Microsoft recently reported on the existence of an unusual phishing campaign designed primarily to harvest the passwords of unsuspecting victims.
One of the things that make the campaign so unusual is the fact that it appears to be built by using bits of code copied and pasted from the work of other hackers. Call it a “FrankenPhishing Campaign” if you will.
Microsoft borrowed from the story of The Island of Doctor Moreau and has dubbed this campaign “TodayZoo”. While it may be crude and cobbled together from the work of other it has been both large and successful enough to gain attention.
The campaign does a surprisingly admirable job of impersonating Microsoft’s own brand. The campaign makes use of a technique called “zero point obfuscation” which makes use of HTML text written in a font size of zero designed to evade human detection.
This tool is a simple and almost crude plan and yet it has proved to be surprisingly successful. Users get an email that appears to be from Microsoft. The body of the email indicates that the user’s Microsoft 365 account has been compromised and the user’s password must be reset.
The email contains a link but of course, the link only points to a dummy version of the password reset page. The moment the user enters his or her login credentials all they’re doing is handing them over to the people who orchestrated the phishing campaign.
Note that most phishing campaigns that work this way collect the login credentials on one site and then forward them to some other. In this case, the people behind the campaign are simply storing the credentials on the site that collects them.
All of this points to a group of enthusiastic amateurs. It’s an audacious campaign and they will undoubtedly learn from it and improve. Odds are excellent that this is not the last we’ve heard from this group.