Linked in, phishing, oh my!

Following yesterday’s podcast, this article couldn’t have come at a better time. While it isn’t directly on yesterday’s topic of shopping and domains, two .icu domains and one .com domain are being used as part of a redirect chain, as discussed in the article.

People are getting fake messages telling them that they have been invited to join a board of directors. When they click the link, they’re redirected and asked to open a file, which doesn’t open as expected.

Redirect chain used in the phishing attack

Jaws Picture smart says:

The image shows a timeline of browser activity with several entries. It starts with a tab opened on “chrome://newtab/”. Then, navigation to a LinkedIn URL with a redacted profile link. Next, the user is redirected to a Google URL, also redacted. The user navigates multiple times to various URLs including “www.google.com”, “payrails-canaccord.ico”, and “firebasestorage.googleapis.com,” all with redacted paths. The timeline ends with navigation to a login page at “login.kggpho.ico” with a redacted query. There is a “Show all” option at the bottom.

The JRN’s Jared Rimer went to firebasestorage.googleapis.com to see if there was a main page to learn more about the supposed API, and got a 404 page from Google.

Some of the malicious domains used in this campaign, seen by Push Security and BleepingComputer, include payrails-canaccord[.]icu, boardproposalmeet[.]com, and sqexclusiveboarddirect[.]icu.

The Firebase page pretends to be a “LinkedIn Cloud Share” portal containing various documents related to the board membership position and their responsibilities.

However, when attempting to click one of these documents, an alert appears stating that to access the document, they must click the “View with Microsoft” button.

The article continues:

According to Push, clicking on this button redirected the users again to login.kggpho[.]icu, where a Cloudflare Turnstile captcha was displayed. The researchers say this is used to block automated scanners before loading a fake Microsoft login page.

“Attackers are using common bot protection technologies like CAPTCHA and Cloudflare Turnstile to prevent security bots from accessing their web pages to be able to analyse them (and therefore block pages from being automatically flagged),” explains Push Security.

“This requires anyone visiting the page to pass a bot check/challenge before the page can be loaded, meaning the full page cannot be analysed by automated tools.”

After solving the Cloudflare Turnstile, the visitor will see what appears to be a Microsoft authentication page, but is actually an Adversary-in-the-Middle (AITM) phishing page used to capture both credentials and session cookies.
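The chain described above (LinkedIn link, Google redirect, a lookalike .icu domain, a page hosted on Firebase storage, then a Turnstile-gated login page) is the kind of thing a defender can check for in proxy or browser-history data. The following is an added example, not code from the article, Push Security or BleepingComputer: it refangs the defanged domains the article lists, then walks a constructed redirect chain (built from the screenshot description, with REDACTED as placeholder paths) and reports which hops land on listed infrastructure and where they were referred from. Function names such as refang and analyse_chain are my own.

```python
import re
from urllib.parse import urlsplit

# Defanged indicators as they appear in the article (Push Security / BleepingComputer).
DEFANGED_IOCS = [
    "payrails-canaccord[.]icu",
    "boardproposalmeet[.]com",
    "sqexclusiveboarddirect[.]icu",
    "login.kggpho[.]icu",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxps://') back into its real form."""
    s = indicator.strip()
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", s)
    s = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("xx", "tt"), s, flags=re.I)
    return s.lower()


BLOCKLIST = {refang(i) for i in DEFANGED_IOCS}


def hostname(url: str) -> str:
    """Extract the lower-cased host from a URL, tolerating scheme-less input."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()


def is_listed(host: str, blocklist=BLOCKLIST) -> bool:
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in blocklist)


# Constructed sample: a browser-history style redirect chain modelled on the screenshot.
# The paths are placeholders; only the hosts matter for this check.
SAMPLE_CHAIN = [
    "chrome://newtab/",
    "https://www.linkedin.com/in/REDACTED",
    "https://www.google.com/url?q=REDACTED",
    "https://payrails-canaccord.icu/REDACTED",
    "https://firebasestorage.googleapis.com/v0/b/REDACTED",
    "https://login.kggpho.icu/?REDACTED",
]


def analyse_chain(chain, blocklist=BLOCKLIST):
    """Return every hop whose host is on the blocklist, with its position and the host before it."""
    hits = []
    for i, url in enumerate(chain):
        host = hostname(url)
        if is_listed(host, blocklist):
            previous = hostname(chain[i - 1]) if i > 0 else None
            hits.append({"hop": i, "host": host, "referred_from": previous})
    return hits


if __name__ == "__main__":
    for hit in analyse_chain(SAMPLE_CHAIN):
        print(f"hop {hit['hop']}: {hit['host']} (referred from {hit['referred_from']})")
```

Note the limitation this shows: the Firebase hop is on firebasestorage.googleapis.com, a legitimate Google host, so a domain blocklist will never flag it. Only the lookalike .icu domains on either side of it are caught, which is exactly why the attackers route through a trusted host and gate the final page behind Turnstile.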

Phishing page capturing Microsoft credentials

Picture smart for Jaws says:

The image shows a Microsoft sign-in webpage. At the top is the Microsoft logo, followed by a “Sign in” title. Below is a field to enter an email, phone, or Skype username. Beneath that are links labeled “No account? Create one!” and “Can’t access your account?”. A blue “Next” button is visible on the right side of the text field. At the bottom is a “Sign-in options” link with an icon next to it. The page background features a light, abstract design.

When the tool, which uses ChatGPT among other models, was asked what the URL might be, it replied:

The URL of the page is partially visible in the address bar at the top and reads:

“login.keggers.club” with “REDACTED” appended to the right.

According to the article, this is the second time that Push Security, the security company named above, has seen LinkedIn phishing like this.

To read the entire article, see LinkedIn phishing targets finance execs with fake board invites, and let us know your thoughts.

Have you seen things like this in your messages? If so, how did you react?


Discover more from The Technology blog and podcast