Phishing Attack: Operation Pawn Storm and Microsoft Outlook


Fresh on the heels of the recently disclosed zero-day in its software, Microsoft is in the security headlines again, this time because one of its products is the lure in a phishing campaign. In a detailed report, Trend Micro dissects the campaign it calls "Operation Pawn Storm," which targets specific organizations for economic and political ends. The largest and best-known targets include ACADEMI, a U.S. private military contractor; Science Applications International Corporation (SAIC), an information technology and defense contractor; and the Organization for Security and Co-operation in Europe (OSCE), all of which were attacked through their Microsoft Outlook Web Access (OWA) logins.

According to the report, "the threat actors used three attack vectors – spear phishing emails with malicious attachments, an advanced network of phishing websites, and exploits injected into legitimate Polish websites." Setting aside the compromised Polish websites, which served exploits rather than lures, the playbook for the webmail phishing is as follows. The attackers email targets links to phishing websites whose names are crafted to resemble well-known conferences or media companies. The decoy site looks legitimate, but opening it leads to the "execution of a non-malicious JavaScript": the script contains no exploit, but it rewrites the victim's already-open Outlook Web Access tab so that it shows a phishing page designed to look like part of OWA.

This step-by-step trick works largely because the fake page tells users that their Outlook session has expired and prompts them to re-enter their login name and password, which go straight to the attackers. The SEDNIT backdoor belongs to the separate spear-phishing vector: it arrives in a malicious attachment and, once installed, notifies its command-and-control server before installing a keylogger and stealing further information. Either way, the victim's entire mailbox is available to explore and exploit.
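The tab-rewriting trick described above is what the browser world calls reverse tabnabbing: a page opened from a link keeps a handle to the tab that opened it (`window.opener`) and can change that tab's location. The following Node.js simulation is an added example, not code from the original article or from Trend Micro's report; the hostnames are hypothetical and the `makeTab`/`openFromLink` helpers are a stand-in for real browser tabs. It shows the attacker-side script, the `rel="noopener"` defence that removes the opener handle, and the origin check a user (or extension) should apply before typing credentials into any "session expired" page.

```javascript
// Added example: simulated reverse tabnabbing against an OWA tab (Node.js).
// Hostnames below are hypothetical placeholders, not domains from the report.
const REAL_OWA = "https://mail.example-org.com/owa/";
// Lookalike host that merely begins with the real one.
const FAKE_OWA = "https://mail.example-org.com.auth-session.example/owa/";

// Minimal stand-in for a browser tab: a mutable location object.
function makeTab(url) {
  return { location: { href: url } };
}

// A link click with target="_blank": the new tab receives a reference to the
// tab it was opened from unless the link carried rel="noopener".
function openFromLink(victimTab, url, rel = "") {
  const noopener = /\bnoopener\b/i.test(rel);
  return { location: { href: url }, opener: noopener ? null : victimTab };
}

// Attacker-side script on the decoy "conference" site. It exploits no bug; it
// only uses the opener handle the browser hands out, and navigates that tab
// (where OWA is open) to the fake login page.
function decoyScript(decoyTab, phishingUrl) {
  if (!decoyTab.opener) return false; // rel="noopener" or not opened via link
  decoyTab.opener.location.href = phishingUrl;
  return true;
}

// Defender-side: rewrite outbound links in rendered HTML (e.g. a mail client's
// sanitizer) so that new tabs never get an opener handle.
function hardenLinks(html) {
  return html.replace(/<a\b([^>]*?)target=["']_blank["']([^>]*)>/gi, (m, before, after) => {
    const attrs = before + after;
    if (/\brel=["'][^"']*\bnoopener\b/i.test(attrs)) return m; // already safe
    const relMatch = /\brel=["']([^"']*)["']/i.exec(attrs);
    if (relMatch) {
      return m.replace(relMatch[0], `rel="${relMatch[1]} noopener noreferrer"`);
    }
    return `<a${before}target="_blank" rel="noopener noreferrer"${after}>`;
  });
}

// The check to make before re-entering a password: the page asking for it must
// sit on the organisation's real OWA origin, not a lookalike.
function isRealOwa(tab) {
  return new URL(tab.location.href).origin === new URL(REAL_OWA).origin;
}

// Run the whole exchange: victim has OWA open, clicks a decoy link, decoy
// script fires. Returns what happened to the OWA tab.
function simulate(rel) {
  const victim = makeTab(REAL_OWA);
  const decoy = openFromLink(victim, "https://conference-decoy.example/agenda", rel);
  const hijacked = decoyScript(decoy, FAKE_OWA);
  return { hijacked, owaTabUrl: victim.location.href, safeToLogin: isRealOwa(victim) };
}

console.log("plain link:   ", simulate(""));
console.log("noopener link:", simulate("noopener"));
```

With a plain `target="_blank"` link the OWA tab ends up on the lookalike host and `isRealOwa` returns false; with `rel="noopener"` the decoy has no handle and the OWA tab is untouched. Current browsers imply `noopener` for `target="_blank"` by default, which is why this variant is far less effective today than in 2014, but links that call `window.open` explicitly or pass `opener` still need the same care.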

Furthermore, what makes the webmail attacks particularly effective is that they work in any browser (Firefox, Safari, Chrome, Internet Explorer), require no software vulnerability, and exploit the fact that companies often let employees reach their official mailboxes through webmail interfaces exposed to the public internet. The campaign, which Trend Micro traces back to at least 2007, can be expected to continue in some form.
