Russian phishing campaign

Browser-Based Threat Alert: Russian Campaign

Likely-Russian APT actors threaten Western governments

The Threat & Detection Research Team at Sekoia.io recently reported on a suspected Russian intrusion set that utilizes phishing campaigns to steal credentials of military and strategic research targets in mainly Western countries.

One of the most interesting characteristics of this attack was the method the attackers used to bypass traditional email-based anti-phishing tools. Instead of including the malicious link directly in the email, which likely would have been caught by most phishing protection solutions, the attackers attached a benign PDF file that included the malicious link inside. By not including any malicious code within the PDF itself, the attack further evades any endpoint protection that relies on file scanning.

This attacker also uses a devious social engineering trick: the PDF is designed to mimic an error message from the PDF rendering engine and offers a link to "open the file" elsewhere. That link leads to a web page that harvests the victim's credentials using a tool called EvilGinx, a reverse proxy that conducts a man-in-the-middle attack: it relays the legitimate login page to the user and captures the credentials and session cookies as they pass through.
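The technique above relies on the PDF carrying only an ordinary link annotation, so nothing in the file looks like code to a scanner. A defender can still triage such attachments by pulling every `/URI` action out of the document and checking the link targets against an allowlist. The following is an added example, not code from the campaign report or from Conceal; it uses a constructed minimal PDF (the `example.invalid` hostname and `login-portal` label are placeholders), handles both literal and hex-encoded PDF strings, and only sees objects that are not inside compressed object streams.

```python
import re
from urllib.parse import urlparse

# Constructed sample PDF (not from the campaign): one page whose only content is a
# Link annotation with a /URI action pointing at an external "open the file" site.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [100 100 300 120]
   /A << /S /URI /URI (https://login-portal.example.invalid/open?file=report.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI (...) as a PDF literal string; escaped parentheses ("\(" and "\)") are allowed inside.
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# /URI <...> as a PDF hexadecimal string (whitespace inside the angle brackets is permitted).
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")


def unescape_pdf_string(raw: bytes) -> str:
    """Resolve the common PDF literal-string escapes: \\( \\) \\\\ and \\ddd octal."""
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i:i + 1]
        if c == b"\\" and i + 1 < len(raw):
            nxt = raw[i + 1:i + 2]
            if nxt in b"()\\":
                out += nxt
                i += 2
                continue
            if nxt in b"01234567":
                j = i + 1
                while j < len(raw) and j < i + 4 and raw[j:j + 1] in b"01234567":
                    j += 1
                out.append(int(raw[i + 1:j], 8) & 0xFF)
                i = j
                continue
        out += c
        i += 1
    return out.decode("latin-1")


def extract_link_uris(pdf_bytes: bytes) -> list[str]:
    """Return every URI target found in /URI actions of uncompressed PDF objects."""
    uris = [unescape_pdf_string(m.group(1)) for m in URI_LITERAL.finditer(pdf_bytes)]
    for m in URI_HEX.finditer(pdf_bytes):
        digits = re.sub(rb"\s", b"", m.group(1))
        if len(digits) % 2:          # PDF pads an odd final digit with 0
            digits += b"0"
        uris.append(bytes.fromhex(digits.decode("ascii")).decode("latin-1"))
    return uris


def triage_pdf_links(pdf_bytes: bytes, trusted_domains: set[str]) -> list[dict]:
    """Flag link targets whose host is not an allowlisted domain or a subdomain of one."""
    findings = []
    for uri in extract_link_uris(pdf_bytes):
        host = (urlparse(uri).hostname or "").lower()
        trusted = any(host == d or host.endswith("." + d) for d in trusted_domains)
        findings.append({"uri": uri, "host": host, "suspicious": not trusted})
    return findings


if __name__ == "__main__":
    for f in triage_pdf_links(SAMPLE_PDF, {"example.com"}):
        print(("SUSPICIOUS " if f["suspicious"] else "ok         ") + f["uri"])
```

Real attachments frequently store annotations inside compressed object streams, where this regex pass cannot see them; in a mail gateway you would decompress the file with a full PDF parser first and then apply the same allowlist logic to the extracted targets. A link that appears in a PDF whose visible content is nothing but an "error, open elsewhere" message is exactly the pattern worth surfacing to analysts.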

How can Conceal’s Internet browsing security solution protect you from similar attacks?

Because ConcealBrowse resides in the web browser, it doesn't matter where users click on malicious links. Whether the link is directly in an email, in a social media post from another app or the browser itself, or even within a PDF as in this example, ConcealBrowse scans every URL and takes appropriate action based on its associated risk.

In this case, the links would be opened on a throwaway virtual machine in the cloud utilizing our state-of-the-art remote browser isolation engine for further analysis. Once the threat is identified as a phishing attack, ConcealBrowse’s anti-phishing technology takes the additional step of preventing users from providing credentials or other sensitive information.

Furthermore, because the site running EvilGinx was opened in an isolated browser off the user's machine, its ability to intercept session cookies would be rendered useless.

ConcealBrowse provides multiple levels of security, and it protects users even in cases where their trust is abused to make them take high-risk actions. Constantly working in the background, ConcealBrowse is transparent to end users and protects them from attackers and from themselves without getting in the way of their work.

If you’d like to learn more about how your organization can easily incorporate this zero-trust web browsing, click here to set up a demo today.