Researchers Discover Sneaky Phishing Attacks on Credentials, Sold on Dark Web

A new type of PDF phishing attack has emerged, with analysts claiming that the attack originated from Western Africa based on the IP addresses evaluated during previous investigations. The attack embeds phishing URLs to the attached PDF that redirect users to a phishing platform that steal user credentials.

According to Silicon, dark web security specialists Flashpoint first discovered and investigated the newly emerged phishing attacks. Flashpoints analysts explained that the embedded links redirected users to credential-harvesting phishing sites that ultimately sold personal information on the dark web to anonymous buyers and criminals.

Ronnie Tokazowski, senior malware analyst at Flashpoint, particularly noted that business emails and accounts of professionals widely circulating on the internet and social media platforms such as Facebook, Twitter and LinkedIn are often targeted by the PDF phishing attack. Because attackers obtain necessary data to understand the identities of their victims, the phishing attack targets specific information that may be in demand in the dark web.

Some of the more valuable pieces of data being sold in the dark web include W-2 tax forms, credit card information, bank account data, and other personal information such as email addresses, names, addresses, phone numbers and social security numbers.

“In general, business email compromise (BEC) scams are widely viewed as a type of cybercrime that necessitates relatively minimal technical ability. Through source intelligence, Flashpoint identified a recent credential phishing campaign that had a low detection rate due to its simplicity,” Tokazowski said in an interview.

The investigation of Flashpoint led by Tokazowski revealed that 73 PDF phishing attacks were conducted by the same group of hackers between March 28 and August 8. Within a span of less than five months, Flashpoint analysts noted that the hacking group was able to target a wide range of businesses and individual victims including universities, software developers, technology startups, retailers, real estate companies, churches and engineering organizations. The method used by the hacking group was identical in all of its attacks, which involved a PDF phishing link that stole user credentials from professionals.

According to Tokazowski, some of the PDF links were carefully crafted to lead victims to login demanding phishing sites that required users to input their personal information before viewing the PDF.

Once the hacking group gathered necessary information from its victims such as email addresses and passwords, hackers then used the email accounts of their victims to send messages to the contacts of victims. While the accounts used to send PDF phishing links were not considered to be legitimate by email service providers, messages sent with the accounts of victims were considered to be legitimate by the contacts of the victims.

“If valid credentials were submitted, the actors behind the phishing campaign would harvest them. Once harvested, the threat actors would then use the compromised accounts to send phishing emails to victims’ contacts; the emails may have been viewed as “trusted” by email services given that they were coming from legitimate email accounts,” Tokazowski added.

In some instances, targeted phishing attacks on professionals and certain organizations can require more resources, expenses and time to carry out. But, information gathered in successful attacks can be sold in the dark web for a significant higher value, especially if the data can be used to blackmail victims in a direct manner.

Phishing attacks have proven to be an easy revenue generating source for hackers. Reports suggest that social media platform such as Facebook and Google also lost hundreds of millions of dollars due to phishing attacks. In March, Facebook and Google were tricked into paying a scammer that acted as a Taiwanese electronics supplier and the total sum amounted to over $100 million.

Dark web-involving phishing attacks can carry out operations at a much larger scale, with some analysts claiming that billions of US dollars have already been made in the sector.