With cybersecurity defenses improving, threat actors are turning to socially engineered attacks to exploit human vulnerabilities with phishing. A phishing technique gaining popularity is the use of a “Replica Sign-in Page” for federated account logins. This tactic works by playing into the human brain’s characteristic (which gives priority to known visuals; meaning that the mind sees what it thinks it has seen or expects to see) to lure victims into trusting the fake sign-in pages and offering up their login credentials.

Replica pages often leverage popular global brands such as Google, Microsoft, Dropbox, and Yahoo for credential stealing attacks. Some come complete with functional “Password Reset” options, and some ask for secondary email accounts, mobile phone numbers, or security questions for “enhanced security”.

Recently, we have been observing a new twist in the old tactics. SlashNext has been detecting more and more multi-brand phishing pages. Attackers create a fake web page that includes multiple brands simultaneously. In the instance below, the attacker provides a custom “Dropbox” phishing page that allows the user to gain access with the federated/trusted email login source of their choice.

Clicking on any of the above icons pops up a new browser window that prompts the user to enter his or her credentials.

The following are pop-up windows for each of the masqueraded federated login sources:

Regardless of the selection, once the user enters his or her credentials in any of the above, the form will submit the stolen information through a php script of the same name as popup htm:
AA1.php, LL1.php, OF.php, OT.php, YY1.php, gg1.php, gg2.php All hosted on the same server.

In each php, the attacker has written a code to send the collected information to this email address: checksandbalances77@gmail.com

The subject line of the email begins with “Blessings” from sender name “Trump”.

In the Gmail case, the attacker continues on and grabs the victim’s Gmail recovery telephone and email address. Once the“Next”button is pressed, and the credentials have been sent to above mentioned email address, the victim is redirected to page: GG2.html

In all other cases, victim is redirected to the Google Docs URL:
hxxps://docs[.]google[.]com/file/d/0B6zOv6vjXCc1OVVtTFBNVmpSdXc/edit
While investigating this attack, we found it very intriguing that the attackers did not secure their web server’s directory structure leaving all the phishing content open.

Enterprises have tried to reduce their risk to these sorts of attacks by training their employees on how to identify and avoid these kinds of fake sign-in pop ups and pages. However, despite training, humans make mistakes. And attackers are creating more sophisticated and legitimate looking phishing attacks every day. They’re often very hard to detect. It’s why SlashNext has invested so much in its SEER™ phishing detection technology. SlashNext can detect phishing attacks faster and more accurately than an army of cybersecurity experts, not to mention your average employee encountering this kind of phishing attack.