Colorado-Based Sengrid Email Marketing Company Accounts Were Hacked
The accounts are now used in phishing attacks for the purpose of stealing login data.
“Contact”, the threat actor behind this operation has been present since 2020 and it’s believed to have collected over 400.000 credentials through phishing methods.
The latest attack
The most recent campaign targeted the users of Outlook Web Access and Office 365 services and it seems to have collected thousands of credentials relying on trusted domains such as SendGrid.
It appears the attackers used Zoom invites as a lure together with an extensive list of email addresses, in this way “Contact” was able to deliver messages from hacked accounts on the SendGrid cloud-based platform.
SendGrid is known as a trusted SMTP provider, so the messages sent in this manner had a greater chance to reach their destination and pass through the email protection technology.
The attackers collected over 400.000 credentials
Researchers at WMC Global, and creators of PhishFeed real-time phishing intelligence service, capitalized on some mistakes of the threat actor that allowed them to analyze how the credentials moved from the phishing site into the hands of the operator.
They estimated that each phishing attack collected 3700 unique credentials, which would mean that “Compact” may have collected more than 400.000 credentials at this time.
Previous operations were using SendGrid accounts in order to send the phishing email, just to move afterward to MailGun.
The researchers say the phishing website of Compact’s campaign had a distinct fingerprint in the code that allowed them to monitor and detect the attacks on a new site as soon as it became live.
In December 2020 they’ve found a landing page impersonating Outlook Web App and in January 2021 another one that pretended to be the entry point for Office 365 login.
Heimdal® Email Security
- Completely secure your infrastructure against email-delivered threats;
- Deep content scanning for malicious attachments and links;
- Block Phishing and man-in-the-email attacks;
- Complete email-based reporting for compliance & auditing requirements;
The researchers looked carefully at the website’s source code and were able to pull exfiltration locations and credential logs in text files.
How were the attackers operating?
The attackers were wiping and removing the credential file logs to prevent other threat actors or security teams to unfold and the phishing attack, it was noted as well that the lots of victims were from large and notable companies.
Analyzing a small number of logs submitted credentials revealed a concerning pattern. This was happening in mid-January, this year. It was only natural to suspect a potential credential poisoning operation was underway.
The most likely purpose was to dilute the legitimate credentials harvested by the threat actors. Some cybersecurity companies use credential poisoning to hide legitimate credentials in pools of fake logins, causing the threat actor difficulty detecting the authentic logins. Some threat actors may also poison the results of their competitors. Many threat actors are cognizant of credential poisoning operations and frequently validate credentials automatically upon ingestion flagging inauthentic credentials.
“Some cybersecurity companies use credential poisoning to hide legitimate credentials in pools of fake logins, causing the threat actor difficulty detecting the authentic logins. Some threat actors may also poison the results of their competitors” – WMC Global
The discoveries made helped the team better understand what motives the threat actor group has. It seems that they have been in the cybercrime space for some time and are re-using effective TTPs, having gone undetected and under-investigated previously.