Phishing attack spoofs Twitter to steal account credentials


A new phishing campaign spotted by Abnormal Security attempts to trick people with a phony Twitter security notification.


Image: GrafVishenka, Getty Images/iStockPhotos

Phishing campaigns are a favored tactic among many cybercriminals because they’re relatively easy to set up and deploy. Because the phishing emails typically impersonate a well-known company or brand, they stand a good chance of trapping unsuspecting victims who have accounts with the spoofed entity. A new phishing campaign analyzed by the security provider Abnormal Security shows how the attackers are taking advantage of Twitter users to steal account credentials.

SEE: Fighting social media phishing attacks: 10 tips (free PDF) (TechRepublic) 

Described in a recent blog post from Abnormal Security, this attack was aimed toward a specific person who works at an organization that heavily uses Twitter. The goal was to alarm this individual with an urgent security notification in an attempt to obtain their Twitter password.

Using the Twitter brand name and logo, the initial email itself impersonated a Twitter security alert by claiming that the recipient’s account was used to log into a different device in a different location, specifically a Windows 7 computer in Canada.

The email states that if this login came from the recipient, there’s no need to take any action. But the attackers likely realized that the device or location would raise a red flag. In that event, the user was urged to click a link to confirm their account.

Image: Abnormal Security

The link itself is obfuscated with text and leads to a couple of redirects if clicked. The first redirect goes to a site hosted on a dynamic DNS service, while the second redirect takes the user to a recently registered anonymous domain masquerading as the Twitter landing page. Both the domain and landing page contain the Twitter brand name. Of course, if the recipient takes the bait, their Twitter credentials fall into the hands of the attackers who will use them to compromise the person’s account.

This type of attack is designed to succeed on a few levels. First, the security notification tries to convince the recipient that there’s been malicious activity on their Twitter account. The attackers are gambling on a sense of fear to prompt the user into taking quick action. Second, the link is concealed with text, so the recipient is more likely to click on it without realizing that it takes them to a phony login page.

Third, the email contains a section called “How do I know an email is from Twitter?” to lend even greater legitimacy to itself. Fourth, both the email and fake landing page look like they would come from Twitter with the familiar brand name and logo. Finally, the attack is highly targeted. Abnormal Security discovered it deployed against a specific person, thereby avoiding a mass or bulk phishing campaign that might otherwise be blocked by a security gateway.

Cybersecurity Insider Newsletter

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.
Delivered Tuesdays and Thursdays

Sign up today

Also see

Phishing attacks target workers returning to the office


Emails with fake COVID-19 training materials are trying to trick employees into sharing their Microsoft credentials, says Check Point Research.


Image: GrafVishenka, Getty Images/iStockPhotos

The coronavirus has been a subject ripe for exploitation and abuse by cybercriminals with phishing campaigns, malicious websites, and phony apps. Now that organizations in some parts of the world are trying to reopen, recent phishing attacks observed by the cyber threat intelligence provider Check Point Research are targeting employees returning to the office.

SEE: Coronavirus: Critical IT policies and tools every business needs (TechRepublic Premium) 

In a Thursday blog post, Check Point noted that organizations welcoming back workers are enacting testing programs and workplace rules to guard against COVID-19 infections. To prepare employees, many companies are offering webinars and training videos to explain the new rules and requirements. Of course, cybercriminals are aware of this trend and are actively exploiting it.

In phishing campaigns observed by Check Point, attackers are deploying emails and malicious files masquerading as COVID-19 training materials. One particular email tries to trap the recipient into signing up for a phony employee training seminar. Clicking the link in the email actually leads the person to a malicious website designed to capture their Microsoft credentials.

Check Point Research

But the level of cyberattacks exploiting COVID-19 vary based on each region and its return-to-work status. Areas such as Europe and North America, where organizations are returning to work, have seen a decline in the number of malicious coronavirus-related attacks. Areas such as Latin America and South Africa that are still grappling with the virus are seeing a rise in the number of such attacks.

Of course, cybercriminals are happy to pounce on any topic in the news to spread malware. Another phishing campaign spotted by Check Point is taking advantage of the current Black Lives Matter movement. In one specific attack seen in early June, emails were sent out with such subject lines as “Give your opinion confidentially about Black Lives Matter,””Leave a review anon about Black Lives Matter,” or “Vote anonymous about Black Lives Matter.”

The emails contains a file attachment in the form of a Microsoft Word document named “e-vote_form_####.doc,” with the #### representing different digits. This attachment plays host to two malicious URLs, and clicking on it launches the Trickbot malware, a trojan designed to steal information from the targeted machine.

Since the pandemic started around the beginning of 2020, the number of coronavirus-related cyberattacks have gone down. Such attacks fell to 130,000 per week during the first week of June, a drop of 24% from the average number in May. But the number of overall weekly cyberattacks in June have increased by 18% from May.

