A persistent social engineering threat faced by enterprises involves attackers trying to obtain login credentials for identity and access management (IAM), cloud resources or single sign-on (SSO)-enabled systems. If successful, these entry points can allow broader access to an organization, leaving the potential for data theft and ransomware. We’ve observed a significant surge in 2024 in this type of phishing taking place over short message service (SMS), which is also sometimes referred to as smishing. The perpetrators often execute these attacks by creating domains that appear to be, for example, a legitimate one for a company’s human resources (HR) system. The perpetrators would appear to be the diverse group of threat actors under the umbrella name “The Com,” which is short for “The Community.” It’s a term that encompasses a geographically diverse group of individuals, primarily young actors operating mostly from Canada, the U.S. and the U.K., that engage or were coerced to engage in cybercriminal activities such as subscriber identity module (SIM) swapping, cryptocurrency theft, commissioning real-life violence, swatting and corporate intrusions. This online community was linked as the source for a variety of high-profile breaches that occurred over the last years and has overlapping elements with other vendors' research and intrusion clusters such as Scattered Spider, UNC3944, Octo Tempest and Muddled Libra.
These adversaries’ activities include launching SMS phishing campaigns, using social-engineering tactics to counter multifactor authentication (MFA), impersonating information technology (IT) staff and calling victims directly. Although the tactics often fail, the persistent attempts and constant refinement means that security controls are frequently tested. Since mid-2022, these attacks, which often target telecommunications companies, identity providers and the business process outsourcing (BPO) industry, have gained steady and increasing attention due to their volume. Also, the movement of some of these English-speaking threat actors into ransomware, specifically an affiliate relationship with the ALPHV aka BlackCat ransomware group, raised particular alarm.
We analyzed a multitude of phishing domains and their corresponding phishing pages, which revealed at least 20 companies across a variety of sectors have been targeted this year. This report explores these campaigns, identifies the strategies these actors employ to manage their phishing infrastructure and provides a deeper understanding of their operational methods. For the purposes of this public post, some of the specific technical information has been removed, but for more information, please contact Intel 471.
Phishing Infrastructure
From Jan. 1, 2024, to Feb. 10, 2024, we identified 35 new phishing sites associated with the latest campaigns. Our analysis of these sites involved a comprehensive examination of the resources they use. We frequently encountered unique identifiers within these resources that enabled us to discover additional web pages using the same phishing kit.
In one instance, we observed the kit pull resources directly from the Okta IAM provider's website. This kit integrates logotypes of the entities being impersonated and leverages a specific Okta Sign-In Widget JavaScript (JS) file. This file and other pivoting elements allowed us to compile a unique list of related phishing domains. The website’s Hypertext Transfer Protocol (HTTP) title prominently displays the “Sign In” information for visitors.
Analysis of the Hypertext Markup Language (HTML) pages that contain the sign-in form revealed the action attribute in the form element specifying the URL of the server-side script responsible for processing submitted data. When a user fills out the form and presses the “submit” button, the collected data is sent to a script via the "POST" HTTP method. Additionally, we observed the label "okta-signin-username" purposefully was associated with terms commonly used in legitimate login forms for company employees, such as “User ID,” “SSO ID” or “Username [LAN ID].” This observation suggests the attackers likely conducted preliminary research before creating the phishing pages, aiming to closely mimic the original login pages as much as possible to convincingly deceive employees.
After victims input their login details, they are requested to enter their Okta verification code on a subsequent page structured as https://[BRAND] + [LURE]/factor.html. The new page was designed to harvest MFA codes from victims via another POST request.
Another notable technical element used to track the subject phishing kit consisted of a URL at the bottom of the HTML pages listing a subdomain with an offensive word. Members of “The Com” are known for using inappropriate language while interacting with victim organizations.
Regarding the infrastructure services used, the individuals or groups orchestrating these campaigns predominantly relied on AS-Choopa. Adversaries very likely rented virtual private server (VPS) infrastructure from Vultr, Namecheap, DigitalOcean, BLNWX and Unified Layer to host the phishing infrastructure.
These actors used Hosting Concepts BV for domain registration. We previously observed threat actors rely on other services such as Namecheap, Hostinger or DigitalOcean.
