Learning to phish: Increasing abuse of online education platforms

Welcome to the January edition of Cyber Adviser, a monthly readout of insights and expert analysis from the CyberCX Intelligence desk.

December by the numbers

Learning to phish: Increasing abuse of online education platforms

In December, we observed a threat actor abusing an online learning platform to impersonate and phish Australian and global organisations. The activity dated back to at least March 2021. The threat actor likely impersonated at least 12 Australian organisations and compromised mailboxes and web infrastructure related to other Australian organisations. Australia was targeted most heavily, with the legal services and construction sectors most impacted. We also observed targeting in the US. CyberCX notified impacted organisations.

This is not the first time CyberCX Intelligence has seen online learning platforms used in phishing campaigns. In June 2022, we helped disrupt a phishing campaign involving a different online learning platform. Phishing-focused threat actors are likely to continue to seek out online learning providers in future for free hosting. By using popular, established services, threat actors can evade common phishing detection rules.

The December activity cluster also involved use of IPFS, a peer-to-peer file storage protocol, for credential phishing pages. CyberCX Intelligence has been tracking increased use of IPFS for hosting malware payloads and phishing pages. We expect this trend will increase in 2023. IPFS offers threat actors takedown-resistant hosting and the ability to launch attacks without revealing their infrastructure. We recommend that organisations without an explicit business need for access to IPFS block or monitor connections to IPFS gateways at the domain level.

The limits of multifactor authentication (MFA): The rise of commodity info-stealing malware

AUNZ organisations and individuals increasingly use MFA to harden their defences, but cyber criminals are rapidly adapting. One way they are doing this is through the rise of commodity info-stealing malware. Info-stealing malware can steal passwords as well as user session tokens stored on infected computers’ browsers, which in some cases can then be used by attackers to bypass MFA. Info-stealing malware has become highly commoditised, available to buy as-a-service on cybercrime forums and chat groups.

CyberCX Intelligence has been tracking a substantial increase of info-stealing malware sales and use in follow-on attacks since early 2022. In mid-December, we observed threat actors advertising RisePro, a new type of information-stealing malware, on a Russian cybercrime forum. To protect against info-stealing malware, individuals should stop saving passwords in their internet browser and regularly clear browser cookies.

Higher-tier threat actors often dump info-stealing logs online after they’ve been reviewed or exploited to raise their profile among other criminals. This practice further increases the availability and lowers the cost of stolen credentials, increasing risk to AUNZ organisations. In November, CyberCX Intelligence observed a threat actor advertising 480,000 ‘master passwords’ from a commonly-used password manager for under AU$10 on Breach Forums, a cybercrime forum. We assess it is highly likely that the threat actor obtained these passwords from a dump of credentials stolen using RedLineStealer, an info-stealing malware distributed by multiple threat actors.

The growth of commodity info-stealing malware follows other recent advances in the cybercrime-as-a-service industry, which is increasing threat actors’ efficiency at subverting common cyber security controls. For example, since at least June 2021, threat actors have been advertising a two-factor authentication (2FA) and one-time-password (OTP) bypass service dubbed ParadiseOTP.

About CyberCX Intelligence

CyberCX Intelligence is a uniquely Australia and New Zealand focused capability, with unparalleled visibility into the AUNZ cyber threat landscape. Our intelligence leverages CyberCX’s significant operational and advisory experience including:

• Case files from incident responses managed by our Digital Forensics and Incident Response practice, the largest DFIR team in the region.
• Telemetry collected by our Managed Security Services practice across 100+ Australian and New Zealand client networks.
• Insights collected by our Security, Testing and Assurance practice across 3,000+ penetration tests annually.