Cybersecurity Insider Newsletter

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.
Delivered Tuesdays and Thursdays

Sign up today

Also see

Phishing attacks impersonate QuickBooks invoices ahead of July 15 tax deadline


Targeting the CEO and others in an organization, the attacks spotted by cybersecurity firm Darktrace were detected due to artificial intelligence.

Image: designer491, Getty Images/iStockphoto

Phishing campaigns typically use a few different tactics to compromise their victims. The initial emails usually spoof a company, brand, or product potentially used by the recipient. Often such emails pretend to come from a fellow employee or trusted external partner. Also, these emails sometimes are directed toward a specific individual within an organization, such as a C-level executive or someone with financial control. A recent phishing attack observed by Darktrace used all of those methods in an attempt to deploy malware.

SEE: Fighting social media phishing attacks: 10 tips (free PDF) (TechRepublic) 

The campaign analyzed was aimed at a cutting-edge technology company, a tempting target for cybercriminals looking for maximum profits. In the first wave, the cybercriminals spoofed QuickBooks, a product commonly being used in advance of the July 15 tax deadline. In the initial phishing email, the sender claimed to be from QuickBooks maker Intuit with the address

Image: Darktrace

The email contained a file attachment masquerading as a legitimate monthly invoice that the organization would normally receive. This attachment appeared to be a standard Microsoft Office document but one with a macro designed to infect the targeted system with malware. The attack was directed toward several employees across multiple departments in the organization who had access to confidential information.

A month later, a second attack was launched against this same organization. This time, the attacker was able to compromise the email address of an accountant to send a phishing email directly to the CEO. In this instance, the email contained a Skype voicemail message as a way to coax the CEO to enter their login credentials on a phony Skype page.

“The fact that these attacks specifically targeted the CEO and only individuals who had access to the company’s research and intellectual property shows that this was a well-planned and meticulously executed attack,” Darktrace said in its report. “The emails were highly targeted and bespoke to the individuals, spoofing platforms they were known to use. We can assume information was leveraged from social media or even previous breaches to craft these emails.”

Since the attacks were ultimately unsuccessful, Darktrace wasn’t sure of the motives behind the campaign but was able to speculate.

“Their goal with the first wave seemed to be gaining access–either via malware or compromising account credentials,” Justin Fier, director of Cyber Intelligence & Analytics for Darktrace, told TechRepublic. “Given this was a technology company with invaluable IP (intellectual property), and that the attackers targeted the CEO and others involved with research with the second wave of attacks, it is likely that they were after more than just financial information, but were instead seeking to gain access to the company’s IP.”

Though both attacks snuck past traditional security solutions, the artificial intelligence (AI) component in the cybersecurity defense from Darktrace stopped each one. AI detected that the source of the spoofed emails was an IP address in Italy, which is outside the range of addresses permitted by Intuit to send email on its behalf. Darktrace also found these attempts suspicious compared with the SPF records normally assigned to Further, the AI component determined that it would be unlikely for the exact same email to be sent to so many different recipients across different departments within the organization.

Due to the AI security feature, the attack failed to gain a foothold in the organization. But the spoofing of a common item like a QuickBooks invoice still is cause for concern.

“This attack was clearly launched by an advanced group, with the group’s ability to so closely spoof Intuit’s platform especially concerning,” Darktrace said in its report. “As we approach the extended tax deadline of July 15, the group could easily launch more attacks–spoofing TurboTax to trick countless individuals, or target additional companies with fake QuickBooks invoices.”

How can organizations and individuals best protect themselves from these types of phishing attacks?

“Traditional email security tools will block spear-phishing attacks that have been seen before, but targeted and novel campaigns are often entirely unique in their content, exploiting the latest trending topic and leveraging specific details about a company,” Fier told TechRepublic. “In the continuous cat-and-mouse game with cyber-intruders, AI is capable of making accurate judgements about which emails are legitimate. In this specific instance, AI detected that the source location of the emails and the group of recipients was highly unusual, automatically blocking these illegitimate communications from even reaching the inbox in the first place.”

Cybersecurity Insider Newsletter

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.
Delivered Tuesdays and Thursdays

Sign up today

Also see

Microsoft 365 phishing campaign exploits Samsung, Adobe, and Oxford University


The attack redirects users through legitimate websites in an attempt to capture their Microsoft credentials, says Check Point Research.


Image: weerapatkiatdumrong, Getty Images/iStockphoto

Microsoft is a
popular brand for cybercriminals

to impersonate in phishing campaigns. The company’s products are used by a vast number of people, both personally and professionally. Plus, gaining access to someone’s Microsoft credentials can open the key to an array of associated websites and services. One particular campaign analyzed by cyber threat intelligence provider Check Point Research redirected people through a series of legitimate websites in an effort to steal their Microsoft credentials.

