Microsoft Defender uncovers new multi-stage phishing attack

June 15, 2023

Microsoft Defender Experts have uncovered a new multi-stage phishing attack targeting banking and financial institutions. The attack, which is believed to be the work of a threat actor known as Storm-1167, uses a variety of techniques to compromise user accounts and steal sensitive financial information.

The attack starts with a technique called AiTM (adversary-in-the-middle). The attacker tricks users into visiting a fake website that looks like a legitimate service’s login page. By doing this, they can steal sensitive information like usernames, passwords, and credit card details.

The attacker tricks the user by sending an email with a harmful link. When the user clicks the link, they are taken to a fake login page that looks real. If the user enters their login information, the attacker can steal their account details, like passwords and Social Security numbers. They can also install malware on the user’s computer to gather more information, such as credit card numbers and bank statements.

To control the victim’s account longer, the attacker changes the account settings and adds a new authentication method without needing to re-authenticate. Then, they target the victim’s contacts by launching a large-scale phishing campaign.

The attacker uses information from previous emails to make the phishing emails seem legitimate. They even resend to skeptical recipients, falsely confirming the emails’ legitimacy. To avoid detection, they systematically delete undelivered and out-of-office replies.
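The chain described above (an authentication method added mid-session, a large outbound mailing, then cleanup of bounce and out-of-office replies) can be correlated in mailbox and identity audit data. The following is an added example, not code from Microsoft or the article. The event schema, field names, subject prefixes and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, normalized audit events (hypothetical schema, not a real product's log format).
EVENTS = [
    {"t": "2023-06-01T09:00:00", "user": "alice", "session": "s1", "action": "sign_in"},
    {"t": "2023-06-01T09:02:00", "user": "alice", "session": "s1", "action": "auth_method_added"},
    {"t": "2023-06-01T09:30:00", "user": "alice", "session": "s1", "action": "mail_sent", "recipients": 400},
    {"t": "2023-06-01T09:31:00", "user": "alice", "session": "s1", "action": "mail_deleted",
     "subject": "Undeliverable: Invoice"},
    {"t": "2023-06-01T09:32:00", "user": "alice", "session": "s1", "action": "mail_deleted",
     "subject": "Automatic reply: Invoice"},
    # Benign: a user adds a method and sends ordinary mail.
    {"t": "2023-06-01T10:00:00", "user": "bob", "session": "s2", "action": "auth_method_added"},
    {"t": "2023-06-01T10:05:00", "user": "bob", "session": "s2", "action": "mail_sent", "recipients": 2},
    {"t": "2023-06-01T10:06:00", "user": "bob", "session": "s2", "action": "mail_deleted", "subject": "Lunch"},
    # Benign: a newsletter sender who tidies auto-replies but changed no auth settings.
    {"t": "2023-06-01T11:00:00", "user": "carol", "session": "s3", "action": "mail_sent", "recipients": 500},
    {"t": "2023-06-01T11:10:00", "user": "carol", "session": "s3", "action": "mail_deleted",
     "subject": "Automatic reply: News"},
]

REPLY_PREFIXES = ("undeliverable", "automatic reply")  # assumed subject prefixes
WINDOW = timedelta(hours=24)                           # assumed correlation window
SEND_THRESHOLD = 50                                    # assumed recipient count for "large-scale"

def detect(events):
    """Return sorted (user, session) pairs where a new auth method is followed,
    inside WINDOW and the same session, by bulk sending and reply cleanup."""
    sessions = defaultdict(list)
    for e in events:
        sessions[(e["user"], e["session"])].append(e)
    hits = []
    for key, evs in sessions.items():
        times = [datetime.fromisoformat(e["t"]) for e in evs if e["action"] == "auth_method_added"]
        if not times:
            continue
        start = min(times)
        later = [e for e in evs if start <= datetime.fromisoformat(e["t"]) <= start + WINDOW]
        sent = sum(e.get("recipients", 0) for e in later if e["action"] == "mail_sent")
        cleaned = sum(1 for e in later if e["action"] == "mail_deleted"
                      and e.get("subject", "").lower().startswith(REPLY_PREFIXES))
        if sent >= SEND_THRESHOLD and cleaned >= 1:
            hits.append(key)
    return sorted(hits)

if __name__ == "__main__":
    print(detect(EVENTS))
```

Each signal alone is common in normal use; the alert fires only when all three occur in one session.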

The sources for this piece include an article in TechRepublic.

Jim Love

Jim is an author and podcast host with over 40 years in technology.
