
Microsoft warns of a massive phishing operation

The figures speak for themselves: the more technology is used, the more phishing there is. In 2021, phishing attacks worldwide increased by 29% and reached a record 873.9 million, according to a report from the Zscaler cloud platform.

Against this backdrop, Microsoft has disclosed what is currently one of the most ambitious phishing operations of recent years: a campaign that has been active since September 2021, almost a year at this point. It is an Adversary-in-the-Middle (AitM) campaign and, according to the tech giant's research, it has targeted more than 10,000 organizations.

How is it carried out? An AitM attack (short for Adversary in the Middle) places a proxy server between the victim and the website the victim wants to visit. The proxy relays the HTTP requests and responses between the two, so the victim sees the genuine login page, served through the attacker's infrastructure. This means cybercriminals no longer need to build the look-alike fake websites used in traditional phishing campaigns.

Because every request and response passes through the proxy, the attackers capture the password as the user authenticates, and also the session cookie that the website sets once the login completes. By loading that stolen cookie into their own browser, the attackers can replay the authenticated session and skip the login process entirely. The attack works even when multifactor authentication is enabled, because the cookie is issued only after the second factor has been satisfied; the attacker never has to provide it again.

How did the attack reach its targets? Employees received emails telling them they had a voicemail waiting. The messages carried an HTML attachment disguised as an MP3 audio file. The attackers also took steps to evade anti-phishing tools so that the malicious URLs would not be flagged.

Once the attackers held the passwords and session cookies, the rest was straightforward: they used the access to commit payment fraud, tricking victims into transferring funds to accounts under the attackers' control.

Microsoft has been notifying affected organizations, and it adds a warning: AitM attacks are becoming more frequent. To protect themselves, companies should raise their security posture accordingly, in particular by moving to phishing-resistant MFA (FIDO2 security keys or certificate-based authentication, which are bound to the genuine site's origin and cannot be relayed by a proxy), and should be wary of email attachments that pose as MP3 audio files.

It is worth remembering that one of the most virulent earlier abuses of MP3 attachments occurred in 2007. Reported by the company BitDefender, it used MP3-encoded recordings of a synthesized voice promoting investments. The attached files carried names such as "gloria estefan" or "say your name", presumably to entice users into opening them. Once the MP3 was played, the fraud had already done its work.
