Your Yello Ring Road To Success
GOOGLE LOGIN MY ADS MY SHOP

Researchers Warn of AiTM Attack Targeting Google G-Suite Enterprise Users

AiTM Attack

The threat actors behind a large-scale adversary-in-the-middle
(AiTM) phishing campaign[1]
targeting enterprise users of Microsoft email services have also
set their sights on Google Workspace users.

“This campaign specifically targeted chief executives and other
senior members of various organizations which use [Google
Workspace],” Zscaler researchers Sudeep Singh and Jagadeeswar
Ramanukolanu detailed[2]
in a report published this month.

CyberSecurity

The AitM phishing attacks are said to have commenced in mid-July
2022, following a similar modus operandi as that of a social engineering campaign[3] designed to siphon
users’ Microsoft credentials and even bypass multi-factor
authentication.

The low-volume Gmail AiTM phishing campaign also entails using
the compromised emails of chief executives to conduct further
phishing attacks by the threat actor, with the attacks also
utilizing several compromised domains as an intermediate URL
redirector to take the victims to the landing page.

Google G-Suite Enterprise Users

Attack chains involve sending password expiry emails to
potential targets that contain an embedded malicious link to
supposedly “extend your access,” tapping which takes the recipient
to open redirect pages of Google Ads and Snapchat to load the
phishing page URL.

Beside open redirect abuse, a second variant of the attacks
relies on infected sites which host a Base64-encoded version of the
next-stage redirector and the victim’s email address in the URL.
This intermediate redirector is a JavaScript code that points to a
Gmail phishing page.

CyberSecurity

In one instance highlighted by Zscaler, the redirector page used
in the Microsoft AiTM phishing attack on July 11, 2022, was updated
to take the user to a Gmail AiTM phishing page, connecting the two
campaigns to the same threat actor.

“There was also an overlap of infrastructure, and we even
identified several cases in which the threat actor switched from
Microsoft AiTM phishing to Gmail phishing using the same
infrastructure,” the researchers said.

The findings are an indication that multi-factor authentication
safeguards alone cannot offer protections against advanced phishing
attacks, necessitating that users scrutinize URLs before entering
credentials and refrain from opening attachments or clicking on
links in emails sent from untrusted or unknown sources.

References

  1. ^
    phishing
    campaign     (thehackernews.com)
  2. ^
    detailed
    (www.zscaler.com)
  3. ^
    social
    engineering campaign     (thehackernews.com)

Read more