In this attack, attackers are impersonating a Twitter security notification email, and the links contained in the email lead to a website used to phish user credentials.
This attack was targeted towards a specific individual who works at an organization that heavily leverages Twitter. This attack was intended to steal this individual’s Twitter credentials, and it is exactly this type of attack – never-before-seen, highly targeted, and sophisticated – that Abnormal Security’s solution is designed to detect and stop.
Quick Summary of Attack Target
Platform: Office 365
Email Security Bypassed: Proofpoint
Mailboxes: 5,000 to 15,000
Payload: Malicious Link
What was the attack?
- Setup: This attack impersonates an automated message from Twitter in order to steal user credentials.
- Email Attack: In this attack, the attacker impersonates a security notification email from Twitter. The sender email contains the Twitter brand name in the domain. The message states that there may have been a malicious login on the user’s account, and that to protect their account they must log in from the link provided.
- Payload: The link is wrapped with text and redirects twice. The first redirect is hosted on a dynamic DNS service, and the second redirect is hosted by a recently-registered anonymous domain that impersonates the Twitter landing page. The landing page is identical to the legitimate Twitter login page, and the domain contains the Twitter brand name as well.
- Result: If the user inputs their login credentials, the attacker can utilize this information to compromise the account.
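The indicators in the description above (a brand name in the sender domain, a link whose visible text hides its destination, a two-hop redirect chain through a dynamic DNS host, and a recently registered lookalike landing domain) can each be checked mechanically. The script below is an added example written for this post, not Abnormal Security's product code: it parses a constructed sample message, walks a constructed redirect table that stands in for live HTTP 3xx lookups so it runs offline, and reports which of those indicators fire. The dynamic DNS suffix list is a hypothetical, non-exhaustive watchlist, and the registered-domain helper is deliberately naive (last two labels only).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Impersonated brand and its legitimate registered domain (assumption for the demo).
BRAND = "twitter"
LEGIT_DOMAINS = {"twitter.com"}
# Hypothetical, non-exhaustive watchlist of dynamic DNS suffixes, for illustration only.
DYNAMIC_DNS_SUFFIXES = ("ddns.net", "duckdns.org", "no-ip.org")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a href> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Normalise whitespace in the visible anchor text.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registered_domain(host):
    """Naive eTLD+1: the last two labels. Good enough here, wrong for ccTLDs like co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_dynamic_dns(host):
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def is_brand_lookalike(host):
    """Brand name appears in the hostname, but the registered domain is not the real one."""
    host = host.lower()
    return BRAND in host and registered_domain(host) not in LEGIT_DOMAINS


def follow_redirects(url, redirect_table, max_hops=5):
    """Walk a redirect chain. redirect_table is a constructed stand-in for issuing
    HEAD requests with redirects disabled and reading each Location header."""
    chain = [url]
    while chain[-1] in redirect_table and len(chain) <= max_hops:
        chain.append(redirect_table[chain[-1]])
    return chain


def assess_link(href, text, redirect_table):
    findings = []
    chain = follow_redirects(href, redirect_table)
    hosts = [urlparse(u).hostname or "" for u in chain]
    hops = len(chain) - 1
    if hops >= 2:
        findings.append(f"redirect chain of {hops} hops")
    for host in hosts:
        if is_dynamic_dns(host):
            findings.append(f"dynamic DNS host in chain: {host}")
        if is_brand_lookalike(host):
            findings.append(f"brand lookalike host: {host}")
    # Anchor text that is not itself a URL hides where the click really goes.
    if findings and not text.lower().startswith(("http://", "https://")):
        findings.append(f"destination concealed behind link text: {text!r}")
    return findings


def assess_sender(from_addr):
    domain = from_addr.rsplit("@", 1)[-1]
    if is_brand_lookalike(domain):
        return [f"sender domain impersonates brand: {domain.lower()}"]
    return []


def analyze_email(from_addr, html_body, redirect_table):
    parser = LinkExtractor()
    parser.feed(html_body)
    return {
        "sender": assess_sender(from_addr),
        "links": [
            {"href": href, "text": text, "findings": assess_link(href, text, redirect_table)}
            for href, text in parser.links
        ],
    }


# Constructed sample message mirroring the pattern described above (not the real email).
SAMPLE_FROM = "no-reply@twitter-security-alerts.example"
SAMPLE_HTML = """
<p>We detected a login to your account from an unrecognized device.</p>
<p><a href="http://click.tracker-one.example/go/1">Log in now to secure your account</a></p>
<p><b>How do I know an email is from Twitter?</b> Check that the sender address contains our name.</p>
"""
# Constructed redirect table: tracker -> dynamic DNS host -> lookalike landing page.
SAMPLE_REDIRECTS = {
    "http://click.tracker-one.example/go/1": "http://account-alert.ddns.net/r",
    "http://account-alert.ddns.net/r": "https://twitter-verify-login.example/login",
}

if __name__ == "__main__":
    report = analyze_email(SAMPLE_FROM, SAMPLE_HTML, SAMPLE_REDIRECTS)
    print("sender:", report["sender"])
    for link in report["links"]:
        print(link["href"], "->", link["findings"])
```

Each finding on its own is weak (legitimate mailers also hide URLs behind text and use tracking redirects), which is why the script reports them as a set rather than a verdict; the combination of a lookalike sender, a dynamic DNS hop and a lookalike final host is what separates this message from ordinary marketing mail, and a real pipeline would add domain age from WHOIS and a screenshot comparison of the landing page.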
Why is this attack effective?
- Urgency: By masquerading as a security notification, the attacker injects a sense of urgency into the correspondence. The user’s main focus is to ensure the protection of their account, rather than dwelling on whether or not the email itself is authentic. Because the link is concealed behind text, the user may hastily click it to protect their account without realizing that it leads to a fake Twitter login page.
- Convincing Email and Landing Page: The email appears to be an automated notification, and the fake landing page closely resembles Twitter’s actual login page. By impersonating a security notification email, the attacker gains credibility with the user: because the email warns the recipient about a “bad” login, the recipient assumes the email itself is “good”. The section of the email titled “How do I know an email is from Twitter?” is crafted by the attacker to legitimize the message and further fool the target.
- Targeted Attack: This attack is highly sophisticated and unique in that it targets a specific individual in this organization. This type of attack has not been seen anywhere else, and the domain of the payload link was not flagged as malicious by many search engines. Compared to the social media phishing campaigns Abnormal highlighted in a previous blog post, this particular attack stands out for how selectively its recipient was chosen.