ID Authentication Bypass and the Next Evolution in Phishing Campaigns

Written by

Phishing attacks have been around for decades. There’s a reason for their enduring popularity. The social engineering techniques on which they’re based expose a weakness most humans have when interacting online: our credulity. However, threat actors have become experts at updating their scams even as recipients become more sceptical of what they see online. That’s why phishing was the number one cybercrime type by victim count last year, according to the FBI.

Phishing was talked about through October, Cyber Awareness Month. It’s hard to tell the difference between legitimate and phishing emails, even with >20 years of experience. 

A recent dark web offering spotted by Recorded Future highlights the sophistication of modern phishing packages available to budding fraudsters and the increasing difficulty financial institutions and others have in successfully authenticating legitimate users.

Layers of Complexity

The threat actor in question, ‘Knyght,’ offers a range of custom and pre-built phishing pages for various banking targets. The sheer range of data a phisher could request via these tools is astonishing. It includes not only the usual suspects, such as account logins, payment card data, browser fingerprint and personal info such as email address, phone number, date of birth, and social security number, but also more advanced options. 

These include an ‘ID document upload,’ which harvests images of victims’ driver’s licenses and/or passports, enabling scammers to bypass ID checks commonly used by banks for loan applications. Also featured by Knyght is a ‘selfie cam’ designed to capture a victim’s selfie photo taken while holding an ID document. This opens the door to a potentially even wider range of fraudulent activity, given the number of websites and apps now using selfies to register and authenticate users.

That’s not all. The phishing packages offered by Knyght also feature a CAPTCHA challenge-response test. This works on two levels. It helps to instill confidence in the victim that they’ve been directed to a legitimate login page, while for the cyber-criminal, it will keep the phishing page clear of bots and crawlers. A further level of sophistication on the back end is an input validation feature which ensures that the victim can only proceed through account verification stages if they have entered legitimate values for each field of text. This will change dynamically as the page recognizes the type of device they’re using.

Simple to Operationalize

Even worse for businesses trying to defend against sophisticated account login and new account fraud is that it’s relatively easy to turn the above into a fully functional phishing campaign. All a threat actor needs to do is purchase the required template of a phishing page for a specific bank and then assign it to a domain under their control. Any successfully stolen data is then sent to a data archive under their control and their Telegram account or email address. 

Luring the victim is also the job of the threat actor, although there are tried-and-tested techniques for this, such as mass email phishing campaigns and more targeted versions using search engines and advertising on social networks. This is highly professionalized large-scale fraud and cybercrime.

Fighting Back

So, what can banks and other frequently targeted businesses like e-commerce providers and crypto specialists do to fight back? The first stage is educating customers to better spot the initial phishing email or social engineering tactic. Spam filters tuned to detect phishing indicators such as viruses, blank senders and keywords can also help. They should also be encouraged to install anti-malware and web filters to block malicious attachments and websites, respectively. 

On the corporate IT security side, threat intelligence can be a critical ally in the fight against sophisticated phishing. Monitoring for potential typosquatting domains that are weaponized in phishing attacks – including those of third-party vendors and partners with enterprise network access – is a good idea. You should also monitor for popular tactics, techniques and procedures (TTPs) of phishing campaigns – the more you know, the better prepared you are. 

The bottom line is that phishing-as-a-service (PhaaS) makes it dramatically easier for less technically sophisticated fraudsters to carry out phishing campaigns. As we’ve seen, these efforts now feature a wealth of sophisticated capabilities. It’s time to get back on the front foot by making powerful threat detection and response capabilities easier to procure and deploy.

What’s hot on Infosecurity Magazine?