In several phishing campaigns since mid-2022, a previously unknown phishing-as-a-service (PaaS) offering named "Greatness" has been used as a backend component for various spam campaigns. In addition to MFA bypass, IP filtering, and integration with Telegram bots, Greatness includes features found in some of the most advanced PaaS offerings. These features include integration with some of the most advanced PaaS offerings.
Phishing attacks are mostly social engineering attacks. Depending on who conducts the attack, they can target a wide range of people. There is a possibility that these emails are spam or scam emails looking to access PayPal accounts.
There is also the possibility of phishing being an attack specifically targeted at a particular individual. Attackers often tailor their emails to speak directly to you and include information only available from an acquaintance. When an attacker gains access to your data, he or she usually obtains this information. Even if the recipient is very cautious in their responses, it is very difficult for them to avoid being a victim when an email of this kind is sent. Based on research conducted by PhishMe Research, over 97% of all fraudulent emails sent to consumers contain ransomware.
As a result of the availability of phishing kits like Greatness, threat actors, rookies, and professionals alike, now can design convincing login pages that comply with the account registration process of various online services while bypassing the two-factor authentication protections offered by the service.
As a result of this, the fake pages that appear to be authentic behave as a proxy for the attacker to harvest credentials entered by victims and time-based one-time passwords (TOTPs).
In addition to the possibility of conducting phishing through text messages, social media, and phone calls, the term 'phishing' is most commonly used in the context of attacks that appear via email. Oftentimes, phishing emails can reach thousands of users directly and disguise themselves among the myriad of benign emails that are received by busy users every day. As a result of attacks, malicious code may be installed on systems (such as ransomware), systems may be sabotaged, and intellectual property may be stolen.
The focus of Greatness is, for now, limited to Microsoft 365 phishing pages, which allows its affiliates to create highly convincing decoy and login pages, using Greatness' attachment and link builder. The attack incorporates features such as pre-filling the victim's email address and showing the victim's appropriate company logo and background image, which were derived from the actual Microsoft 365 login page in which the victim worked or worked for the target organization. The complexity of the software makes Greatness a particularly attractive option for businesses that do phishing.
A geographic analysis of the targets in a number of the various campaigns that are ongoing and have been conducted in the past revealed the majority of victims to be companies based in the U.S., U.K., Australia, South Africa, and Canada, with manufacturing, health care, and technology sectors being the most frequently targeted industries. There are slight differences in the exact distribution of victims between each campaign and each country in terms of the sector and location.
Whenever affiliates deploy and configure the phishing kit provided by Greatness, they can access its more advanced features without technical knowledge. They may even take advantage of the service's more advanced features even if they are unskilled. There are two types of phishing kits. One uses an API to generate phishing claims. The other uses a phishing kit to perform a "man-in-the-middle attack" and generate phishing claims.
In the latest UK government survey titled "Cyber Security Breaches Survey 2021", the UK government reports that phishing remains the "most common attack vector" when it comes to attack attempts involving their systems. Even though phishing is still being used due to its continued success, up to 32% of employees click on a phishing email link while up to 8% of employees are unaware of the sending.
The risk of a data breach or malware infection is greatly increased when an individual clicks on a link in a phishing email and then enters their login credentials to access company resources. There are always going to be several levels of privilege escalation, even when an employee has lower access privileges. Cybercriminals put a lot of effort into making their phishing attack vector as convincing as possible to increase their chances of success.
With the emergence of the Greatness product, Microsoft 365 users are at higher risk of being compromised. Phishing pages can appear more convincing and effective against businesses. Approximately 90% of the affiliates of Greatness target businesses according to the data that Cisco Talos collected. A study of the targeted organizations across several campaign campaigns indicates that manufacturing is the sector given the most attention. This is followed by the healthcare and technology sectors.
The threat was first observed during mid-2022, and according to VirusTotal, a spike in activity was experienced in December 2022 and March 2023. This was a time when attachment samples increased considerably.
As part of the attack chain, malicious emails often contain HTML attachments which are executed on opening. This code often contains obfuscated JavaScript code which redirects the recipient to a landing page with their email address pre-filled and prompts them for a password and two-factor authentication code to access the site.
The credentials entered are forwarded via Telegram to the affiliate's Telegram channel. They will be used to gain unauthorized access to the accounts being accessed.
If a victim opens an attachment that contains an HTML file, the web browser will execute some narrow JavaScript code that will establish a connection to the attacker's server to get the HTML code of the phishing page. In turn, the attacker's server will display the phishing page to the user in the same browser window. An image of a spinning wheel is displayed on the screen in the code, pretending to show that the document is being loaded, with a blurred image.
The PaaS is then responsible for connecting to Microsoft 365 and impersonating the victim to log into the victim's account. As a result, if the service detects that MFA is being used, it will prompt the victim to authenticate by using their chosen MFA method (e.g., SMS code, voice call code, push notification, according to the website).
After a service receives the MFA, the service will continue to impersonate the victim behind the scenes to complete the login process. This will enable it to collect authenticated session cookies associated with the victim. The affiliates will then receive these updates through their Telegram channel or via an email directly from the web panel, depending on which method they choose.
As it works in conjunction with the API, the phishing kit creates a "man-in-the-middle" attack, asking the victim for information, which is then passed to the legitimate login page in real time, and is further logged by the API.
If the victim uses MFA (Master Key Authentication), the PaaS affiliate can steal the user passwords and usernames associated with the account and the authenticated session cookies. This is one of the reasons why the Telegram bot is used - it notifies the attacker as soon as possible about valid cookies so that they can make a quick move if the target looks interesting. This likely is one of the reasons why authenticated sessions typically expire after a while, which is one of the reasons the bot is utilized.
