URL: https://blog.checkpoint.com/security/sign-in-to-continue-and-suffer-attackers-abusing-legitimate-services-for-credential-the...
Submission: On June 21 via api from DE — Scanned from DE


Security, June 19, 2023


‘SIGN IN TO CONTINUE’ AND SUFFER : ATTACKERS ABUSING LEGITIMATE SERVICES FOR
CREDENTIAL THEFT

By Check Point Team

HIGHLIGHTS:

 * CHECK POINT RESEARCH (CPR) DETECTED AN ONGOING PHISHING CAMPAIGN THAT USES
   LEGITIMATE SERVICES FOR CREDENTIAL HARVESTING AND DATA EXFILTRATION IN ORDER
   TO EVADE DETECTION.

 * HTML FILES ARE ONE OF THE MOST COMMON ATTACK VECTORS AND ARE USED BY
   ATTACKERS FOR PHISHING, AND OTHER SCAMS

 * CHECK POINT SOFTWARE’S CUSTOMERS REMAIN PROTECTED AGAINST THIS ATTACK

INTRODUCTION

According to Check Point Harmony Email researchers, credential harvesting has
continually been the top attack vector, accounting for 59% of reported attacks.
It also plays a major role in Business Email Compromise (BEC), accounting for
15% of attacks.

In order to steal and harvest the user’s credentials, phishing emails contain a
malicious URL or attachment. According to Check Point’s telemetry, more than 50%
of malicious attachments are HTML files. In order to trick the user, many of
those attachments are in the form of a disguised login page of known services
and vendors such as Microsoft, Webmail, etc.



Figure 1: Malicious attachments by file type. Source: Check Point Research

The user enters his credentials in the spoofed login form, clicks submit, and
the credentials are sent to the malicious actor, usually via a web server or
Telegram’s API.
During the past few months, CPR has observed ongoing campaigns involving
thousands of emails that take advantage of legitimate services including
EmailJS, Formbold, Formspree and Formspark in order to collect the stolen
credentials.
These services are all online form builders that let you create custom forms
for your website or web application, and they are used by many developers.
They provide a user-friendly interface for building forms that can be embedded
in a website or application, and offer various field types, such as text
inputs, radio buttons, checkboxes and dropdown menus, so that information can
be collected from users in a structured way.
Once a user submits the form, the service processes and forwards the form data;
in these campaigns, that data is the stolen credentials.



Figure 2: Credential harvesting process

CREDENTIAL HARVESTING

Credential harvesting is a type of cyberattack in which malicious actors acquire
sensitive information such as usernames and passwords, either to gain initial
access to an organization or to sell it online. Often these attacks do not
target a specific organization but try to gather as many usernames and
passwords as possible in order to sell them online.



Figure 3: Dark web forum selling stolen credentials.

TECHNIQUE OVERVIEW

In the past, attackers used two main methods to harvest the credentials. The
first is a PHP file hosted on a compromised site. With this method, however,
attackers face the possibility of the site being blocked by network security
solutions.
The second method uses Telegram’s API, but this method is widely known to
security vendors, which makes it more likely to be blocked.
The new method of using a legitimate form service’s API, which is also used by
many developers, makes malicious HTML files harder to block. Using this API,
the credentials can be sent wherever the attacker chooses, even to his own
mailbox.

EMAILJS

Let us take EmailJS as an example. EmailJS is a service that allows developers
to send emails using client-side technology only without any server code. In
order to use their service, all one needs to do is –

 1. Connect an email address to the service.
 2. Create an email template, in order to decide how to send the email and to
    which email address.
 3. Use their SDK or API, to send emails using JavaScript.

The service is free up to 200 emails per month, and by subscribing you can send
up to 100,000 emails per month.
The service is legitimate and is used by more than 25,000 developers according
to their official website.



Figure 4: EmailJS official website

Here are two examples of how malicious actors are using this service to harvest
stolen credentials –



Figure 5: Phishing page using EmailJS

In Figure 5, the attacker first calls “emailJS.init” with his public key. The
function “sendEmail”, which is triggered when the user submits the form, then
calls “emailjs.send”, and the data is delivered to the attacker’s email
account by mail.

 



Figure 6: Another example using EmailJS from the HTML file

In Figure 6 the attacker uses the EmailJS API directly to send himself the
victim’s credentials.
The above examples were used in the campaign we observed. Also, we found two
different EmailJS public API keys that were used in the campaign.

AN ONGOING CAMPAIGN – OVERVIEW

One of the ongoing campaigns we detected starts with a phishing email that
conveys a sense of urgency to make the user open the attachment. The campaign
involved multiple versions of the email itself and a few different HTML
templates.



Figure 7: Example of a phishing email used in the campaign

The attached file corresponds to the email that the victim received, and we saw
multiple versions of it.



Figure 8: HTML attachments masquerade as document and webmail sign in

To make the sign-in page seem more legitimate, the campaign author pre-fills
the victim’s email address in the form; the address is hardcoded in the HTML
file. Once the victim enters his credentials and tries to log in, the username
and password are sent straight to the attacker’s email inbox.
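The technique overview, the EmailJS figures and the pre-filled victim address described above give a defender a handful of attachment-level indicators that can be checked before an HTML file reaches a mailbox. The following is an added example, not code from Check Point or from the post: a Python heuristic that parses an HTML attachment and scores it on a form-service reference (assumed marker strings for the four services the post names), a password field, a pre-filled email value and inline emailjs.init/send calls, while leaving an ordinary contact form on the same services alone. The two sample files are constructed; the CDN path, service/template keys and domains in them are placeholders.

```python
import re
from dataclasses import dataclass
from html.parser import HTMLParser

# Assumed marker strings for the four services the post names, matched
# case-insensitively in script sources, form actions and inline script.
FORM_SERVICE_MARKERS = ("emailjs", "formspree", "formbold", "formspark")
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")
EMAILJS_CALL_RE = re.compile(r"emailjs\.(init|send|sendform)\s*\(")

class _Collector(HTMLParser):
    # Gathers just the attributes the heuristics need from one HTML file.
    def __init__(self):
        super().__init__()
        self.password_fields = 0
        self.prefilled_emails = []
        self.sinks = []  # script src and form action values
        self.inline_script = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input":
            if a.get("type", "").lower() == "password":
                self.password_fields += 1
            value = a.get("value", "").strip()
            if EMAIL_RE.match(value):
                self.prefilled_emails.append(value)
        elif tag == "script":
            self._in_script = True
            if a.get("src"):
                self.sinks.append(a["src"])
        elif tag == "form" and a.get("action"):
            self.sinks.append(a["action"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_script.append(data)

@dataclass
class Verdict:
    score: int
    services: list
    password_fields: int
    prefilled_emails: list
    reasons: list

def scan_html(html):
    # Scores one attachment; the weights are assumptions, not vendor signatures.
    c = _Collector()
    c.feed(html)
    c.close()
    blob = " ".join(c.sinks + c.inline_script).lower()
    services = sorted(m for m in FORM_SERVICE_MARKERS if m in blob)
    reasons, score = [], 0
    if services:
        score += 1
        reasons.append("form-service reference: " + ", ".join(services))
    if c.password_fields:
        score += 2
        reasons.append(f"{c.password_fields} password field(s)")
    if c.prefilled_emails:
        score += 1
        reasons.append("pre-filled email value: " + ", ".join(c.prefilled_emails))
    if EMAILJS_CALL_RE.search(blob):
        score += 1
        reasons.append("inline emailjs.init/send call")
    return Verdict(score, services, c.password_fields, c.prefilled_emails, reasons)

def is_suspicious(html):
    # A password field posting through a form service is the campaign's shape;
    # a plain contact form on the same service (no password field) is not.
    v = scan_html(html)
    return bool(v.services) and v.password_fields > 0

# Constructed sample 1: skeleton of the attachments described above (pre-filled
# victim address, password field, EmailJS calls); keys and CDN path are placeholders.
PHISH_SAMPLE = """<form id="login">
  <input type="text" name="email" value="victim@example.com">
  <input type="password" name="pwd">
  <button type="submit">Sign in to continue</button>
</form>
<script src="https://cdn.example.test/emailjs.min.js"></script>
<script>
  emailjs.init("PUBLIC_KEY_PLACEHOLDER");
  // on submit: emailjs.send("SERVICE_PLACEHOLDER", "TEMPLATE_PLACEHOLDER", fields);
</script>"""

# Constructed sample 2: an ordinary contact form on a form service, no credentials.
BENIGN_SAMPLE = """<form action="https://formspree.example.test/f/PLACEHOLDER" method="POST">
  <input type="text" name="name"><input type="email" name="email">
  <textarea name="message"></textarea><button type="submit">Send</button>
</form>"""
```

`is_suspicious` deliberately requires both a form-service sink and a password field, because the services themselves are legitimate and widely embedded; the `score` and `reasons` are there for triage, so an analyst can see why a file was flagged (for the constructed phishing sample: service reference, password field, pre-filled address and the EmailJS calls). Pre-filled addresses and inline script are the cheapest indicators to add to an existing attachment sandbox or mail-filter rule.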



Figure 9: Credential harvesting process using EmailJS



Figure 10: Example of a HTML attachment using Formspark

CONCLUSION

We observed a rise in the use of legitimate services by attackers, which makes
it harder to defend against and can lead to credential theft in the
organization.

CHECK POINT CUSTOMERS REMAIN PROTECTED AGAINST THESE KINDS OF PHISHING ATTACKS.

Check Point Threat Emulation customers are protected against this attack.
The speed and sophistication of evasive zero-day and phishing attacks require
AI Deep Learning to predict and block malicious behavior without human
intervention.
Check Point Titan revolutionizes threat prevention and security management with
AI Deep Learning, advanced cloud services, integrated IoT security, and firewall
auto-scaling performance for mission-critical applications.

PHISHING PREVENTION

Check Point achieved an amazing score in phishing prevention (99.9%) in the
Miercom benchmark report, scoring 99.7% in malware prevention tests and nearly
0% in missed detections of phishing, malware and zero-day phishing URLs.

HOW TO SPOT PHISHING EMAILS & STAY PROTECTED

Phishing attacks pose a significant threat to enterprise cybersecurity because
they are designed to exploit an organization’s employees, rather than
vulnerabilities in its software or cybersecurity infrastructure. The prevalence
of phishing attacks and the risk that they pose to an organization makes it
critical for an organization to take steps targeted specifically toward
protecting against phishing attacks, including:

 1. Security Awareness Training: Phishing emails are designed to trick employees
    into taking a certain action. Training employees to recognize and correctly
    respond to attempted phishing attacks is essential for mitigating the
    phishing threat.
 2. Email Filtering: Phishers will sometimes use an email address similar to
    the legitimate one, such as user@cornpany.com instead of user@company.com,
    or embed malicious links. To check a link, hover over it with the mouse and
    verify that it goes to the right place before clicking it. Many of the
    common phishing techniques, such as malicious links and lookalike email
    addresses, can be detected by software. An email filtering solution can
    identify phishing emails based on these warning signs and block them from
    reaching the intended recipient’s inbox.
 3. Scan for Malicious Attachments: Malicious attachments are a common means of
    delivering malware via email. Scanning for malicious attachments and
    evaluating them in a sandboxed environment enables an organization to detect
    and prevent this malware delivery.
 4. Watch for Spelling and Grammar: Phishing emails commonly contain spelling
    mistakes and grammatical errors. If an email sounds wrong or does not match
    the alleged sender’s voice, then it is probably a scam.
 5. DLP Solution: Some phishing attacks are designed to steal sensitive
    information from an organization via email. A data loss prevention (DLP)
    solution can help to detect and block this attempted exfiltration.
 6. Anti-Phishing Solution: An anti-phishing solution will integrate many of
    these technological protections as well as other anti-phishing features.
    Deploying one provides an organization with comprehensive protection against
    phishing threats.
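The lookalike-address check from the email filtering item above (user@cornpany.com standing in for user@company.com) is easy to automate. The following is an added example, not code from Check Point or from the post: a Python sender-domain classifier that folds character sequences which render like another letter (rn for m, vv for w, and so on) and also catches one-character near-misses of a trusted domain with an edit-distance check. The confusable table, the distance threshold and the example domains are assumptions chosen for illustration.

```python
# Assumed confusable sequences: each pair is (what the phisher types, what the
# reader sees). Multi-character entries must be folded before single characters.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("5", "s"))

def normalize_domain(domain):
    # Lower-case the domain and fold every confusable sequence to its lookalike.
    d = domain.lower().strip()
    for typed, seen in CONFUSABLES:
        d = d.replace(typed, seen)
    return d

def edit_distance(a, b):
    # Plain Levenshtein distance (insert, delete, substitute each cost 1).
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address, trusted_domains, max_distance=1):
    # 'trusted' for an exact domain match, 'lookalike' for a confusable spelling
    # or a near-miss of a trusted domain, 'unknown' for anything else.
    if "@" not in address:
        return "unknown"  # malformed sender: never treat as trusted
    domain = address.rsplit("@", 1)[1].lower().strip()
    trusted = {t.lower() for t in trusted_domains}
    if domain in trusted:
        return "trusted"
    folded = normalize_domain(domain)
    for t in trusted:
        if folded == normalize_domain(t) or edit_distance(domain, t) <= max_distance:
            return "lookalike"
    return "unknown"

# Constructed senders for a quick run; company.com is the assumed trusted domain.
SAMPLE_SENDERS = (
    "user@company.com",   # trusted
    "user@cornpany.com",  # confusable rn -> m
    "user@compamy.com",   # one substitution away
    "user@example.org",   # unrelated
)

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        print(f"{sender:22} {classify_sender(sender, ['company.com'])}")
```

A lookalike verdict should quarantine or flag the message rather than silently drop it, since the edit-distance rule will occasionally catch a legitimate partner domain that happens to be one character away; routing those to review keeps the false-positive cost visible.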

 

IOCs

EmailJS Samples

053c0cd2f56b2d8276d0c5e11cbe3a5c96ec278d

d36908ce63f5386ddffaa390a0baef6a045e2254

FormSpark Samples

2c6fe45dbf760970b624b08cb1ff7bc5a5e21aa8

56b2d8a45e34384c4eb2c886037f22c9c90f3721

FormSpree Samples

b07876f8254667e0f023559eed548de7ad967941

4c4a0d818dff16566e4bbad0d3e3fbba18e7063d

FormBold Samples

f82fb2f5f17a5bad4a0dce32ceaea377fe78c905

5da1c26703a80b3f8e663461ef9d612b4ccdee38

 

 
