Gravatar-hosted Xfinity Credential Harvesting Page | Source: SlashNext
A recent report by Stephen Kowski, Field CTO at SlashNext, highlights a concerning trend in credential harvesting: attackers are moving beyond well-known platforms like DocuSign and Microsoft to target a wider array of cloud applications. This includes services like Gravatar, ProtonMail, and even telecommunication companies like AT&T and Comcast Xfinity.
Credential harvesting, once associated with major platforms like DocuSign and Microsoft, has evolved to target lesser-known but widely trusted services like Gravatar. According to the report, attackers now exploit Gravatar’s “Profiles as a Service” feature to create fake profiles that impersonate legitimate services, tricking users into revealing their login credentials.
Kowski explains: “By exploiting Gravatar’s ‘Profiles as a Service,’ attackers create convincing fake profiles that mimic legitimate services, tricking users into divulging their credentials.”
These tactics make Gravatar an attractive target for attackers, as it is often unblocked by security measures and remains under the radar in most environments.
The report also highlights how attackers are leveraging telecom giants like AT&T, Comcast Xfinity, and regional Canadian ISPs such as Kojeko and Eastlink. These companies are prime targets because of the trust they command and the vast user data they manage. By compromising ISP cloud profiles, attackers can access sensitive information, potentially leading to larger-scale breaches.
“Telecom services are the backbone of our digital communication, and their compromise can have far-reaching consequences for users,” the report states. Fake login pages hosted on platforms like Gravatar have been found mimicking AT&T and Xfinity portals, luring victims into revealing their credentials.
The report outlines the step-by-step process attackers use to harvest credentials:
- Initial Contact: Victims receive phishing emails that appear to come from trusted brands like ProtonMail or AT&T.
- Deceptive Links: These emails direct users to fake credential-harvesting pages.
- Impersonation: Attackers create highly convincing fake profiles that mimic legitimate services.
- Data Theft: Once victims enter their login information, attackers gain unauthorized access to their accounts.
Attackers increasingly use cloud apps because of their widespread adoption and the inherent trust users place in them. The report explains, “Services like Gravatar are not often known or blocked in most environments and won’t set off any alarm bells, making them attractive targets.”
Additionally, attackers customize their phishing schemes to closely resemble legitimate services, increasing the likelihood of success. As the report highlights: “What sets modern credential harvesting apart is using unique, customized impersonations […] Whether a ProtonMail interface or a telecom login page like AT&T’s, these impersonations are designed to be as convincing as possible.”
The report emphasizes the importance of vigilance and proactive security measures. Here are some key takeaways:
- Verify URLs: Always double-check the URL of any page requesting login credentials.
- Be Cautious with Emails: Scrutinize unexpected emails asking for personal information.
- Strong Passwords and 2FA: Use strong, unique passwords and enable two-factor authentication wherever possible.
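The first takeaway, verifying the URL of any page that asks for credentials, is easy to state but is where the Gravatar and lookalike-domain cases described above slip through. The script below is an added example, not code from the SlashNext report: it triages a list of links the way a mail-gateway or SOC analyst might, flagging pages that name a telecom or mail brand but sit on a registrable domain the brand does not own, and pages that carry login or brand content on a public profile-hosting service such as gravatar.com. The brand-to-domain table, the profile-host list and the sample URLs are all constructed for illustration and should be replaced with your own vetted allow-lists.

```python
"""Defender-side URL triage for brand-impersonation login pages.

Added example (not from the SlashNext report). Flags links that mention a
telecom or mail brand but resolve to a host the brand does not own, including
lookalike subdomains and profile-hosting services such as gravatar.com.
The brand table, profile-host set and sample URLs are constructed.
"""
import re
from urllib.parse import urlparse

# Assumed mapping of brand keywords to the registrable domains that brand
# legitimately uses for sign-in. Extend this from your own allow-list.
BRAND_DOMAINS = {
    "att": {"att.com"},
    "xfinity": {"xfinity.com", "comcast.com"},
    "protonmail": {"proton.me", "protonmail.com"},
}

# Hosts on which anyone can publish a profile page; a "login" page here is suspect.
PROFILE_HOSTS = {"gravatar.com"}

LOGIN_HINTS = ("login", "signin", "sign-in", "account", "verify", "password")


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (e.g. 'evil.example').

    This simple rule is wrong for multi-part suffixes such as co.uk; a
    production check should consult the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_url(url: str) -> dict:
    """Classify one URL; returns {'url', 'verdict', 'reason'}."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if not host:
        return {"url": url, "verdict": "invalid", "reason": "no hostname"}

    domain = registrable_domain(host)
    text = (host + parts.path + "?" + parts.query).lower()

    # Brand names appearing as whole words anywhere in host, path or query.
    brands = [b for b in BRAND_DOMAINS if re.search(rf"\b{b}\b", text)]
    looks_like_login = any(h in text for h in LOGIN_HINTS)

    if domain in PROFILE_HOSTS and (brands or looks_like_login):
        return {"url": url, "verdict": "suspicious",
                "reason": f"login/brand content hosted on profile service {domain}"}
    for b in brands:
        if domain in BRAND_DOMAINS[b]:
            return {"url": url, "verdict": "ok",
                    "reason": f"{b} on its own domain {domain}"}
        return {"url": url, "verdict": "suspicious",
                "reason": f"mentions {b} but registrable domain is {domain}"}
    return {"url": url, "verdict": "unknown", "reason": "no brand or login hint"}


# Constructed sample links, as they might be pulled from a mail-gateway log.
SAMPLE_URLS = [
    "https://login.xfinity.com/login",
    "https://xfinity.com.account-check.example/login",
    "https://gravatar.com/att-secure-login",
    "https://www.example.org/news",
]


def run_triage(urls=SAMPLE_URLS) -> list:
    """Triage every URL in the list and return the verdicts in order."""
    return [triage_url(u) for u in urls]


if __name__ == "__main__":
    for r in run_triage():
        print(f"{r['verdict']:<10} {r['url']}  ({r['reason']})")
```

The second sample shows why "look at the URL" needs to mean the registrable domain rather than the first label: `xfinity.com.account-check.example` begins with the real brand domain but is owned by whoever registered `account-check.example`. The third sample is the pattern the report describes, brand and login wording on a profile-hosting domain, which no allow-list of brand domains would catch unless the profile host itself is treated as suspect.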