Threat Intelligence

    Attackers Use Well-Known Infrastructure for Credential Harvesting  

    Mimecast’s Threat Research team has noticed an increase in attackers using well-known infrastructure to trick users into providing their personal credentials.  

    by Meni Farjon
    GettyImages-905771390-1200px.jpg

    Key Points

    • Credential harvesting is proving to be very profitable for cybercriminals, leading to a rise in attacks.
    • Cybercriminals are increasing their use of well-known infrastructure to harvest credentials.
    • Secure email gateways are uniquely positioned to stop these types of attacks.

     

    Editor’s note: Mimecast researcher Nir Steinfeld is credited with this discovery. 

    Stolen credentials are one of the most effective and common methods for breaching an organization’s defenses. Malicious actors steal these credentials through credential harvesting attacks, often via email phishing. Once in their possession, user credentials are used to gain easy access to systems or can even be traded or sold on the dark web to fund further malicious activities. 

    As part of their online attack efforts, cybercriminals deploy phishing websites, which is where users are taken to when they click on the malicious links in the phishing emails they receive. These fake sites, which often mimic real, well-known sites are where users put in their credentials, only to have them stolen. 

    These phishing websites were originally hosted on suspicious domains that are more likely to be rather easily detected by most security tools.

    To combat having their malicious websites discovered so easily, cybercriminals utilize infrastructure provided by well-known companies to hide the source of their webpages and make them seem like they use legitimate domains and certificates.

    Recent Mimecast threat research conducted by Nir Steinfeld detected a large campaign – over 10,000 webpages in less than a month – that takes advantage of Google infrastructure to bypass security layers, reach users, and then trick them into giving away their personal credentials.

    The campaign took place all over the world, including Europe, South Africa, the U.S., and Australia.

    The Technique

    Google Translate provides an online service for website translations. Providing a URL, it returns an identical webpage with its text translated to a desired language.

    Figure 1: Google Translate’s websites translation feature

    For example, a user can enter the URL for Der Spiegel, a German weekly news magazine, and get the whole page translated to any of the languages Google Translate supports.

    Figure 2: www.spiegel.de