Thursday, March 31, 2022
In the constant search for novel hacks, cybercriminals have been cycling their way through a multitude of free sites, both to send phishing emails and to host malware injection mechanisms. In a recent attack, black hats tried to lure victims to Calendly, a free calendar app, where they had crafted a clever sequence that led to a credential-harvesting payload.
Although it might seem strange to go to all that trouble just to gain some login information, harvested credentials are highly prized for lateral attacks, launched from legitimate accounts that the bad guys have taken over, targeting more valuable employees within the same company. The initial phish in these cases was sent from just such accounts.
Quick Take: Attack Flow Overview
- Type: phishing
- Vector: phishing emails from hijacked accounts
- Payload: credential harvesting launched from abused calendly.com event pages
- Techniques: account takeover, brand impersonation, credential harvesting
- Platform: Google Workspace and Microsoft 365
- Target: Google Workspace and Microsoft 365 users
The Attack
Toward the end of February, INKY detected a credential harvesting operation that abused Calendly, a freemium calendaring hub, by inserting malicious links into calendly.com event invitations. Calendly allows users to create free accounts without entering credit card information, a low barrier to entry that black hats appreciate.
Calendly makes scheduling easy, maybe a little too easy
The attack began with phishing emails sent from hijacked accounts. It appears that the bad guys cast a fairly wide net, as 64 INKY customers found emails in their inboxes referring to “new documents received.”
A sample email purporting to inform the recipient of a fax waiting to be viewed
If the recipient clicked on the blue VIEW DOCUMENTS button, they were taken to an event invitation on calendly.com.
An alert victim might have noticed how odd it is to view a fax from a calendar
A bit of sleuthing by our data analysts turned up the fact that Calendly’s invite pages are customizable. In this example, phishers created a fake fax document notification with fax attributes (number of pages, file size). They used the Add Custom Link feature to insert a malicious link on the event page.
If the victim had not been tipped off by the strangeness of the situation, they might have clicked on the PREVIEW DOCUMENT link and been taken to a credential-harvesting page that impersonated Microsoft. Hovering over the link (indicated by the red arrow above) would have shown that it led to https://dasigndesigns[.]com/ss/updation/index.html, a hijacked site that is listed in Google, Firefox, and Netcraft threat feeds.
A standard-looking Microsoft login dialog box
As part of our investigation, an INKY engineer entered a fake username (b@inky.com) and password to test the phishing site and got a fake invalid-password error. Behind the scenes, the black hats harvested the fake credentials.
A rejected login created a cover for credential harvesting
A second attempt to log in led to a second harvesting event, whereupon the victim was redirected to their own (supposed) domain, in this case, inky.com.
This pattern of two login attempts followed by a “blow-off” to a benign webpage is fairly standard in the phishing world. Either the phishers are hoping the victim will try two different accounts or they just want to make sure the credentials they have are correct. It’s also possible that they are trying to adhere to a normal login protocol that lets users make a couple of attempts before locking them out. In any case, setting them down gently on their own domain for the blow-off is a clever touch.
The real INKY site
We tested the phishing site several times with different username domains, and, in every case, the site redirected to the username domain. An examination of the HTML source code revealed how JavaScript was used to make this dynamic redirection work.
HTML source code for the dynamic redirect
The username domain was stored in a variable (my_slice) and concatenated into a new URL (in the example case, http://www.inky.com), which was then passed to the “window.location.replace()” method. After the second login attempt, replace() navigated the browser away from the malicious page to that safe URL. As an extra benefit to the black hats, location.replace() swaps the current entry in the browser’s session history for the new URL rather than adding a new entry (which is what location.assign() or setting location.href would do). The phishing page therefore never remains in the history, and the user cannot use the back button to navigate back to it.
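To make the mechanics concrete, here is an added JavaScript model of the flow described above. It is not code recovered from the phishing kit and not INKY’s code: the variable name my_slice, the two-attempt threshold, and the use of window.location.replace() come from the article, while the function names, the way the domain is sliced from the username, and the constructed kit snippet are assumptions. It runs under Node without touching the network, and it also includes a small source-scanning helper of the sort an analyst might use when reading a saved kit page to spot a run-time-assembled redirect.

```javascript
// Added example, not code from the phishing kit or from INKY. Models the
// two-attempt "blow-off" flow the article describes, plus a source-scanning
// check for a window.location.replace() whose target is built at run time.

// Mimics how a kit could derive my_slice from the typed username: the text
// after the last '@' (assumed). Returns null when no domain is present.
function domainSlice(username) {
  const at = username.lastIndexOf("@");
  if (at === -1 || at === username.length - 1) return null;
  return username.slice(at + 1).trim().toLowerCase();
}

// Builds the benign destination the victim is "blown off" to.
function blowoffUrl(username) {
  const d = domainSlice(username);
  return d ? `http://www.${d}` : null;
}

// A small state machine standing in for the kit's form handler (assumed
// structure). Every submission is captured; the first maxAttempts-1 get a
// fake invalid-password error, the last one triggers the redirect.
function createPhishFormModel(maxAttempts = 2) {
  let attempts = 0;
  const captured = [];
  return {
    submit(username, password) {
      attempts += 1;
      captured.push({ attempt: attempts, username, password });
      if (attempts < maxAttempts) {
        return { action: "show_error", message: "Your account or password is incorrect." };
      }
      // In a browser this step would be window.location.replace(url): the
      // current history entry is replaced rather than a new one pushed, so
      // the Back button does not lead back to the phishing page.
      return { action: "replace", url: blowoffUrl(username) };
    },
    captured() {
      return captured.slice();
    },
  };
}

// Analyst-side helper: return the arguments of window.location.replace(...)
// calls that are not a single string literal, i.e. URLs assembled at run time.
const REPLACE_CALL = /window\.location\.replace\(([^)]*)\)/g;
const STRING_LITERAL = /^\s*(["'])(?:(?!\1)[^\\]|\\.)*\1\s*$/;
function findDynamicReplaces(source) {
  const hits = [];
  for (const m of source.matchAll(REPLACE_CALL)) {
    if (!STRING_LITERAL.test(m[1])) hits.push(m[1].trim());
  }
  return hits;
}

// Constructed stand-in for a kit page (not the real one from the article).
const SAMPLE_KIT_SNIPPET = `
var my_slice = document.getElementById("email").value.split("@")[1];
if (attempts >= 2) { window.location.replace("http://www." + my_slice); }
else { window.location.replace("./index.html?err=1"); }
`;

// Stand-alone demo: two submissions, then the scan of the constructed snippet.
const demoForm = createPhishFormModel();
console.log(demoForm.submit("b@inky.com", "first-guess"));   // show_error
console.log(demoForm.submit("b@inky.com", "second-guess"));  // replace -> http://www.inky.com
console.log(findDynamicReplaces(SAMPLE_KIT_SNIPPET));        // [ '"http://www." + my_slice' ]
```

The scanner only flags the replace() whose argument is concatenated from a variable; the literal relative-path redirect in the same snippet is left alone, which is the distinction an analyst wants when skimming a kit for the dynamic blow-off pattern.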
Recap of Techniques
- Brand impersonation — uses brand logos and trademarks to impersonate well-known brands.
- Credential harvesting — occurs when a victim thinks they are logging in to one of their resource sites but are really entering credentials into a dialog box owned by the attackers.
- Compromised email accounts — are used by phishers to get past most security checks (mail sent from a legitimately hosted account passes sender authentication such as SPF, DKIM, and DMARC and inherits the sending domain’s good reputation), allowing phishing emails to slip past corporate defenses and into hapless recipients’ inboxes.
- Dynamic redirection — uses elements of the victim’s email address, particularly the domain, to guide the attack flow.
Best Practices: Guidance and Recommendations
Recipients should always examine the sender’s email address and display name carefully. In this case, the email claimed to be from Microsoft, but it came from a non-Microsoft domain.
Recipients should also be suspicious of an unusually long display name. As a first line of defense, recipients can hover over a link to see its destination. While calendly.com is a legitimate domain, it doesn’t make sense for a Microsoft SharePoint notification to be viewed there.
One way to stay protected against credential harvesting attacks is to use a password manager, an encrypted database that stores, generates, and manages passwords for websites. They are available as browser extensions and, before offering to autofill, compare the current site’s origin (scheme and hostname) against the URL stored with each saved entry. If the two don’t match, the manager will not automatically enter credentials, so a login form on a hijacked or look-alike domain gets nothing. Many password managers also show an indicator icon in the browser toolbar when the current site matches a saved entry.
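As an added illustration (not INKY’s code and not any particular password manager’s), the following JavaScript shows the origin check described above, with a deliberately naive substring matcher beside it to show why the comparison has to be made on the parsed hostname rather than on the raw URL string. The vault entries and the hostnames used as test inputs are constructed sample data.

```javascript
// Added example: autofill origin matching as a password manager does it,
// contrasted with a naive substring check. Not INKY's or any vendor's code.

// Constructed sample vault (hypothetical entries).
const VAULT = [
  { site: "https://login.microsoftonline.com/", username: "b@inky.com" },
  { site: "https://calendly.com/", username: "b@inky.com" },
];

// Naive check: does the stored hostname appear anywhere in the current URL?
// Fooled by look-alike hosts (stored-host.evil.example) and by paths.
function naiveMatches(currentUrl, entry) {
  return currentUrl.includes(new URL(entry.site).hostname);
}

// Proper check: parse both URLs and compare scheme and hostname exactly.
// Refuses to fill over plain HTTP and on anything that does not parse.
function originMatches(currentUrl, entry) {
  let current;
  let stored;
  try {
    current = new URL(currentUrl);
    stored = new URL(entry.site);
  } catch {
    return false; // unparseable URL: never fill
  }
  return (
    current.protocol === "https:" &&
    stored.protocol === current.protocol &&
    current.hostname === stored.hostname
  );
}

// Returns the vault entries a manager would offer to autofill on currentUrl.
function autofillCandidates(currentUrl, vault = VAULT, matcher = originMatches) {
  return vault.filter((entry) => matcher(currentUrl, entry));
}

// Stand-alone demo over constructed URLs (the hijacked host is hypothetical).
for (const url of [
  "https://login.microsoftonline.com/common/oauth2/authorize",
  "https://compromised-site.example/ss/index.html",
  "https://login.microsoftonline.com.evil.example/",
  "https://evil.example/login.microsoftonline.com/",
  "http://login.microsoftonline.com/",
]) {
  console.log(
    url,
    "naive:", autofillCandidates(url, VAULT, naiveMatches).length,
    "origin:", autofillCandidates(url).length
  );
}
```

Only the genuine login host yields a candidate under the origin check; the look-alike subdomain, the path trick, the plain-HTTP variant, and the hijacked host all get nothing, which is exactly the property that keeps a manager from handing credentials to a page like the one in this attack.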
Ready to see INKY in action? Request a free trial or a demo today.
After publication, we received a note from Calendly stating the following:
“Security is a top priority at Calendly. Similar to other major technology providers, we have an extensive network of tools and systems in place, such as a next-generation web application firewall, fraudulent IP tracking, and anomalous traffic pattern alerts. We also recommend that customers add an additional layer of protection with a password manager and two-factor authentication.
In this instance, a malicious link was inserted into a customized booking page. Phishing attacks violate our Terms of Service and accounts are immediately terminated when found or reported. We have a dedicated team that constantly enhances our security techniques, and we will continue to refine and stay vigilant to protect our users and combat such attacks.”
* * * *
About INKY
INKY is an award-winning, cloud-based email security solution developed to proactively eliminate phishing emails and malware while simultaneously providing real-time assistance to employees handling suspicious emails so they can make safer decisions. INKY’s patented technology incorporates sophisticated computer vision, machine learning models, social profiling, and stylometry algorithms to effectively sanitize emails, rewrite malicious links, detect and block security threats, mitigate sender impersonation, and more. Cost-effective and powerful, the INKY platform was developed for mobile-first IT organizations and works seamlessly on any device, operating system, and mail client. Learn more about INKY™ or request an online demonstration today.