Group-IB uncovers sophisticated phishing campaign that targets executives worldwide
The Business Standard

Thursday
February 09, 2023

Tech

TBS Report
01 May, 2020, 09:20 pm
Last modified: 01 May, 2020, 09:23 pm

Cybercriminals behind the PerSwaysion campaign gained access to many confidential corporate MS Office365 emails of mainly financial service companies, law firms, and real estate groups

Photo: Kacper Pempel via Reuters

Singapore-based cybersecurity company Group-IB has identified a series of sophisticated successful phishing attacks against the management and executives of more than 150 companies around the world. 

The campaign, dubbed PerSwaysion due to its extensive abuse of Microsoft Sway, has been active since at least mid-2019 and was attributed to Vietnamese-speaking developers and Nigerian operators. 

Microsoft Sway is a presentation program and is part of the Microsoft Office family of products.

Cybercriminals behind the PerSwaysion campaign gained access to many confidential corporate MS Office365 emails of mainly financial service companies, law firms, and real estate groups. 

The PerSwaysion campaign proliferates at an alarming rate by leveraging compromised accounts' email data to select further targets who hold important roles in their companies and share business relations with the victims. 

Group-IB is continuing to work with the relevant parties in local countries to inform the affected companies of the breach. 

Not brute force but only PerSwaysion

PerSwaysion is a highly targeted phishing campaign. One of its defining signatures is that it spreads like wildfire, jumping from one victim to another, while no malware is present on the user's device at any point during the attack. A new round of phishing attempts leveraging the current victim's account usually follows in less than 24 hours. 

The campaign resulted in the compromise of 156 high-ranking officers in global and regional financial hubs such as the US, Canada, Germany, the UK, the Netherlands, Hong Kong, Singapore, and other locations. 

The PerSwaysion campaign primarily focuses on financial services companies (more than 50%), law firms, and real estate companies to conduct a further supply-chain attack against their clients and business contacts. 

Group-IB has already set up a website where everyone can check if their email was compromised by PerSwaysion.

Group-IB's Digital Forensics and Incident Response (DFIR) team was brought in to examine an incident at an Asia-based company, which allowed it to establish that PerSwaysion is a sophisticated three-phase phishing operation that uses special tactics and techniques to avoid detection. 

The threat actors leverage a carefully orchestrated social engineering technique, "persuading" people holding significant corporate positions to open a non-malicious PDF email attachment that arrives from an authentic address already in their contacts.  

The PDF attachment is a well-crafted notification of Office 365 file sharing that mimics the legitimate format. Upon clicking "Read Now", the victim, who in most cases is a high-ranking officer, is taken to a file hosted on MS Sway. 

The attackers pick legitimate cloud-based content sharing services, such as Microsoft Sway, Microsoft SharePoint, and OneNote to avoid traffic detection. 

The page resembles an authentic Microsoft Office 365 file-sharing page. However, it is a specially crafted presentation page that abuses Sway's default borderless view. 

From this page, the targeted individual is redirected to the final destination, the actual phishing site disguised as a 2017 version of the Microsoft Single Sign-On page. 

Here, the victim is assigned a unique serial number by the phishing kit, which serves as a rudimentary fingerprinting technique. Any repeated request to the exact same URL is rejected, which blocks automated threat-detection efforts that re-scan URLs visited by the targets. 

When the high-level employee submits corporate Office 365 credentials, the information is sent to a separate data server along with an extra email address that is hidden on the page. This extra email is used as a real-time notification channel to make sure the attackers react to freshly harvested credentials. 

Gone in 24 Hours

PerSwaysion threat actors conduct follow-up operations with newly collected account credentials of high-ranking officers very quickly. 

Group-IB researchers revealed that the attackers take three main steps to push a new round of phishing against users with whom the victims had recent correspondence, which on average takes less than 24 hours. 

After the credentials are sent to their command-and-control (C&C) servers, the PerSwaysion operators log into the compromised email accounts. They dump email data via API and establish the owner's high-level business connections. 

Finally, they generate new phishing PDF files bearing the current victim's full name, email address, and company legal name. These PDF files are sent to a selection of new people who tend to be outside the victim's organization and hold significant positions. 

The PerSwaysion operators typically delete impersonating emails from the outbox to avoid suspicion. The detailed technical analysis of PerSwaysion operations and attack scheme is available in Group-IB's blog post.

"PerSwaysion threat actors have not demonstrated clear preferences of financial profit-generating models yet," Feixiang He, senior Threat Intelligence analyst at Group-IB said. 

"The attackers hold covert access to many corporate email accounts and large piles of sensitive business email data of high-level management. Hence, it opens up a wide range of possibilities," he added. 

Feixiang further said that the account access could be sold in bulk to other cybercriminals to conduct traditional monetary scams. Sensitive business data extracted from emails, such as non-public financial records, secret trading strategies, and client lists, could be sold to the highest bidder in the underground markets.

Who are "The PerSwayders"? 

The PerSwaysion campaign is a series of Malware-as-a-Service-based operations. Analysis of the campaign's phishing kit revealed that it was primarily developed by highly specialized Vietnamese-speaking threat actors. 

The user-input validation module (VeeValidate) used in the kit's code includes only the Vietnamese locale, although the library supports 48 languages. 

Further research determined that the developer groups do not run phishing campaigns themselves. Instead, the developers likely sold their phishing kit and PDF generator to various cybercriminals for direct profit. 

Group-IB Threat Intelligence has tracked down several loosely connected sub-groups of threat actors carrying out phishing attacks independently. They control a total of 27 email addresses used to collect stolen email account credentials and to receive notifications. 

These addresses were embedded in variants of the PerSwaysion phishing kits. Some of them were also used to register LinkedIn accounts for gathering potential victim profiles. Such data helps PerSwaysion attackers pick people holding significant corporate positions.

Further investigation shows that one of PerSwaysion's earliest operation teams is a group of threat actors who operate in Nigeria and South Africa. 

The group is allegedly led by a Nigerian who goes by the nickname Sam. This group has been conducting various activities ranging from online shopping scams to phishing attacks since 2017. 

The vast differences in geo-locations and cultures between phishing kit developers and campaign operators indicate great specialization among cybercriminals.

"PerSwaysion campaign is a living example of highly specialized phishing threat actors working together to conduct effective attacks on high-ranking officers at large scale," according to Feixiang He. 

"They adopt multiple tactics and techniques to avoid traffic detection and automated threat intelligence gatherings, such as the use of file-sharing services and web application hosting from reputable vendors," he added. 

"The campaign pursues non-trivial counterintelligence methods, for example, randomizing malicious JS file names and fingerprinting victim browsers and rejecting repeated visits," he further said. 

Feixiang He thinks that such measures taken by cybercriminals seeking to garner sensitive corporate information require a non-standard approach to their detection and response.

Cloud-based corporate services, such as MS Sway, introduce new challenges to traditional cyber risk management frameworks. A proper cloud migration plan should consider changes in early prevention, anomaly detection, and incident response. 

When adopting cloud-based corporate services, it is crucial to enforce two-factor authentication (2FA) to mitigate the risk of login credential theft. 

Furthermore, when planning cloud-based service architectures, corporate system administrators need to evaluate the various logging options offered by cloud service providers and integrate activity log data into existing risk detection flows.
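The recommendation above to feed cloud activity logs into existing detection flows, together with the post-compromise sequence described under "Gone in 24 Hours" (sign-in with stolen credentials, bulk mailbox dump via API, outbound PDF lures to external contacts, deletion of the sent messages), lends itself to a simple correlation rule. The script below is an added example and is not Group-IB's code nor any vendor's product; the event schema, field names, thresholds and sample events are all constructed for illustration and do not match any real provider's audit-log format.

```python
"""Correlate mailbox activity events into the PerSwaysion-style follow-up pattern.

Assumed, simplified event schema (constructed for this example):
    (iso_timestamp, user, operation, details_dict)
Operations used: UserLoggedIn, MailItemsAccessed, Send, HardDelete.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.com"          # assumed: the monitored tenant's domain
WINDOW = timedelta(hours=24)             # the article's observed follow-up window
MIN_API_READS = 100                      # assumed threshold for a "bulk" mailbox dump
MIN_EXTERNAL_PDF_RECIPIENTS = 5          # assumed threshold for lure fan-out
MIN_STAGES = 3                           # require several stages to limit noise

# Constructed sample events: one compromised executive, one traveller with a
# new-but-benign sign-in, and one ordinary analyst.
SAMPLE_EVENTS = [
    ("2020-04-01T08:05:00", "cfo@example.com", "UserLoggedIn", {"ip": "203.0.113.7", "known_ip": False}),
    ("2020-04-01T08:20:00", "cfo@example.com", "MailItemsAccessed", {"client": "API", "count": 450}),
    ("2020-04-01T10:00:00", "cfo@example.com", "Send", {"attachments": ["Shared_Document.pdf"],
        "recipients": ["ceo@partner-one.example", "md@partner-two.example"]}),
    ("2020-04-01T10:05:00", "cfo@example.com", "Send", {"attachments": ["Shared_Document.pdf"],
        "recipients": ["cfo@partner-three.example", "partner@lawfirm.example"]}),
    ("2020-04-01T10:10:00", "cfo@example.com", "Send", {"attachments": ["Shared_Document.pdf"],
        "recipients": ["director@realty.example", "chair@fund.example"]}),
    ("2020-04-01T19:00:00", "cfo@example.com", "HardDelete", {"folder": "SentItems", "count": 3}),
    ("2020-04-01T09:00:00", "traveller@example.com", "UserLoggedIn", {"ip": "198.51.100.9", "known_ip": False}),
    ("2020-04-01T09:30:00", "traveller@example.com", "Send", {"attachments": ["itinerary.pdf"],
        "recipients": ["assistant@example.com"]}),
    ("2020-04-01T09:10:00", "analyst@example.com", "UserLoggedIn", {"ip": "192.0.2.4", "known_ip": True}),
    ("2020-04-01T09:15:00", "analyst@example.com", "MailItemsAccessed", {"client": "Outlook", "count": 20}),
]


def is_internal(addr):
    """True when the recipient belongs to the monitored tenant (assumed domain)."""
    return addr.rsplit("@", 1)[-1].lower() == INTERNAL_DOMAIN


def stages_for_user(events):
    """Return the set of attack stages seen for one user's events.

    The clock starts at the first sign-in from an unfamiliar IP; every other
    stage must fall inside WINDOW of that sign-in to count.
    """
    events = sorted(events, key=lambda e: e[0])
    logins = [e for e in events if e[2] == "UserLoggedIn" and not e[3].get("known_ip", True)]
    if not logins:
        return set()
    start = logins[0][0]
    window = [e for e in events if start <= e[0] <= start + WINDOW]
    stages = {"unfamiliar_signin"}

    # Stage 2: bulk mailbox read through an API client (the "dump email data via API" step)
    if any(e[2] == "MailItemsAccessed" and e[3].get("client") == "API"
           and e[3].get("count", 0) >= MIN_API_READS for e in window):
        stages.add("bulk_api_mailbox_read")

    # Stage 3: PDF attachments fanned out to many distinct external recipients
    external = set()
    for e in window:
        if e[2] == "Send" and any(a.lower().endswith(".pdf") for a in e[3].get("attachments", [])):
            external.update(r for r in e[3].get("recipients", []) if not is_internal(r))
    if len(external) >= MIN_EXTERNAL_PDF_RECIPIENTS:
        stages.add("external_pdf_fanout")

    # Stage 4: sent lures removed to avoid the owner's suspicion
    if any(e[2] == "HardDelete" and e[3].get("folder") == "SentItems" for e in window):
        stages.add("sent_items_cleanup")
    return stages


def detect(events):
    """Map each user showing at least MIN_STAGES stages to the sorted stage list."""
    by_user = defaultdict(list)
    for ts, user, op, details in events:
        by_user[user].append((datetime.fromisoformat(ts), user, op, details))
    findings = {}
    for user, evs in by_user.items():
        stages = stages_for_user(evs)
        if len(stages) >= MIN_STAGES:
            findings[user] = sorted(stages)
    return findings


if __name__ == "__main__":
    for user, stages in detect(SAMPLE_EVENTS).items():
        print(f"{user}: {', '.join(stages)}")
```

Requiring several stages inside one window is what keeps the rule usable: an executive signing in from a hotel, or sending one PDF to a counterparty, trips a single stage and stays silent, while the full sequence the article describes is flagged even though no malware ever touched an endpoint. The thresholds are starting points to be tuned against a tenant's own baseline.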

Group-IB is a Singapore-based provider of solutions aimed at detection and prevention of cyberattacks, online fraud, IP protection and high-profile cyber investigations.
