[This is a guest diary submitted by JB Bowers]
During the COVID-19 pandemic, nearly every kind of company has moved to use more online collaboration tools. This means that many small businesses, universities, primary and secondary schools, and others that may not be well-trained in online safety will be especially vulnerable to this type of credential-phishing attack, especially if they are using a relatively new tool, like Piktochart.

I had not used Piktochart before, but this week security researcher @pageinsec [3] shared with me an infographic that asks the user to click on a link in order to read a shared PDF document [4]. According to its website, Piktochart has about 2,000 registered users and about 24 million Piktocharts created, and it is used by companies such as Forbes, TechCrunch, and others. With a legitimate business purpose that is endorsed by some large companies, it is likely an effective way for the attackers to evade DNS filtering or other simple defenses against credential-stealing attacks.

Piktochart has a feature that makes it even better suited to phishing: registered "Pro users" can download an actual .pdf file with the malicious link intact, or render the file into several different sizes of .png images, as indicated in the IOCs near the bottom of this page, which might be useful for hunting for similar activity.

An unsuspecting victim would receive an e-mail or social media post containing the malicious Piktochart from someone they knew, whose account had already been compromised. If they click the link, a second-stage credential stealer follows: a pretty decent-looking (but fake) Microsoft login page hosted at the domain obggladdenlightfoundation(.)org. This base domain currently has "0 out of 87" vendors reporting it as malicious on VirusTotal, and is made out to be a non-profit in Lagos, Nigeria.

This specific example had a different site registration than most of the other, identical sites I've researched, so it is possible this site was the result of a takeover of a legitimate business's WordPress website, or a redirection of the site's DNS.
IOCs:

- URLs/Domains: pwan-heritage(.)com/pol/OfficeV4/*
- 2nd stage/stealer IP:
- Domain registrar: 007NAMES INC.
- Microsoft cred stealer image - hashes (SHA-2):
- DOM (cred-stealer page):
- POST request:
- Cookies:
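To turn the indicators above into something a defender can run over web-proxy logs, here is an added Python example (not code from the diary's author or from Piktochart). It uses only the two defanged IOC values that appear on this page; the log format, every log line, and the assumption that the lure link is served from piktochart.com are constructed for the example. A POST to the credential-stealer page is labelled separately, since that is the event where a password was most likely submitted and a reset is warranted.

```python
"""Hunt web-proxy log lines for the phishing IOCs named in this diary.

Added example for this diary; the IOC strings are the defanged values on the
page, while the log format, the sample log lines and LURE_HOST are constructed
assumptions for illustration.
"""
import re
from urllib.parse import urlparse

DEFANGED_IOCS = [
    "obggladdenlightfoundation(.)org",     # fake Microsoft login page (from the diary)
    "pwan-heritage(.)com/pol/OfficeV4/*",  # credential-stealer path (from the diary)
]
LURE_HOST = "piktochart.com"  # assumption: the infographic lure is a link on this host

# Constructed log format: timestamp client method url status referer ("-" if none)
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<referer>\S+)$"
)

# Constructed sample log lines showing one full lure -> login -> POST chain.
SAMPLE_LOG = [
    "2021-03-10T09:12:01Z 10.0.0.15 GET https://create.piktochart.com/output/shared-pdf 200 -",
    "2021-03-10T09:12:07Z 10.0.0.15 GET https://obggladdenlightfoundation.org/login 200 "
    "https://create.piktochart.com/output/shared-pdf",
    "2021-03-10T09:12:31Z 10.0.0.15 POST https://obggladdenlightfoundation.org/login 302 "
    "https://obggladdenlightfoundation.org/login",
    "2021-03-10T09:13:02Z 10.0.0.22 GET https://www.pwan-heritage.com/pol/OfficeV4/index.php 200 -",
    "2021-03-10T09:14:00Z 10.0.0.22 GET https://www.example.com/ 200 -",
]


def refang(ioc: str) -> str:
    """Undo the common defanging used in reports so the value can be matched."""
    return ioc.replace("(.)", ".").replace("[.]", ".").replace("hxxp", "http")


def compile_ioc(ioc: str):
    """Split a refanged IOC into (host, path_prefix); a trailing '*' is a wildcard."""
    host, _, path = refang(ioc).partition("/")
    prefix = "/" + path.rstrip("*") if path else "/"
    return host.lower(), prefix


def host_matches(hostname: str, ioc_host: str) -> bool:
    """Match the host itself or any subdomain of it (www., cdn., ...), never a superstring."""
    hostname = hostname.lower()
    return hostname == ioc_host or hostname.endswith("." + ioc_host)


def url_matches(url: str, ioc_host: str, prefix: str) -> bool:
    """True when the URL's host matches the IOC host and its path starts with the IOC path."""
    parsed = urlparse(url)
    return host_matches(parsed.hostname or "", ioc_host) and parsed.path.startswith(prefix)


def hunt(lines):
    """Return one finding per log line that touches an IOC, with a severity label."""
    compiled = [(ioc, *compile_ioc(ioc)) for ioc in DEFANGED_IOCS]
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than crash the hunt
        rec = m.groupdict()
        for ioc, host, prefix in compiled:
            if not url_matches(rec["url"], host, prefix):
                continue
            referer_host = urlparse(rec["referer"]).hostname or ""
            if rec["method"] == "POST":
                severity = "credential-post"   # form submitted: treat the account as compromised
            elif host_matches(referer_host, LURE_HOST):
                severity = "lure-click"        # arrived from the Piktochart lure
            else:
                severity = "ioc-hit"           # contact with the IOC, origin unknown
            findings.append({"ts": rec["ts"], "client": rec["client"], "method": rec["method"],
                             "url": rec["url"], "ioc": ioc, "severity": severity})
            break
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} {f['severity']:16} {f['method']} {f['url']}")
```

The subdomain check in host_matches is deliberate: the diary notes that www.pwan-heritage(.)com style hosts may serve the same path, while a plain substring match would also flag unrelated hosts that merely end in the IOC string.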
References:
Johannes, ISC Handler, Mar 11th 2021