Banks and financial institutions are, for obvious reasons, attractive targets for malicious actors. Microsoft has recently documented a banking-focused adversary-in-the-middle (AiTM) phishing and business email compromise (BEC) campaign that shows what the threat landscape affecting the financial industry actually looks like.

Threat actors are after money, and where better to get it than from banks and financial institutions? Banks have long been exposed to phishing and other cyber threats whose primary objective is to steal sensitive information and financial assets.

Microsoft recently described a multi-stage operation that combined AiTM phishing with follow-on BEC activity.

 

Discovery of the New AiTM Attack

In a recent report, Microsoft revealed that the AiTM attack originated from a compromised trusted vendor and grew into a series of AiTM phishing attacks and subsequent BEC attempts spanning multiple banks and financial organizations.

 

Figure: banking system attacks (Source – Microsoft)

 

Microsoft tracks the group behind the attack as Storm-1167 and has detailed its use of an indirect proxy to carry out the phishing stage against banks and financial institutions.

The indirect proxy is what makes this AiTM technique notable: instead of relaying traffic to the real site, the attackers host phishing pages they fully control, tailor them to their targets, and use the harvested credentials to obtain session cookies from the legitimate authentication provider.

 

Modus Operandi of the AiTM Cyberattack

In a standard AiTM campaign the decoy page acts as a reverse proxy, relaying everything the victim types, including the password and the time-based one-time password (TOTP), to the legitimate site and stealing the resulting session cookie on the way back. This attack used an indirect proxy instead: the phishing page is not a relay at all but a fully attacker-controlled copy of the login form.

Microsoft did observe similarities with regular banking phishing attacks: victims were presented with pages mimicking the login page of the targeted application, hosted on a legitimate cloud service.

The purported sign-in page, however, loaded its resources from an attacker-controlled server. That server used the credentials the victim entered to initiate its own authentication session with the target application's authentication provider, so the victim never talked to the real login page directly.

The attack starts with the usual phishing email. Its link redirects the victim to a spoofed Microsoft sign-in page that captures the username, password and TOTP the user enters, and the attacker's server replays them against the real identity provider before the one-time code expires.

 

Figure: phishing (Source – Hackernews)

 

With the session cookie obtained that way, the attackers replay it to impersonate the user and gain access to the mailbox without authenticating again. They use that access to read sensitive emails and stage BEC fraud. To keep the foothold, they add a new SMS-based 2FA method to the compromised account, which lets them sign in later with the stolen password and their own phone number without triggering a challenge the victim would notice.
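As an added example (not code from the original post or from Microsoft's report), the following Python script shows the kind of correlation a SOC could run over identity-provider sign-in logs to catch the two steps just described: a session cookie presented from a network other than the one where the interactive sign-in happened, followed by a new MFA method being registered through that replayed session. The events, field names and the one-hour window are constructed assumptions, not a real log format.

```python
from datetime import datetime, timedelta

# Assumption: a cookie presented from a new network within this long after
# the interactive sign-in is treated as a possible replay.
WINDOW = timedelta(hours=1)

# Constructed sample events, not real identity-provider telemetry. The
# "kind" values are my own labels: interactive_login (password + TOTP
# accepted), session_cookie (request authenticated by cookie only) and
# mfa_method_added (a new factor registered on the account).
SAMPLE_EVENTS = [
    {"ts": "2023-06-01T09:00:00", "user": "alice@bank.example", "session": "S1",
     "ip": "203.0.113.10", "kind": "interactive_login"},
    # the same session cookie arrives from another network 90 seconds later
    {"ts": "2023-06-01T09:01:30", "user": "alice@bank.example", "session": "S1",
     "ip": "198.51.100.77", "kind": "session_cookie"},
    # and that session registers an SMS factor to keep access
    {"ts": "2023-06-01T09:03:00", "user": "alice@bank.example", "session": "S1",
     "ip": "198.51.100.77", "kind": "mfa_method_added", "method": "sms"},
    # benign: bob's cookie is reused from the IP he signed in from
    {"ts": "2023-06-01T10:00:00", "user": "bob@bank.example", "session": "S2",
     "ip": "203.0.113.20", "kind": "interactive_login"},
    {"ts": "2023-06-01T10:30:00", "user": "bob@bank.example", "session": "S2",
     "ip": "203.0.113.20", "kind": "session_cookie"},
    # benign: carol adds a factor from her own, non-replayed session
    {"ts": "2023-06-01T11:00:00", "user": "carol@bank.example", "session": "S3",
     "ip": "203.0.113.30", "kind": "interactive_login"},
    {"ts": "2023-06-01T11:05:00", "user": "carol@bank.example", "session": "S3",
     "ip": "203.0.113.30", "kind": "mfa_method_added", "method": "authenticator_app"},
]


def find_aitm_indicators(events, window=WINDOW):
    """Return {user: [finding, ...]}.

    A finding is raised when a session cookie is presented from an IP other
    than the one that completed interactive authentication within `window`,
    and a second, higher-severity finding when a new MFA method is then
    registered through that replayed session.
    """
    ordered = sorted(events, key=lambda e: e["ts"])   # ISO timestamps sort lexically
    origin = {}       # session id -> (auth time, auth ip)
    replayed = set()  # session ids already seen from a foreign ip
    findings = {}
    for e in ordered:
        ts = datetime.fromisoformat(e["ts"])
        sess = e["session"]
        if e["kind"] == "interactive_login":
            origin[sess] = (ts, e["ip"])
            continue
        if sess not in origin or ts - origin[sess][0] > window:
            continue  # no reference sign-in, or outside the window
        auth_ip = origin[sess][1]
        if e["kind"] == "session_cookie" and e["ip"] != auth_ip:
            replayed.add(sess)
            findings.setdefault(e["user"], []).append(
                f"session {sess} replayed from {e['ip']} (interactive sign-in was from {auth_ip})")
        elif e["kind"] == "mfa_method_added" and sess in replayed:
            findings.setdefault(e["user"], []).append(
                f"new {e['method']} MFA method added through replayed session {sess}")
    return findings


if __name__ == "__main__":
    for user, notes in find_aitm_indicators(SAMPLE_EVENTS).items():
        print(user)
        for note in notes:
            print("  -", note)
```

Only alice is flagged: her cookie moves networks within the window and the SMS factor is added through that replayed session, while bob's cookie reuse and carol's factor registration stay on the original network. In production the IP comparison would normally be relaxed to ASN or geolocation to tolerate mobile users, and the MFA-registration check would be joined with the identity provider's own "risky sign-in" signal.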

 

Figure: sophisticated attacks (Source – Hackernews)

 

The Scope of the AiTM Attack

Microsoft observed that, in this incident, the attacker ran a mass spam campaign from the compromised account, sending more than 16,000 emails to the victim's contacts both inside and outside the organization.

The campaign's goal is financial fraud, and it shows how AiTM phishing and BEC can abuse the trust that vendors, suppliers and partner organizations place in each other's email.

 

Tactics Employed by the AiTM Attack

Microsoft had warned a month earlier of a surge in BEC attacks, describing how malicious actors' tactics are evolving, including the use of platforms such as BulletProftLink to run massive malicious email campaigns.

 

 

What set this attack apart was the care the adversary took to avoid detection and maintain persistence: the attacker opened and replied to incoming emails from the compromised mailbox and then deleted them from the inbox, so the legitimate user saw nothing unusual.

A second AiTM attack then targeted the recipients of those phishing emails to harvest their credentials in turn, and further phishing campaigns were launched from the mailbox of one such newly compromised account.

Another notable tactic was the use of residential IP addresses, so that the malicious sign-ins appeared to originate from the victim's own locale rather than from attacker infrastructure.
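The mailbox-side tactics above (a burst of outbound mail from one account, and incoming messages that are replied to and then deleted shortly afterwards) can likewise be surfaced from mailbox audit logs. The Python below is an added example, not code from the original post or from Microsoft; its events, operation names, thresholds and time windows are constructed assumptions to be tuned against a real baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions: thresholds to tune against the organisation's own baseline.
BURST_WINDOW = timedelta(minutes=10)     # sliding window for outbound volume
BURST_RECIPIENTS = 500                   # recipients within the window that count as a burst
REPLY_DELETE_GAP = timedelta(minutes=5)  # reply followed by deletion within this gap is suspicious

# Constructed mailbox-audit-style events, not real logs. Operation names are
# my own labels; a real audit trail will use the product's names.
SAMPLE_MAIL_EVENTS = [
    # alice's mailbox, driven by the attacker from a residential IP
    {"ts": "2023-06-02T08:00:00", "user": "alice@bank.example", "op": "Send",
     "msg": "m1", "recipients": 400, "ip": "198.51.100.77"},
    {"ts": "2023-06-02T08:04:00", "user": "alice@bank.example", "op": "Send",
     "msg": "m2", "recipients": 400, "ip": "198.51.100.77"},
    {"ts": "2023-06-02T08:10:00", "user": "alice@bank.example", "op": "Reply",
     "msg": "m3", "in_reply_to": "in1", "ip": "198.51.100.77"},
    {"ts": "2023-06-02T08:11:00", "user": "alice@bank.example", "op": "HardDelete",
     "msg": "in1", "ip": "198.51.100.77"},
    # bob: ordinary volume, and a reply whose original is tidied up hours later
    {"ts": "2023-06-02T09:00:00", "user": "bob@bank.example", "op": "Send",
     "msg": "m4", "recipients": 20, "ip": "203.0.113.20"},
    {"ts": "2023-06-02T09:05:00", "user": "bob@bank.example", "op": "Reply",
     "msg": "m5", "in_reply_to": "in2", "ip": "203.0.113.20"},
    {"ts": "2023-06-02T11:30:00", "user": "bob@bank.example", "op": "SoftDelete",
     "msg": "in2", "ip": "203.0.113.20"},
    {"ts": "2023-06-02T16:00:00", "user": "bob@bank.example", "op": "Send",
     "msg": "m6", "recipients": 20, "ip": "203.0.113.20"},
]


def mailbox_findings(events, burst_window=BURST_WINDOW,
                     burst_recipients=BURST_RECIPIENTS,
                     reply_delete_gap=REPLY_DELETE_GAP):
    """Return {user: [finding, ...]} for two mailbox patterns:
    (a) at least `burst_recipients` addressed within any `burst_window`,
    (b) an incoming message replied to and then deleted within `reply_delete_gap`."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})

    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        notes = []

        # (a) sliding window over Send events, summing recipient counts
        sends = [e for e in evs if e["op"] == "Send"]
        start, total = 0, 0
        for e in sends:
            total += e["recipients"]
            while e["ts"] - sends[start]["ts"] > burst_window:
                total -= sends[start]["recipients"]
                start += 1
            if total >= burst_recipients:
                notes.append(f"{total} recipients addressed within {burst_window} ending {e['ts']:%H:%M}")
                break  # one finding per mailbox is enough to escalate

        # (b) reply time per original message, then look for a quick deletion
        replied_at = {e["in_reply_to"]: e["ts"] for e in evs if e["op"] == "Reply"}
        for e in evs:
            if e["op"] in ("SoftDelete", "HardDelete") and e["msg"] in replied_at:
                gap = e["ts"] - replied_at[e["msg"]]
                if timedelta(0) <= gap <= reply_delete_gap:
                    notes.append(f"message {e['msg']} replied to and deleted {gap} later")

        if notes:
            findings[user] = notes
    return findings


if __name__ == "__main__":
    for user, notes in mailbox_findings(SAMPLE_MAIL_EVENTS).items():
        print(user)
        for note in notes:
            print("  -", note)
```

Alice's mailbox produces both findings (800 recipients inside ten minutes, and a message deleted one minute after being answered); bob's normal traffic produces none. Because the attacker deliberately cleans up the inbox, the audit trail rather than the mailbox contents is the only reliable record, so audit logging must be enabled and retained before an incident for this to work.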

 

Final Words

Because of these tactics, the new AiTM/BEC attacks are more dangerous than they first appear. The attackers use localized, residential IP addresses to blend in with legitimate traffic.

 


 

Besides harvesting usernames and passwords, the malicious actors hide their movements, bypass TOTP-based multi-factor authentication and use compromised mailboxes as springboards for further attacks. Since any factor the user types into a web page can be phished this way, only phishing-resistant methods such as FIDO2/WebAuthn security keys and passkeys, which bind the authentication to the real site's origin, close that gap. Financial organizations must therefore be more vigilant in protecting their valuable information assets with the right strategies and cybersecurity safeguards.
