
How a SOC Handles Credential Harvesting


By Nick Sandin, Security Analyst and contributing author Brandon Doty, SOC Manager

Dealing with credential harvesters has its perks. Day in and day out I get to personally observe how sophisticated a phishing website can be.

Some websites are so elaborate that only a trained analyst can identify them, while others are so obvious that no one in their right mind would fall for them. Either way, if it looks suspicious, just follow the "POST".

The "POST" method is one of the several request methods HTTP defines for sending data. A "POST" request submits data to the web server and is typically used to change state on the server. This is the method most websites use when you log in to your account.

Knowing this, and using the "Network" tab in your browser's developer tools, you can see where that "POST" request is being sent, or more likely, which credential harvester you are handing your username and password to.

Recently, Datashield's ASOC investigated credential harvester infrastructure set up by a malicious actor who forgot to apply ACLs (Access Control Lists) on their web server. Because they neglected to implement this important security control, we were able to navigate backwards through the web server's directories and discover a text file containing a large repository of submitted credentials.
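"Follow the POST" can also be done offline from a saved copy of the phishing page. The following is an added example (not code from the Datashield write-up) that lists every form in a page, resolves its action URL, and flags forms that POST to a host other than the page's own; the sample HTML and the domain names are constructed from the sanitized values in this article.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: a look-alike login form that posts to a
# different domain, mirroring the bridge.php pattern in the write-up.
# The GET search form and the same-origin POST form are there to show
# what should NOT be flagged.
SAMPLE_PAGE = """
<html><body>
<form method="post" action="https://credential.dumping.com/page/bridge.php">
  <input name="email"><input name="password" type="password">
</form>
<form action="/search"><input name="q"></form>
<form method="POST"><input name="token"></form>
</body></html>
"""


class FormCollector(HTMLParser):
    """Collect (method, action) for every <form> tag in the document."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":  # HTMLParser lowercases tag names
            a = dict(attrs)
            # HTML defaults: method is GET; a missing or empty action
            # submits back to the page's own URL.
            method = (a.get("method") or "get").lower()
            self.forms.append((method, a.get("action") or ""))


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def cross_domain_posts(page_url, html):
    """Return absolute targets of forms that POST to a host other than page_url's host."""
    collector = FormCollector()
    collector.feed(html)
    page_host = host_of(page_url)
    hits = []
    for method, action in collector.forms:
        target = urljoin(page_url, action)  # resolve relative actions
        if method == "post" and host_of(target) != page_host:
            hits.append(target)
    return hits
```

A harvester may also submit credentials from JavaScript rather than a form, which is why the live Network tab remains the authoritative check.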

** All data shown below has been sanitized. See the end of the article for a full list of all artifacts that have been changed.


Identification Phase

The reported email:

While reviewing the email, it was identified that the sender (chuck.mallory[@]gmail[.]com) tried to convince the recipient (alice.faythe[@]outlook[.]com) that they missed a phone call and a voicemail is ready for them to listen to if they click on an embedded link.

Embedded link: hXXps://sub-domain[.]badguydomain[.]com/page/index[.]html#alice[.]faythe[@]outlook[.]com

The initial email received:

Accessing the phishing site

Once we clicked on the link in our sandbox environment, our browser opened a credential phishing website masquerading as an Outlook login page. Looking at the URL in the address bar, we could see that it was not a domain associated with Microsoft. Knowing this, we opened Mozilla's developer tools by pressing the F12 key and selected the Network tab. Instead of using the recipient's email (which can be seen in the URL), I entered an email address with no association to the recipient's address along with a fake password. After selecting "sign in", the browser sent multiple GET requests to badguydomain[.]com. However, there was one POST request sent to a different domain, credential[.]dumping[.]com.

Accessing the credential dumping site

Having observed this HTTP request, we decided to go directly to the page hXXps://credential[.]dumping[.]com/page/bridge[.]php

The page was blank, with no information. I then decided to work backwards through the web server's directories to identify which shares were left open for external users to view. Fortunately, the threat actor had failed to restrict which shares and files the public could access.

The list of submitted credentials

After clicking on "express.txt", I could see all the credentials that had been captured. This allowed me to identify and notify our customers, and some non-customers, of the compromised email accounts.

This also allowed us to investigate further and determine which clients had made POST requests to credential[.]dumping[.]com. We then took the appropriate containment and eradication steps: having the affected accounts' passwords changed, blocking both the credential harvester and the credential dumping site, and finally removing the email from all mailboxes.

List of affected email accounts. All told, more than 400 accounts were in this list.
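The scoping step above, finding which clients sent a POST to the dumping domain, is a log search. This added example (not Datashield's tooling) runs that search over a few constructed proxy log lines in a simple key=value layout that is not any real product's format; the domains are the sanitized ones from this article, and subdomains of a listed host are matched as well.

```python
import re
from collections import defaultdict

# Constructed proxy log lines: timestamp, source IP, authenticated user,
# method, host, path, status. The format is invented for this example.
SAMPLE_LOG = """\
2020-10-05T14:02:11Z src=10.0.0.12 user=alice.faythe method=GET host=sub-domain.badguydomain.com path=/page/index.html status=200
2020-10-05T14:02:40Z src=10.0.0.12 user=alice.faythe method=POST host=credential.dumping.com path=/page/bridge.php status=200
2020-10-05T14:05:03Z src=10.0.0.31 user=bob.kim method=POST host=login.microsoftonline.com path=/common/oauth2/token status=200
2020-10-05T14:09:57Z src=10.0.0.44 user=carol.ng method=POST host=credential.dumping.com path=/page/bridge.php status=200
2020-10-05T14:10:02Z src=10.0.0.44 user=carol.ng method=GET host=credential.dumping.com path=/page/express.txt status=403
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) method=(?P<method>\S+) "
    r"host=(?P<host>\S+) path=(?P<path>\S+) status=(?P<status>\d+)$"
)


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def host_matches(host, bad_hosts):
    host = host.lower()
    return any(host == b or host.endswith("." + b) for b in bad_hosts)


def clients_posting_to(log_text, bad_hosts):
    """Map each user who POSTed to a harvesting host -> list of (ts, src, host, path).

    Only POSTs count: a GET to the harvester host means the user saw the
    lure, but only a POST means credentials were actually submitted.
    """
    bad = {h.lower() for h in bad_hosts}
    hits = defaultdict(list)
    for r in parse(log_text):
        if r["method"] == "POST" and host_matches(r["host"], bad):
            hits[r["user"]].append((r["ts"], r["src"], r["host"], r["path"]))
    return dict(hits)
```

The resulting user list is the input to the containment steps described above: password resets for those accounts and a block on both domains.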

Lessons Learned

This is just one of many standard investigation procedures we follow at Datashield. We pride ourselves not only on identifying threat vectors but on investigating thoroughly to discover any and all resources a threat actor may use against a victim. Occasionally, as seen above, this can lead to interesting discoveries and meaningful insights.

**Please see the list of edited items below:

- Sender's email address
- Recipient's email address
- Details in the email
- Credential harvesting domain
- Submitted credentials domain
- List of affected email accounts, passwords, locations, and IPs

Nick Sandin

Nick is a Senior Security Analyst at Datashield with over a 10-year background in cybersecurity. He has a BS in Cybersecurity and Information Assurance and contributes thought leadership and technical write-ups to the Datashield Resource Library.
