
The Akamai Blog

Gone Phishing For The Holidays

Written by Or Katz and Amiram Cohen

Overview:

While our team, Akamai's Enterprise Threat Protector Security Research Team, monitored internet traffic throughout the 2017 holiday season, we spotted a widespread phishing campaign targeting users through an advertising tactic. During the six-week timeframe, we tracked thirty different domains with the same prefix: "holidaybonus{.}com". Each one advertised the opportunity to win an expensive technology prize: a free iPhone 8, PlayStation 4, or Samsung Galaxy S8.

The websites associated with this phishing campaign used a combination of social engineering techniques, such as creating trust (by borrowing the reputation of well-known companies) and dismantling suspicion (through a fake IP verification step and social sharing). They led users to willingly give away sensitive information by asking them to answer three trivia questions and submit their email address in order to win one of the offered prizes.

This campaign peaked over Christmas week, although the first signs of it date back to November 2017. A few of the websites involved in this campaign were still active at the time of publication.

Figure 1: Phishing domains traffic over time.

The identity behind those domains is unknown as they were registered with privacy protection. However, we know the majority of them were created on the same day: June 13, 2017. The creators most likely registered these domains months in advance to avoid the attention of security controls, and the association with malicious activity.

We discovered a relationship between the different phishing domains by using the Alexa Web Analytics platform, strengthening our assumption that all of these phishing domains are part of the same campaign. 

Figure 2: Alexa's upstream websites for holidaybonus{.}com-us2-jog1{.}sale-gadget-promotion{.}win (itself a phishing website)

The data also reveals significant upstream traffic from several legitimate websites that were redirecting to the phishing websites. We found no traces of spam URL links having been injected into those legitimate sites, which makes us suspect that the phishing campaign was distributed via a targeted advertising campaign.

The attack efficiency ratio (the share of targeted users among all sampled users) is very high. This was a widespread campaign, so wide that some of these phishing websites were listed among the top 50,000 websites in the U.S., according to the Alexa ranking.
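The thirty domains share a structure worth detecting on its own: the look-alike "holidaybonus.com" is only the first two subdomain labels, while the registered domain is something else entirely (for example sale-gadget-promotion.win). As an added example that is not part of the Akamai post, the following Python scans constructed DNS log lines (defanged with {.} as in this post) and flags hostnames that embed a fake "brand.tld-" prefix in this way; the two-label approximation of the registered domain is an assumption made for this example, where a production tool would consult a public-suffix list.

```python
import re

# Constructed sample DNS log lines (not real traffic), defanged with {.}.
SAMPLE_LOG = """\
2017-12-24T10:01:02Z client=10.0.0.5 qname=holidaybonus{.}com-us2-jog1{.}sale-gadget-promotion{.}win
2017-12-24T10:01:09Z client=10.0.0.5 qname=www{.}example{.}com
2017-12-24T10:02:11Z client=10.0.0.7 qname=holidaybonus{.}com-us4-jog3{.}sale-gadget-promotion{.}download
2017-12-24T10:03:40Z client=10.0.0.9 qname=mail{.}example{.}org
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+)$")
# Heuristic: a label that starts with a TLD-looking token and a hyphen
# ("com-us2-jog1") makes the preceding label read as "brand.com" to a viewer.
FAKE_TLD_LABEL = re.compile(r"^(com|net|org|co|io|gov|edu)-")

def refang(name):
    """Turn a defanged indicator (a{.}b) back into a plain lowercase hostname."""
    return name.replace("{.}", ".").strip(".").lower()

def registered_domain(host):
    """Two-label approximation of the registered domain (assumption for this
    example: no public-suffix list is consulted)."""
    return ".".join(host.split(".")[-2:])

def embedded_brand(host):
    """Return the look-alike 'brand.tld' a visitor sees at the start of the
    hostname, or None when the hostname does not use the prefix trick."""
    labels = host.split(".")
    for i in range(1, len(labels) - 1):  # never inspect the real TLD label
        m = FAKE_TLD_LABEL.match(labels[i])
        if m:
            return f"{labels[i - 1]}.{m.group(1)}"
    return None

def scan_log(text):
    """Return one finding per query whose hostname embeds a fake brand prefix."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        host = refang(m["qname"])
        brand = embedded_brand(host)
        if brand:
            findings.append({"ts": m["ts"], "client": m["client"], "host": host,
                             "looks_like": brand,
                             "actual_domain": registered_domain(host)})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} {f['host']} looks like {f['looks_like']} "
              f"but is really under {f['actual_domain']}")
```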

The Art of Deception

Phishing is all about the art of deception: making users feel that the experience is genuine and authentic. As mentioned earlier, this particular campaign had several steps that led users to willingly share sensitive information with the malicious actors behind the campaign. We review each one below.

Step 1 - The Audio Greeting

In order to get the user's attention, the phishing landing page contains an audio message announcing that the user has been selected as a potential winner.

Figure 3: Greeting page with audio announcement

The phishing campaign is branded (we have redacted identifying information in this post) so that it appears to be operating on behalf of a well-known computer software company. Borrowing the software company's reputation makes users trust that it is a legitimate promotion.

Step 2 - The Quiz

In order to "win" one of the prizes, the user is prompted to answer three multiple-choice questions:

  1. Who founded the computer software company?
  2. Where is the headquarters of the computer software company located?
  3. When was the computer software company founded?

In order to maintain the sense of trust with the user, each question appears with a result bar, highlighting the answers from other people who have also answered the question.

Figure 4: The quiz

However, even if a user submits a wrong answer, the site will mark it correct, showing us there are only "winners" in this experience.

Step 3 - The Win

Once the quiz is finished, the user is given a prompt to select a "treasure box" containing their prize.

In another bid to create a genuine sense of functionality for the contest, the website runs through a checklist that appears to be verifying your information. It supposedly verifies the user's IP address to ensure they haven't already entered the contest, and displays a "No previous records of your IP address found" message.

Figure 5: Treasure box winner

Regardless of the "treasure box" selected, the winning prize is always an iPhone 8. This is important to note, since the site that users are redirected to after submitting their email address always indicates that they won an iPhone.

Phishing Success - Giving Sensitive Information

When user excitement and trust are at their highest level, bad actors typically ask users to give away sensitive information. In this campaign, it is their email address in exchange for the "prize". These email addresses will most likely be sold and later used by other bad actors.

Figure 6: Information required to claim the prize

Additional Tactics I - The Socialization

The landing page of this campaign also includes reviews from "other users" saying they won and received prizes, to make users feel like they are dealing with a legitimate experience. Using fake aliases with pictures of the actual "prize" is a technique that appears to satisfy the need for validation.

Figure 7: Fake winners' comments and pictures.

Additional Tactics II - Double Trouble

When we examined the URL of the phishing website, we noticed that its query parameters contained part of the same "greeting message", which showed that the message could be customized through the URL.

Further inspection of those parameters revealed that the phishing website is itself vulnerable to a Cross-Site Scripting (XSS) attack: malicious JavaScript can be injected through the parameters and executed in the victim's browser, turning the page into double trouble.

Figure 8: XSS "Hello World" Example on phishing website

Summary

Phishing attacks have been a part of the threat landscape for many years now, but the analysis above shows that these attacks are here to stay. We can see that threat actors are becoming much more sophisticated: gaining their victims' trust, staying under the detection radar, and figuring out how to create an effective, long-lived phishing campaign.

Phishing campaigns like this one are common and have been spotted numerous times in the past. These types of campaigns admittedly tend to pose limited risks to users, especially when compared to phishing campaigns that result in the targeted users downloading malware or having their login credentials stolen.

Nevertheless, despite the smaller risk, campaigns like these should not be overlooked or dismissed. Malicious actors who steal personal information, including email addresses, can use that information to execute email spam campaigns with the eventual intention of infecting users with ransomware or other types of malware. In addition, once cybercriminals have some basic information about people, it can be used to launch subsequent attacks to gather additional personal data that they can either use or sell.

As tempting as those "holiday bonus" websites are, consumers should be educated to spot these tactics so they can avoid providing personal information to fake sites. And if a user falls victim to one of these schemes and gives away their email address, they should understand the need to take extra precautions when reviewing emails and avoid clicking on links or attachments that arrive from unknown senders.

As an industry, we should join hands and fight back against such campaigns and share findings on these threats, take down the websites, and eliminate malicious advertisement campaigns as they sprout.

Social engineering scams like these, and others, are an unfortunately frequent offender in the current threat landscape. Being able to identify, block, and mitigate these threats in advance is now a critical requirement for any enterprise security team.

IOCs

Domains:
