Research Saturday 12.17.22
Ep 262 | 12.17.22

Hijacking holiday spirit with phishing scams.


Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Or Katz: So basically this campaign is saying the following thing - and it's not that unique in that sense - saying, hey, there is some free-of-charge gift or prize or coupon, something in that nature. It's very compelling. It's very engaging in many ways. And it leads for victims to, you know, press on that relevant link, go through a website and from there, you know, be more engaged with the scamming and as a result, lose some of their personal information. 

Dave Bittner: That's Or Katz. He's a security executive for thought leadership and research at Akamai. The research we're discussing today is titled "Highly Sophisticated Phishing Scams Are Abusing Holiday Sentiment." 

Dave Bittner: And it is good-looking. I mean, they've taken the effort here to really make it look like the brands that they're impersonating. 

Or Katz: Yes, definitely. And they're doing a really good job, right? We don't want to admit that. But in a sense, they're doing a good job for them to create something that's very trustworthy, looks very appealing, looks, like, legit, and as a result of that, create much more engagement from potential victims, which is something that, you know, we need to address, right? That's something that keeps me awake at night - right? - being able to track those things and making sure that, you know, we know how to mitigate those kinds of scams.

Dave Bittner: And, I mean, this is using some of the standard social-engineering schemes that we track here. I mean, there is sort of a call to action with some urgency. They even have some fake user forums. 

Or Katz: And that's the story behind the scenes, which is - right? - it's not just one campaign being activated. There's a bunch of those campaigns being activated at the same time, and they are using the same phishing toolkit in that sense, like, it's - toolkits would be the software being used by adversaries to launch those kinds of campaigns. And what they're doing is that they are creating those, as you mentioned, fake users that look as if they're, like, social-networks kind of users that are trying to say, hey, this campaign really - like, this kind of offer really works. It's not a scam. I got some free, you know, gift and etc. And they are doing that, and they're using the same fake users for different kinds of campaigns, different kinds of merchandise being offered to the victims. And that's part of the - you know, the scale of that kind of campaign.

Dave Bittner: Well, let's go through some of the technical things that they're doing here as well. They're taking advantage of some URL shorteners? 

Or Katz: Yes. So overall, they're using a variety of techniques. The first one, as you mentioned - it's URL shorteners. And in a sense, they're creating, like, a nest of, you know, links that at the end of the day leads to the landing page, the actual phishing website. They're using that as part of their techniques and their ways to try to evade detection - using nested, kind of, links to lead to different or same scam, create a kind of agility, from their point of view, to be able to change one of those links and still being resilient to detection in that sense. 

Dave Bittner: Yeah. I mean, looking through the research here, I mean, it really reads like a - it's practically a textbook example of some of the techniques that we see here. I mean, they're using legitimate web services like AWS or Google Cloud. 

Or Katz: Exactly. It's - and I'm being asked about that a lot, right? I'm being asked, how come phishing is still working, right? And I'm struggling - sometimes I'm struggling to answer that, right? How come people are still falling into those scams or being victimized by those scams? And there's two aspects for that. First of all, it's the social engineering part of that, how you can, you know, engage people into those scams. And we talked about that. But the second part, as you mentioned - it's a variety of techniques being used to make sure that those scams work. And URL shorteners and being able to create, you know, those kinds of links that no one knows how to detect - that's part of the magic that they are creating in order to, you know, make sure their scams still work. 

Dave Bittner: There's a technical element here that you all highlight, and this is the usage of URI fragment identifier redirection. Can you unpack that for us? What are they doing here? 

Or Katz: That's like - it's the first time that I was able to see that kind of technique being used, and we haven't seen anyone report on that technique in the wild. So we consider that as a novel kind of technique. And the interesting part here, and that's - like, before we go into the details, the issue is that adversaries are creating links that make sure that only those that press on the original link being sent to your email will be landing on the phishing scam. And in other words, if you will take the original link without some extra account information - the what we call URI fragmentation - of that kind of link and you will try to use that, you will not get into the landing page. If you will take that and use that from, like, something that is not a browser, like a script or something like that that scans a variety of URLs, you will not get to the landing page. And in that sense, it's one of those - you know, again, a variety of techniques being used to make sure that those scams will work and will postpone detection of that scam by creating all kinds of barriers for us from a defensive point of view. And that kind of link creates that. Basically it's - in a way, it's that kind of technique being used, making sure that only once we use our browser and using that original link that was sent to us, only then we will get to the landing page for the scam.

Dave Bittner: So help me understand here. Does that mean that, for example, if - I don't know - if this link was loaded in some kind of security package that pre-detonates links like this, that may not work for - it might not take them to the landing page, where it would for me if I clicked on it in my browser? 

Or Katz: Exactly that. Like, in a sense, if you would try to reach out that link without using a browser or browser engine - right? - you can do that, like, automatically in a - sort of a simulation of a browser. If you will not do that, if you access that link, it will not work because that link is actually using some functionality of JavaScript on our browser to create a follow-up link, a link that - being generated by the browser, by the JavaScript running on our browser to redirect us to the next stage of that scam. And if you are not running a browser or browser engine, you will not be able to create that link, and as a result of that, you will not get to the phishing scam. And in a sense, that what motivated adversaries in a way, they are trying to make sure that those that are not legitimate victims - I said right there, legitimate victims - it's a bit... 

Dave Bittner: (Laughter) That's an interesting turn of phrase, isn't it? 

Or Katz: Exactly. 


Or Katz: ...Will not get to the scam, right? I mean, I'm trying to create an analogy for that from our - like, from Akamai's point of view on things that we're doing to protect our customers when we are making sure that, you know, non - like, users that are not humans, meaning bots, are not being - like, will not reach our websites because we want to block that kind of traffic. Those kinds of adversaries are using similar techniques in a sense, but on the other way around. They're making sure that only victims will reach out their scam and not something that is trying to scan some URLs and try to figure out if that's a scam or not.

Dave Bittner: You point out the use of randomly generated URLs, that they're really working hard to limit the access to the kit. 

Or Katz: Yeah - so again, variety of techniques. One of the techniques that we're able to see is a technique that makes sure that only the person that was following the link - the original link - will have access to the scam website. It's a dynamic kind of generation of that link that can change between different original links being sent to end users - to the victims - and they make sure that once you take a given link - given to you, for example - and I will try to use that link from my browser, I will not get to that landing page. I need to follow the original link that was delivered for me on my email to be able to get to that scam. If you will give me the final link, the final URL that is exposed to you once you access the website and I will try to use it, it will not work. And again, think about it from an adversary point of view. They are trying to delay time for detection. They're trying to make sure that if you see something suspicious and you send it over for me to examine that, I will try to use that link, and it will not work. And I would say, hey, nothing works here. You know, I'm not good at getting into the scam. And as a result of that, detection times take longer because we need to do more investigation and more - you know, better understanding what really happened to you. 

Dave Bittner: Who do you suppose they're targeting here? Is there any specificity there in terms of who they're - it seems like they're going after? 

Or Katz: So the campaign that we tracked was mainly focused on North American victims. We noticed that there are some other campaigns that are targeting different geolocated kind of victims. But in our case, it was mostly North America, and the brands being abused in that sense were aligned with that. But basically, it's a consumer kind of campaign, a very basic one, trying to, you know, get to as many people as possible, lead them to the scam and at the end of the day try to get their credit card information. 

Dave Bittner: Do you have any sense for the availability of this kit, where people are purchasing it and, you know, the degree to which the bad guys are using it out there? 

Or Katz: That's a really great question. So the short answer is no. I don't have much visibility into the kit itself, how it's being sold and what's the market behind that. But I will say that we know that that kit and version - previous version, a very similar, if not the same kit - are being used over and over again for quite some time. And I think that in a sense helps us to understand some of the scale and some of the motivation behind the scenes, meaning that this is someone that is - that's his work. His work is to create those phishing toolkits to take them each time to the next level, make them much more sophisticated for many reasons - right? - to not be detected. That's his motivation for sophistication of the toolkit or creating more engagement in that sense. And they're doing that for quite some time. They're doing that in high scale. We see a lot of those, and we know it's some sort of a business for them. And that's unfortunately, you know, what we are seeing out there.

Dave Bittner: Well, based on the information you've gathered here, then, what are your recommendations for folks to best protect themselves against this? 

Or Katz: I think that at the end of the day, there is a recommendation for, you know, our colleagues, our friends, our neighbors, you know, people that we care about, and tell them, hey, if it's too good to be true, it probably is. Make sure that you are not falling into those scams. If someone offers you a gift, a very nice gift, and it doesn't cost anything but for you to provide your credit card number for a very, you know, limited amount of money for delivery, for example, for shipment, you know, think about it. It might be wrong. Right? Don't do that. And that's for, you know, looking at the victim from, you know, that point of view. For organizations, I would say it's all about layers. It's all about our ability to create a multilayered approach that will make sure that we reduce those kind of but reduce the potential of having victims from our organization to the minimum. It's not 100% bulletproof, right? But it's all about the risk and what we are doing to reduce that risk. 

Dave Bittner: Our thanks to Or Katz from Akamai for joining us. The research is titled "Highly Sophisticated Phishing Scams Are Abusing Holiday Sentiment." We'll have a link in the show notes. 

Rick Howard: Hey, everybody. Rick here, the N2K CSO and the chief analyst and senior fellow here at the CyberWire. This upcoming Thursday at 2 p.m. Eastern, join me and our VP and senior editor John Petrik as we review topics and events that have made the most significant impact in 2022. Normally, this quarterly show is a CyberWire Pro exclusive, but because of the holidays, we're letting all CyberWire readers and listeners in. You're welcome. Register today by visiting That's thecyberwire - all one word - .com/analystcall - all one word. And happy holidays to everybody. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoshide (ph), Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.