An extremely sophisticated, multistage phishing campaign dubbed Heatstroke was recently identified by researchers at Trend Micro. Compared with its counterparts, this campaign employs advanced techniques: Heatstroke hides malicious URLs inside legitimate web addresses and uses a wide variety of social engineering techniques. The attacker behind Heatstroke appears to be targeting PayPal and credit card information.

The designers of Heatstroke have been found to do a considerable amount of research when selecting their victims. The aim is to attack a person's private email address, usually collected from a previous breach's victim list. They also appear to be targeting managers and employees in the technology industry. After a successful attack, the attacker has been observed attempting to access the victim's Google Drive and further compromise any Android device connected to that account.

Heatstroke uses a multistage approach, unlike typical phishing attacks that rely on a single landing page. The infection chain begins with the phishing email. If the victim clicks the link in the email, it takes them to the first-stage website, which then redirects them to a second-stage site that asks for account verification. Finally, the victim is taken to a third-stage site that shows a successful login and then asks for payment verification. Once that is complete, the attacker has the victim's payment information. The developers of Heatstroke have also been found adopting the Phishing-as-a-Service business model, further monetizing their program by selling it to other hackers.
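Two of the traits described above, a malicious URL wrapped inside a legitimate-looking address and a chain of redirects that walks the victim across several stages, are things a mail-security or SOC analyst can check for mechanically. The following Python is an added defensive example, not Trend Micro's code or anything taken from the campaign: it unwraps URLs nested in another URL's query parameters (including double-encoded ones) and flags when the inner host leaves the outer domain, then walks a recorded redirect map (the kind a sandbox detonation would produce) and lists the distinct domains the chain crosses. All domains in the sample data are constructed placeholders (RFC 2606 example domains), and the `base_domain` helper is a deliberate simplification that ignores multi-label suffixes such as co.uk.

```python
"""Flag URLs that wrap a second URL and count the domains a redirect chain crosses.

Added defensive example; not code from the Heatstroke campaign or from Trend Micro.
"""
import re
from urllib.parse import urlparse, parse_qs, unquote

URL_RE = re.compile(r"^https?://", re.IGNORECASE)


def base_domain(host: str) -> str:
    """Crude registrable-domain guess: last two labels (ignores suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def fully_unquote(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding; double encoding is a common way to hide a URL."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def extract_embedded_urls(url: str, depth: int = 0, max_depth: int = 3) -> list:
    """Return every URL nested in `url`'s query values or fragment, recursing into each."""
    if depth > max_depth:
        return []
    parsed = urlparse(url)
    candidates = [v for vals in parse_qs(parsed.query, keep_blank_values=True).values()
                  for v in vals]
    if parsed.fragment:
        candidates.append(parsed.fragment)
    found = []
    for cand in candidates:
        decoded = fully_unquote(cand)
        if URL_RE.match(decoded):
            found.append(decoded)
            found.extend(extract_embedded_urls(decoded, depth + 1, max_depth))
    return found


def analyze_link(url: str) -> dict:
    """Summarize one link: outer host, wrapped URLs, and whether any leave the outer domain."""
    outer = urlparse(url).hostname or ""
    embedded = extract_embedded_urls(url)
    foreign = [u for u in embedded
               if base_domain(urlparse(u).hostname or "") != base_domain(outer)]
    return {"outer_host": outer, "embedded": embedded,
            "foreign": foreign, "suspicious": bool(foreign)}


def follow_chain(start: str, redirects: dict, max_hops: int = 10) -> list:
    """Walk a recorded redirect map (e.g. from a sandbox) without touching the network."""
    chain = [start]
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = redirects[chain[-1]]
        if nxt in chain:  # loop guard
            break
        chain.append(nxt)
    return chain


def distinct_domains(chain: list) -> list:
    """Ordered list of distinct registrable domains visited along the chain."""
    seen = []
    for u in chain:
        d = base_domain(urlparse(u).hostname or "")
        if d not in seen:
            seen.append(d)
    return seen


# Constructed sample: a link on a trusted-looking host that wraps a redirect target.
SAMPLE_LINK = "https://example.com/redirect?url=https%3A%2F%2Fstage1.example.net%2Fgo"

# Constructed redirect map standing in for the 3xx responses a sandbox would record:
# first-stage site -> second-stage "verification" -> third-stage "payment" page.
SAMPLE_REDIRECTS = {
    SAMPLE_LINK: "https://stage1.example.net/go",
    "https://stage1.example.net/go": "https://stage2-verify.example.org/account",
    "https://stage2-verify.example.org/account": "https://stage3-payment.example.org/confirm",
}

if __name__ == "__main__":
    report = analyze_link(SAMPLE_LINK)
    print("wrapped URLs:", report["embedded"], "suspicious:", report["suspicious"])
    chain = follow_chain(SAMPLE_LINK, SAMPLE_REDIRECTS)
    print("hops:", len(chain) - 1, "domains crossed:", distinct_domains(chain))
```

In practice the redirect map would come from a detonation sandbox or proxy logs rather than a hard-coded dict; the point is that a link whose wrapped target lies on a different registrable domain, or a chain that hops across three domains before asking for credentials, is worth quarantining for review even when the first hop is on a reputable host.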
By Anthony Zampino