A newly discovered phishing scam called TodayZoo sends out URLs to spoofed Microsoft 365 login pages.
The Phishing Scam Uses A Copycat Phishing Kit
A phishing kit refers to a wide array of software or services meant to facilitate phishing attacks. Microsoft has named this particular operation ‘TodayZoo’ after some text used by the kit. The tech giant referred to the scam as a ‘Franken-Phish’ because it is made up of different elements, some of them available for purchase through publicly accessible hack vendors or reused and repackaged by other kit vendors.
“We named the kit “TodayZoo” because of its curious use of these words in its credential harvesting component in earlier campaigns, likely a reference to phishing pages that spoofed a popular video-conferencing application. Our prior research on phishing kits told us TodayZoo contained large pieces of code copied from widely circulated ones. The copied code segments even have the comment markers, dead links, and other holdovers from the previous kits“, Microsoft explained.
Microsoft said that the operation is using the WorkMail domain AwsApps[.]com to send out emails with links to malicious pages impersonating the Microsoft 365 login page.
“The use of the TodayZoo phishing kit was initially seen in December 2020. Then, in March 2021, we observed a series of phishing campaigns abuse the AwsApps[.]com domain to send the email messages that eventually directed users to the final landing pages, leading us to examine the kit more closely. As of this writing, we have already notified Amazon about the abovementioned abuse in their domain, and they promptly took action”.
Microsoft revealed that the hackers created malicious AWS WorkMail accounts “at scale” but are using randomly generated domain names instead of ones that would suggest a genuine organization. Put differently, this phish is on a budget, but significant enough to be noticed.
“The attackers created malicious accounts at scale. Initially, the sender emails appeared with randomly generated domain names such as wederfs76y3uwedi3uy89ewdu23ye87293eqwhduayqw[.]awsapps[.]com. This contrasts legitimate emails—and even some spoofed phishing ones—where the subdomain would represent a company hostname,” the report says.
The Zero-Point Font Obfuscation Technique
TodayZoo caught Microsoft’s eye because it impersonated the brand using a technique called “zero-point font obfuscation” – an email containing HTML text with a zero font size – to avoid human detection. Microsoft spotted a spike in zero-font attacks in July.
Throughout the spring, TodayZoo scams impersonated Microsoft 365 login pages and a password reset request. However, Microsoft discovered that campaigns in August used Xerox-branded fax and scanner notifications to trick employees into handing over their credentials.
“The social engineering lures in the message body repeatedly changed over the months. Campaigns in April and May used password reset, while more the recent campaigns in August were leveraging fax and scanner notifications”, according to Microsoft researchers.
Microsoft experts think that this cybercriminal gang is a single operation rather than a network of hackers.
“While many phishing kits are attributed to a wide variety of email campaign patterns and, conversely, many email campaign patterns are associated with many phishing kits, TodayZoo-based pages exclusively utilized the same email campaign patterns, and any of those subsequent email campaigns only surfaced TodayZoo kits. These lead us to believe that the actors behind this specific TodayZoo implementation are operating on their own,” Microsoft said.
Microsoft reported that it had informed Amazon about the phishing campaign and that AWS “promptly took action”.