{"id":51951,"date":"2024-08-09T13:38:05","date_gmt":"2024-08-09T17:38:05","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=51951"},"modified":"2024-08-09T13:38:05","modified_gmt":"2024-08-09T17:38:05","slug":"phishing-as-a-service-onnx-marketplace","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/phishing-as-a-service-onnx-marketplace\/51951\/","title":{"rendered":"Automated phishing"},"content":{"rendered":"<p>Researchers have discovered a <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/onnx-phishing-service-targets-microsoft-365-accounts-at-financial-firms\/\" target=\"_blank\" rel=\"nofollow noopener\">phishing marketplace called ONNX Store<\/a>, which gives cybercriminals access to tools for hijacking Microsoft 365 accounts, including a means for bypassing two-factor authentication (2FA). This enables threat actors to crank out phishing attacks on both Microsoft 365 and Office 365 email accounts. Corporate information security teams should be aware of this threat and tool up with anti-phishing protection. Let\u2019s take a closer look at the danger\u2026<\/p>\n<h2>A malicious attachment with a QR code and 2FA bypass<\/h2>\n<p>The researchers\u2019 report describes an attack using ONNX Store phishing tools that targets employees of several financial institutions. First, the victims receive emails seemingly from their HR departments on the topic of remuneration as bait.<\/p>\n<p>The emails contain PDF attachments containing a QR code to be scanned in order to gain access to a \u201csecure document\u201d with \u201cvital information\u201d about the recipient\u2019s salary. The idea here is to get the victim to open the link not on a work computer \u2014 which most likely has anti-phishing protection, but on a personal smartphone \u2014 which may well not.<\/p>\n<p>The link opens a phishing site mimicking a Microsoft 365 login page. 
Here, the victim is asked to enter their username and password, followed by a one-time 2FA code.<\/p>\n<div id=\"attachment_51953\" style=\"width: 1311px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/08\/09133534\/phishing-as-a-service-onnx-market-2.png\"><img decoding=\"async\" aria-describedby=\"caption-attachment-51953\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/08\/09133534\/phishing-as-a-service-onnx-market-2.png\" alt=\"Phishing page mimicking the Microsoft 365 login portal\" width=\"1301\" height=\"1060\" class=\"size-full wp-image-51953\"><\/a><p id=\"caption-attachment-51953\" class=\"wp-caption-text\">The fake Microsoft login page prompts victims to enter their credentials and a one-time 2FA code. <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/onnx-phishing-service-targets-microsoft-365-accounts-at-financial-firms\/\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>All of this information of course goes straight to the attackers. One-time 2FA codes usually have a very short lifespan \u2014 often just 30 seconds. Therefore, to speed up delivery of information, the phishing kit uses the WebSocket protocol, which provides real-time communication.<\/p>\n<p>Armed with the stolen credentials and still-valid code, the attackers immediately log in to the account and gain full access to the victim\u2019s correspondence. This access can then be exploited for <a href=\"https:\/\/www.kaspersky.com\/blog\/what-is-bec-attack\/34135\/\" target=\"_blank\" rel=\"noopener nofollow\">business email compromise (BEC)<\/a> and other attacks.<\/p>\n<h2>Phishing-as-a-service: plenty of phish in the sea<\/h2>\n<p>The hub of this phishing operation is the Telegram instant messenger. 
ONNX Store embraces automation to the fullest \u2014 all interaction with users is through Telegram bots.<\/p>\n<p>Its creators provide phishing services on a subscription basis. The prices are quite low: for example, a monthly subscription for harvesting Microsoft 365 account passwords would cost a potential attacker $200 without a 2FA bypass \u2014 $400 with it.<\/p>\n<p>Even small-time cybercriminals can afford that. For this modest investment, they get access to a set of finely tuned phishing tools. All they have to do is select an attackable target and devise a monetization scheme.<\/p>\n<h2>How to protect your organization against advanced phishing<\/h2>\n<p>It\u2019s the low entry threshold that makes the phishing-as-a-service model such a threat: the circle of cybercriminals with dangerous tools at their disposal becomes much wider. Therefore, we strongly advise that you take preemptive measures against an advanced phishing attack on your organization. Here\u2019s what we recommend:<\/p>\n<ul>\n<li>Consider using <a href=\"https:\/\/www.kaspersky.com\/blog\/types-of-two-factor-authentication\/48446\/#fido-u2f\" target=\"_blank\" rel=\"noopener nofollow\">FIDO U2F hardware tokens<\/a> (also known as YubiKeys) or <a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-set-up-passkeys-in-google-account\/49515\/\" target=\"_blank\" rel=\"noopener nofollow\">passkeys<\/a> for 2FA. These tools negate even the most sophisticated covert phishing attacks.<\/li>\n<li>Deploy a <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security\/cloud?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kescloud___\" target=\"_blank\" rel=\"noopener nofollow\">reliable security solution<\/a> with anti-phishing protection on all corporate devices, including smartphones and tablets.<\/li>\n<li>Conduct regular security-awareness training so that employees learn to recognize and deal with suspicious emails. 
Our interactive <a href=\"https:\/\/k-asap.com\/en\/?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">Kaspersky Automated Security Awareness Platform<\/a> provides everything you need on this and more.<\/li>\n<\/ul>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kes-cloud\">\n","protected":false},"excerpt":{"rendered":"<p>Telegram bot sells subscriptions to phishing tools to hack Microsoft 365 accounts, including 2FA bypass.<\/p>\n","protected":false},"author":2726,"featured_media":51952,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3051],"tags":[1218,3146,2141,19,4600,2816,187,390,76,1557,422],"class_list":{"0":"post-51951","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-2fa","10":"tag-account-hijacking","11":"tag-business","12":"tag-email","13":"tag-microsoft-365","14":"tag-office-365","15":"tag-passwords","16":"tag-pdf","17":"tag-phishing","18":"tag-qr-codes","19":"tag-threats"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/phishing-as-a-service-onnx-marketplace\/51951\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/phishing-as-a-service-onnx-marketplace\/27862\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/phishing-as-a-service-onnx-marketplace\/23157\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/phishing-as-a-service-onnx-marketplace\/30506\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/phishing-as-a-service-onnx-marketplace\/28038\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/phishing-as-a-service-onnx-marketplace\/38028\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/phishing-as-a-service-onnx-marketplace\/28177\/"
},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/phishing-as-a-service-onnx-marketplace\/33972\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/phishing-as-a-service-onnx-marketplace\/33634\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/phishing\/","name":"phishing"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/51951","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2726"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=51951"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/51951\/revisions"}],"predecessor-version":[{"id":51955,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/51951\/revisions\/51955"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/51952"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=51951"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=51951"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=51951"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}