Credential theft via phishing remains a significant threat to enterprises, particularly through tactics involving cloned login pages and PHP-based phishing kits. Recent campaigns have targeted employee portals, employing advanced techniques to obscure malicious activity and collect user credentials.
Affected: employee portals, healthcare, Oracle, food service, financial sectors
Key points:
- Phishing remains a reliable method for credential theft in enterprise environments.
- Cloned pages targeting employee portals leverage PHP-based phishing kits.
- Credential validation has shifted from client-side to server-side, complicating detection.
- Findings include various domains impersonating legitimate login pages, such as myinfoaramapay.com, for Aramark.
- JavaScript is used to capture credentials and redirect users to actual portals post-theft.
- Infrastructure analysis indicates multiple domains hosted on the same IP address, complicating tracking efforts.
- Indicators suggest that threat actors use advanced tactics to bypass two-factor authentication mechanisms.
- Persistent, state-linked attackers are evolving their methods to maintain access.
MITRE Techniques:
- Phishing (T1566): A campaign using cloned web pages to capture employee login credentials.
- Credential Dumping (T1003): Credentials are collected via JavaScript and sent to a backend server for processing.
- Data Obfuscation (T1001): Server-side validation is used to hide the actual flow of credential capture from detection systems.
- Traffic Reflector (T1572): Use of decoy content hosted on the same IP to mislead security efforts.
Indicators of Compromise:
- [IP Address] 80.64.30.100
- [IP Address] 80.64.30.101
- [Domain] myinfoaramapay[.]com
- [Domain] forurbestexper[.]com
- [Domain] hignmarkedmemb[.]com
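Added example, not code from the Hunt.io write-up: a defender-side pivot on the indicators above that groups domains by hosting IP (the shared-IP point from the key points), surfaces anything co-hosted with a known-bad domain, and scores domain labels for resemblance to a protected brand token. The resolution records are constructed for illustration; only the IPs and domains come from the indicator list, while the decoy domains, the brand list and the 0.7 threshold are assumptions.

```python
"""Infrastructure pivot and brand-lookalike scoring over phishing IoCs."""
from collections import defaultdict
from difflib import SequenceMatcher

# Indicators from the list above, refanged ("[.]" -> ".") so they can be matched.
KNOWN_BAD = {"myinfoaramapay.com", "forurbestexper.com", "hignmarkedmemb.com"}

# Constructed passive-DNS style records: the IoC domains placed on the two
# listed IPs, plus hypothetical co-hosted and unrelated domains for contrast.
RESOLUTIONS = [
    ("myinfoaramapay.com", "80.64.30.100"),
    ("forurbestexper.com", "80.64.30.100"),
    ("hignmarkedmemb.com", "80.64.30.101"),
    ("unrelated-site.example", "80.64.30.101"),  # hypothetical co-hosted domain
    ("example.org", "203.0.113.7"),              # hypothetical unrelated domain
]


def pivot_by_ip(resolutions, known_bad):
    """Return {ip: sorted domains} for every IP hosting at least one known-bad domain."""
    by_ip = defaultdict(set)
    for domain, ip in resolutions:
        by_ip[ip].add(domain)
    return {ip: sorted(doms) for ip, doms in by_ip.items() if doms & known_bad}


def cohosted_suspects(resolutions, known_bad):
    """Domains not yet on the blocklist that share an IP with a known-bad domain."""
    suspects = set()
    for doms in pivot_by_ip(resolutions, known_bad).values():
        suspects.update(d for d in doms if d not in known_bad)
    return sorted(suspects)


def brand_score(domain, brand):
    """Best similarity of `brand` to any brand-length window of the first label.

    Sliding windows catch a brand token buried inside a longer label
    (e.g. "myinfo" + "arama..." ) that a whole-label comparison would miss.
    """
    label = domain.split(".")[0]
    n = len(brand)
    windows = (label[i:i + n] for i in range(max(1, len(label) - n + 1)))
    return max(SequenceMatcher(None, brand, w).ratio() for w in windows)


def lookalikes(domains, brands, threshold=0.7):
    """Domains whose label resembles a protected brand; threshold is a tuning assumption."""
    return sorted(d for d in domains if any(brand_score(d, b) >= threshold for b in brands))


if __name__ == "__main__":
    print(pivot_by_ip(RESOLUTIONS, KNOWN_BAD))
    print(cohosted_suspects(RESOLUTIONS, KNOWN_BAD))
    print(lookalikes([d for d, _ in RESOLUTIONS], ["aramark"]))
```

In practice the resolution records would come from a passive-DNS or firewall log export, and the co-hosted suspects would be queued for review rather than blocked outright, since shared hosting also produces benign neighbours.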
Full Story: https://hunt.io/blog/server-side-phishing-evasion-employee-portals