
'%3e%3cpath%20d='M13.957%2014.75L14.668%2010.0848H10.2225V7.05745C10.2225%205.78115%2010.8435%204.53707%2012.8345%204.53707H14.8555V0.565174C14.8555%200.565174%2013.0215%200.25%2011.268%200.25C7.60703%200.25%205.21403%202.48441%205.21403%206.52931V10.0848H1.14453V14.75H5.21403V26.0278H10.2225V14.75H13.957Z'%20fill='%230671C0'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_3867_24590'%3e%3crect%20width='16'%20height='25.7778'%20fill='%234A4D53'%20transform='translate(0%200.25)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Phishing attacks that impersonate platforms like Zoom and GitHub pose significant cybersecurity risks, leading to financial losses, operational disruptions, and reputational damage.
In 2023, phishing schemes were the most reported crime type, with 300,497 complaints, and for the first time, investment schemes reported the highest financial loss to victims.
The 2024 Data Breach Investigations Report by Verizon highlighted that ransomware and extortion techniques, often initiated through phishing, accounted for 32% of all breaches, underscoring the significant operational disruptions caused by such attacks.
In 2024, the UK's Information Commissioner's Office emphasized that organizations must do more to combat the growing threat of cyber attacks, particularly phishing, to prevent reputational harm.
These examples illustrate the severe consequences of phishing attacks, especially those impersonating trusted platforms, highlighting the need for robust cybersecurity measures.
How were the users targeted?
Have you ever received an email that looks so real, you almost clicked on it? Well, that's exactly what happened to some people. Hackers found a clever way to send fake emails pretending to be from a tool called CircleCI, which many use alongside GitHub for their projects. These emails were part of a trick to steal login details.
Let's break down their sneaky plan step by step, so you know what to look out for and stay safe.
- Fake Login Alert: The email said, "Hey, your CircleCI session is over. Please log in again with your GitHub details." This made users think they had to act fast to fix it.
- The Trick Link: When users clicked the link in the email, it didn't take them to the real GitHub login page. Instead, it took them to a fake one that looked just the same.
- Stealing Info: On this fake page, when users entered their username and password, the bad guys secretly collected this information.
- Two-Step Verification Trick: If users had two-step verification (like when you get a code on your phone to enter), the bad site asked for that, too. When users entered the code, thinking they were securing their account, they were actually giving the bad guys everything needed to get into their accounts.
- A Little Good News: People who used extra security keys (a physical device for logging in) weren't tricked by this. Those accounts stayed safe.
GitHub’s Response
On completing the company’s analysis, GitHub removed all the credentials added by the threat actor for affected users and reset passwords. The firm also notified all the affected people and organizations. All the threat actor accounts were suspended as the company continued to monitor for any malicious activity.
As the company continues to stay vigilant and respond to any potential phishing domains as soon as they are discovered, it also provides practical steps for users to take to protect themselves. To be safe, users are encouraged to reset their passwords and two-factor recovery codes, review tokens for personal access, and implement additional measures for account security.
Zoom Impersonated Page by FIN11 Threat Actor
In a different case reported by the CYFIRMA research team, impersonated web pages were discovered recently related to Zoom App. Since Covid-19 hit the global business world, Zoom has been the most downloaded app.
FIN11 is famous for its large-scale campaign accomplished through impersonated web applications. According to the report developed by CYFIRMA, the actor has been using Zoom download pages to install Vidar, an information stealer software that targets large attack surfaces. The team researching the matter also observed that the IP address used had previously been linked to AsyncRAT.
FIN11 planned to utilize Zoom’s global outreach to compromise many systems that use popular web applications. The threat actor was recently connected with CLOP ransomware, a data theft extortion, and post-compromise ransomware deployment.
How the FIN11 Threat Works
The FIN11 threat is all about tricking people by using fake updates for apps we use every day, like Zoom. This group is really good at making their fake messages and websites look real, which is how they sneak harmful software onto computers. Next, we're going to look closely at the "Technical Details" section to understand exactly how FIN11 pulls off their tricks.
This part is important because it shows us, step by step, what happens from the moment someone clicks on a bad link to when the unwanted software gets installed. Knowing this can help us be more careful and keep our computers safe.
Technical Details
Let's explore deeper into the mechanics of the FIN11 attack with examples to understand how this threat unfolds:
- Initial Contact: The attack begins with an email that closely mimics a legitimate communication from Zoom, complete with logos and language that would not look out of place in an official message. This email prompts you to download a new version of Zoom for the latest features and security updates.
- Phishing Link: The email contains a link that, while appearing to direct you to Zoom's official website, actually leads to a skillfully crafted imitation designed to deceive the user into thinking they're on the real site.
- Malicious Download: On this phishing site, the user is encouraged to download the supposed new version of Zoom. However, the downloaded file, named “Zoom.exe,” is malicious software disguised as a legitimate application.
- Execution of Malicious File: Upon running “Zoom.exe,” it secretly installs a secondary program, “Decoder.exe,” onto the user's computer without their knowledge. “Decoder.exe” is essentially a gateway for the attacker, enabling the download and installation of additional malicious payloads.
- Additional Malicious Payloads: After the fake Zoom app is on your computer, the bad app puts in "MSBuild.exe," a sneaky tool that helps bring in more harmful files called "DLLs." These DLLs are connected to "Vidar," a tool that steals info like passwords and bank details from your computer and sends it to hackers.
- Importance of Vigilance: This example highlights the critical importance of verifying the source of software downloads. Always ensure you are downloading apps directly from the official website or a trusted app store. Pay close attention to the URL of the website you are downloading from; it should match exactly the official URL of the service.
Understanding these technical details emphasizes the necessity of cybersecurity awareness and the need for users to exercise caution when downloading applications, especially from links received in emails.
How Can Keepnet’s Help From Phishing Attacks
Use our Phishing Simulator to protect your organization against social engineering attacks. Phishing tests are designed to allow employees to detect phishing attacks and their variants and report them appropriately. They are also used to detect weak links and measure the effectiveness of security awareness training programs. The Phishing Simulation module is fully-integrated with our Awareness Educator to automatically place employees who are caught by our phishing simulations onto appropriate e-learning courses to improve their vigilance to genuine phishing attacks.
Phishing Simulation focuses on problems that many industries have been facing today, and we provide a detailed report of how your system is secured by Keepnet Labs security awareness modules.
Watch Keepnet Lab's unified human risk management platform solutions and see how Keepnet can protect your organization againts varios social engineering attacks.
Editor's Note: This blog was updated on November 19, 2024.
SHARE ON