Microsoft Warns of TodayZoo Phishing Kit Used in Extensive Credential Stealing Attacks (Security News, October 2021)
Microsoft on Thursday disclosed an "extensive series of credential phishing campaigns" that take advantage of a custom phishing kit that stitched together components from at least five different widely circulated ones with the goal of siphoning user login information.
Phishing kits, often sold for one-time payments in underground forums, are packaged archive files containing images, scripts, and HTML pages that enable a threat actor to set up phishing emails and pages, using them as lures to harvest and transmit credentials to an attacker-controlled server.
The TodayZoo phishing campaign is no different in that the sender emails impersonate Microsoft, claiming to be password reset or fax and scanner notifications, to redirect victims to credential harvesting pages.
Where it stands out is the phishing kit itself, which is cobbled together out of chunks of code taken from other kits - "some available for sale through publicly accessible scam sellers or are reused and repackaged by other kit resellers."
Specifically, large parts of the framework appear to have been lifted generously from another kit, known as DanceVida, while imitation and obfuscation-related components significantly overlap with the code from at least five other phishing kits such as Botssoft, FLCFood, Office-RD117, WikiRed, and Zenfo.
"This research further proves that most phishing kits observed or available today are based on a smaller cluster of larger kit 'families,'" Microsoft's analysis read. "While this trend has been observed previously, it continues to be the norm, given how phishing kits we've seen share large amounts of code among themselves."