The domains were registered following specific naming conventions, such as incorporating a reference to the impersonated organization or appending a dash ahead of common business and IT terms such as “workspace,” “dev,” “plus,” “hr” or “sso.” The terms "hr" and "sso" each were responsible for 37% of all domains registered, indicating a significant focus on these areas in the naming convention of the phishing sites.
In every campaign we observed, employees of the targeted organizations received SMS messages that contained links to phishing sites that closely resemble the Okta authentication pages of their respective organizations. The smishing campaigns occurred with a certain preference for Thursdays and Fridays after working hours and leveraging HR-related themes to lure victims. We included the theme of an observed phishing campaign for reference.
Victimology
Analysis of the targeted sectors revealed entities within the telecommunications industry were targeted the most, followed by the technology, insurance, IT or technology consulting and retail industries. We observed 20 companies targeted.
Assessment
Our investigation into these recent campaigns revealed overlaps to previous operations linked to the Scattered Spider and other intrusion clusters. However, as we previously reported, Scattered Spider has become a catch-all term within the cyber threat intelligence (CTI) industry and informs patterns observed from multiple intrusions, which are not always performed by the same individuals. Consequently, multiple individuals or groups replicating techniques and tools likely are behind the reported phishing infrastructure. The decision to employ an HR theme in SMS phishing and the selection of related domains likely stems from the understanding that many companies conduct employee performance reviews toward the year's end. Therefore, employees might be more inclined to perceive requests to access the HR portal as legitimate during this period. This evidence, along with reporting from other members of the CTI community, punctuates the effectiveness of these hacking operations and demonstrates the methods used to quickly gain initial access and persistence to victim organizations. With the continued success of these campaigns and the limited resources required to conduct them, it is almost certain these threat actors will continue to leverage similar social-engineering techniques for initial access and likely will inspire other threat actors to adopt the same. Despite the focus of the CTI industry squarely on this threat cluster, there appears to be little change in tactics, techniques and procedures (TTPs), which suggests mitigations to guard against attacks have had limited success and that the user remains the weakest link in the security chain.
Recommendations
Phishing is one of the most common attack vectors cybercriminals use. Common mitigation strategies organizations can implement according to the MITRE Detection, Denial and Disruption Framework Empowering Network Defense (D3FEND) knowledge graph of cybersecurity measures include:
Harden
MFA: Though these intrusion clusters are effective at circumventing MFA, it still provides a useful layer of security that can delay an actor gaining access to a network.
User account permissions: Maintaining a minimal permissions list affords defense in depth, meaning only a select few credentials will provide meaningful access without privilege escalation.
Detect
URL analysis: Scrutinize URLs to ensure they are legitimate and if uncertain pass them to the security team for further analysis.
User behavior analysis: Establishing a baseline for user behavior allows security teams to identify irregular activity.
Prevent
User awareness: Train users to identify phishing pages and confirm they are accessing a legitimate website operated by the organization.
MITRE ATT&CK techniques
This report uses the MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) framework.
TECHNIQUE TITLE | ID | USE |
Resource Development [TA0042] | ||
Acquire Infrastructure: Domains | T1583.001 | Our researchers identified 97 unique phishing domains created from October 2023 to February 2024 that hosted phishing pages likely linked to cybercriminals operating in The Com. The phishing pages were registered via the Hostinger, Namecheap, Porkbun LLC and Hosting Concepts BV registrars. |
Acquire Infrastructure: Virtual Private Server | T1583.003 | Adversaries very likely rented VPS infrastructure from Vultr, Namecheap, DigitalOcean, BLNWX and Unified Layer to host the phishing infrastructure. |
Obtain Capabilities: Tool | T1588.002 | Adversaries obtained phishing kits to impersonate the Okta portal of targeted organizations. |
| ||
Initial Access [TA0001] | ||
Phishing | T1566 | Adversaries leveraged specially crafted phishing pages designed to impersonate the Okta login portal of business partners or targeted organizations. |
Valid Accounts | T1078 | The phishing campaigns targeted employees to harvest login credentials and MFA codes. |
Trusted Relationship | T1199 | Adversaries gained access by exploiting the established trust relationship between two distinct organizations. |
| ||
Credential Access [TA0006] | ||
Multi-Factor Authentication Request Generation | T1621 | Adversaries attempted to harvest MFA codes from victim employees. |
