Phishing with Misfortune Cookies 

A social engineering test used custom fortune cookies with a malicious link and a fake $50 Amazon gift card promotion to lure employees into entering credentials on a phishing site. The exercise showed that physical delivery methods such as cookies, QR codes, and mailed treats can bypass normal caution and still harvest credentials, even after the attacker was discovered. #Evilginx #Amazon #Denver

Keypoints

  • The attack used fortune cookies as a novel phishing delivery method instead of email or phone calls.
  • A fake company promotion promised a $50 Amazon gift card to encourage users to visit the malicious site.
  • The phishing site included a homepage for entering cookie codes and an impersonated login flow.
  • Evilginx was used to capture session credentials after users signed in.
  • 48 cookies were deployed, and 10 resulted in harvested employee credentials.
  • The test showed that even after the attacker was identified and removed, employees continued interacting with the phishing lure.
  • The article argues that security awareness training should account for physical phishing vectors such as QR codes and mailed packages.

MITRE Techniques

  • [T1566.002] Spearphishing Link – The lure directed victims to a malicious URL embedded in the fortune cookie and later could be hidden behind a QR code. [‘…a link pointing to the subdomain of the malicious site…’ / ‘…the link easily could be obfuscated behind a QR code…’]
  • [T1185] Browser Session Hijacking – The impersonated login flow was used to capture the victim’s session via Evilginx. [‘…from which we grab the session via Evilginx.’]
  • [T1204] User Execution – Victims had to take the cookie, enter the code, and follow the link/sign-in process for the attack to work. [‘…enter the code found within your cookie.’ / ‘Upon entering your code and checking, you would be prompted to sign in…’]
  • [T1589.001] Gather Victim Identity Information – The attacker relied on fake employee IDs and impersonation of legitimate staff to gain trust onsite. [‘…freshly minted fake employee IDs…’ / ‘pose as a legitimate company promotion.’]
  • [T1021] Remote Services – The fake login page captured credentials through a web sign-in flow to enable access to accounts/services. [‘…sign in an impersonated company login…’]

Indicators of Compromise

  • [Domains] Malicious phishing infrastructure and lure site – cookiegiveaways.com, subdomain of the malicious site
  • [File/Artifact Names] Physical lure materials and promotion branding – fortune cookies, fake employee IDs
  • [URLs] Credential-harvesting landing page used in the test – malicious URL, company login page
  • [Hash/Count Context] Deployment scale and outcome – 48 cookies used, 10 credential submissions
  • [Organizations/Brands] Social engineering lure and branding references – NetSPI, Amazon
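The flow described above (code-entry homepage, then a login page proxied under a subdomain of the lure domain) leaves a recognisable trace in web-proxy logs. The following is an added defender-side example, not code from the NetSPI write-up: it triages constructed proxy records against the lure domain named in the indicators, separating users who only browsed the site from those who posted credentials to a login-looking path under it. The log format and the login-path keywords are assumptions for this example.

```python
from datetime import datetime
from urllib.parse import urlparse

LURE_DOMAIN = "cookiegiveaways.com"          # domain named in the write-up
LOGIN_MARKERS = ("login", "signin", "auth")  # assumed login-path keywords


def parse_line(line):
    """Parse one constructed proxy record: '<iso-time> <user> <method> <url>'."""
    ts, user, method, url = line.split(maxsplit=3)
    parsed = urlparse(url)
    return {"ts": datetime.fromisoformat(ts), "user": user, "method": method,
            "host": (parsed.hostname or "").lower(), "path": parsed.path.lower()}


def under_lure_domain(host):
    """True for the lure domain itself and any subdomain of it
    (Evilginx serves the proxied real login under attacker-controlled DNS)."""
    return host == LURE_DOMAIN or host.endswith("." + LURE_DOMAIN)


def triage(lines):
    """Split users into those who submitted a credential POST under the lure
    domain and those who only browsed it. Returns sorted lists so the
    result is stable for reporting; the submitted list carries the first
    POST timestamp per user, which bounds the session-reset window."""
    submitted, visited = {}, set()
    for rec in sorted(map(parse_line, lines), key=lambda r: r["ts"]):
        if not under_lure_domain(rec["host"]):
            continue
        visited.add(rec["user"])
        if rec["method"] == "POST" and any(m in rec["path"] for m in LOGIN_MARKERS):
            submitted.setdefault(rec["user"], rec["ts"].isoformat())
    return {"submitted": sorted(submitted.items()),
            "visited_only": sorted(visited - set(submitted))}


# Constructed sample log: alice completes the full lure flow, bob only
# checks a code, carol signs in to an unrelated (legitimate) host.
SAMPLE_LOG = [
    "2024-05-01T09:00:00 alice GET https://cookiegiveaways.com/",
    "2024-05-01T09:01:10 alice POST https://cookiegiveaways.com/check",
    "2024-05-01T09:01:30 alice GET https://login.cookiegiveaways.com/",
    "2024-05-01T09:02:05 alice POST https://login.cookiegiveaways.com/common/login",
    "2024-05-01T09:05:00 bob GET https://cookiegiveaways.com/",
    "2024-05-01T09:30:00 carol POST https://login.example-corp.test/login",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Users in the submitted list need a session revocation as well as a password reset, since Evilginx captures the authenticated session cookie rather than just the password.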


Read more: https://www.netspi.com/blog/technical-blog/social-engineering/phishing-with-misfortune-cookies/