SEE: Fighting social media phishing attacks: 10 tips (free PDF) (TechRepublic) 

In a blog post published Thursday, Check Point described the method in which attackers exploited one of Oxford University’s mail servers to send the initial email, abused an Adobe Campaign redirection tool, and then used a Samsung domain to take users to a Microsoft Office 365-themed phishing website. The goal was to take advantage of legitimate sites and services in an effort to evade security software. First spotted in April, 43% of the attacks targeted European companies, while the rest were found in Asia and the Middle East.

Most of the emails observed came from multiple addresses that belonged to legitimate subdomains from different departments at the University of Oxford. By using Oxford’s SMTP servers, the attackers were able to sneak past the reputation check for the sender’s domain. They could also generate as many email addresses as they needed.

The sent email itself claims to offer missed voice mail related to the recipient’s Office 365 account with references to Office 365 and Microsoft and even a phony “Message from Trusted server” notice at the top. The email prompts the recipient to click on a button to listen to or download their missed voice messages. Clicking on that button then takes unsuspecting victims to a phishing page that asks them to sign in with their Microsoft account.

Image: Check Point Research

Behind the scenes, however, the trip between the email and the phishing page goes through several steps. First, users are redirected to an Adobe Campaign server. Offered by Adobe to email marketers, Adobe Campaign has been exploited in other phishing attempts to add legitimacy to URLs used in malicious messages.

In this instance, the link in the email directs people to an Adobe server used by Samsung during a 2018 Cyber Monday marketing campaign. By taking advantage of the Adobe Campaign link format and a legitimate Samsung domain, the attackers attempted to elude security protection based on reputation, blacklists, and URL patterns.

Next, the attackers redirect users to one of several compromised WordPress sites that contain malicious redirect code. Adding this layer is another way to evade security products as the URL in the email points to a seemingly legitimate WordPress site rather than a dubious phishing page.

As the final step, the phishing page is located on one of the compromised WordPress sites. Created using JavaScript, this page looks like a legitimate Microsoft login page that prompts for the person’s username and password.

Image: Check Point Research

To elude security alerts or blocks, the attackers reached into a clever bag of tricks. Using an Oxford email server to send the initial email helped them bypass reputation filters. The links within the email pointed to a legitimate domain owned by Samsung. And a series of redirects resulted in a concealed phishing page.

Image: Check Point Research

“What first appeared to be a classic Office 365 phishing campaign turned out to be a masterpiece strategy: using well-known and reputable brands to evade security products on the way to the victims,” Lotem Finkelsteen, Check Point manager of threat intelligence, told TechRepublic. 

“Nowadays, this is a top technique to establish a foothold within a corporate network. Access to corporate mail can allow hackers unlimited access to a company’s operations, such as transactions, finance reports, sending emails within the company from a reliable source, passwords, and even addresses of a company’s cloud assets. To pull the attack off, the hacker had to gain access to Samsung and Oxford servers, meaning he had time to understand their inner workings, allowing him to go unnoticed.”

To protect yourself against phishing attacks that exploit Microsoft 365 and other cloud services, Check Point offers three tips:

  1. Use different passwords for your cloud application. Segregation protects your assets when one is exposed.
  2. Use cloud and mail security solutions. The fact that these campaigns thrive proves that native security solution are easy to bypass. Use cloud and mail security solutions to remove threats to your email and to protect your cloud infrastructure.
  3. Don’t enter your credentials when you didn’t expect to do it. Often, it’s a scam in disguise.

Roger Grimes, data driven defense evangelist for KnowBe4, also has some advice to share.

“Phishing emails sent from a compromised trusted third party have been on the rise for at least two years,” Grimes said. “When I talk to CIOs, they say this is the type of phishing email that they see increasing the most and the one that worries them the most. Traditional anti-phishing advice like ‘Don’t trust email coming from people you don’t know’ or ‘Don’t open file attachments from people you don’t know’ doesn’t work. These days, phishing emails are coming from people and brands you trust and have ongoing relationships with.”

To combat these latest phishing threats, Grimes suggests the following steps:

  1. Educate users about these types of attacks coming from compromised trusted third parties.
  2. Implement Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM), and DMARC to ensure that the sending domain in the email is really the domain it is coming from.
  3. Educate users to care more about the particular request than the sending party it is from. If the request is unexpected and requesting an action never requested before, then it should be considered suspicious and investigated more before performing the requested action.
  4. Most of these types of phishing emails have “stressor events” in them, telling the user they need to do something immediately, or else something irreversibly bad will happen. Teach end users to be suspicious of all emails containing stressor events. If an email arrives saying you need to act quickly, that’s the time to stop and think before you act.
  5. Lastly, tell users to call the legitimate sender when something seems unusual. Make it a policy. They should call using pre-defined phone numbers and not rely on any phone numbers or contact information in the email.

Microsoft Weekly Newsletter

Be your company’s Microsoft insider by reading these Windows and Office tips, tricks, and cheat sheets.
Delivered Mondays and Wednesdays

Sign up today

Also see