“The Com” Phishing Attacks Escalate, Targeting Businesses with Fake Login Pages

A new report from Intel 471 highlights a disturbing increase in targeted phishing attacks launched by a loosely affiliated group of cybercriminals known as “The Com” which is short for “The Community.” These persistent attacks focus on stealing login credentials for sensitive systems like HR portals, cloud resources, and single sign-on solutions, potentially opening the door for ransomware attacks and data theft within targeted businesses.

The Threat Explained

Intel 471’s findings reveal a significant surge in smishing attacks aimed at obtaining login credentials for identity and access management (IAM), cloud resources, and single sign-on (SSO)-enabled systems. Such breaches could grant attackers expansive access to organizational resources, potentiate data theft, and even pave the way for ransomware attacks.

These cybercriminals craftily mimic legitimate domains, such as a company’s HR system, to execute their attacks, demonstrating a sophisticated understanding of social engineering tactics. Their methodologies are not only persistent but are also constantly evolving, testing, and challenging security controls with relentless fervor.

How the Attacks Work

From the onset of 2024 to mid-February, Intel 471 identified 35 new phishing sites linked to these nefarious activities. A notable aspect of these sites is their use of unique identifiers within their resources, allowing the identification of additional web pages operating under the same phishing kit. One striking example is the integration of resources directly from the Okta IAM provider’s website, including specific JavaScript files designed to mimic legitimate sign-in widgets.

Moreover, the phishing pages are meticulously crafted to replicate the original login forms of the targeted companies, further indicating the attackers’ detailed preparatory work. Following the submission of login details, victims are directed to enter their Okta verification codes on a deceitfully designed page, aiming to harvest MFA codes.

  1. Fake HR Portals: Attackers create phishing domains and login pages closely resembling those used by legitimate HR systems, often specifically mimicking Okta authentication pages.
  2. SMS Lure: Victims receive text messages with links to these fake login pages, frequently timed after work hours on Thursdays and Fridays, to exploit busy times in a work week.
  3. MFA Bypass: After stealing usernames and passwords, the attackers may even request MFA codes to bypass security measures.
  4. Access and Exploitation: Once inside, attackers gain a foothold within the organization, potentially leading to data theft or ransomware deployment.

Victimology and Campaign Strategy

The campaigns, predominantly leveraging HR-related themes, are timed strategically on Thursdays and Fridays after working hours when employees are possibly less vigilant. This timing, coupled with the thematic focus, suggests a calculated approach to maximize the likelihood of engagement with the phishing messages.

The telecommunications sector emerged as the primary target, followed by technology, insurance, IT consulting, and retail industries, underlining the attackers’ preference for high-value, broad-impact sectors.

The Broader Cyber Threat Landscape

Intel 471’s assessment ties these recent campaigns to operations linked with other known intrusion clusters such as Scattered Spider, UNC3944, Octo Tempest, and Muddled Libra, illustrating a complex web of cybercriminal activities with shared techniques and tools.

Despite the cyber threat intelligence (CTI) community’s focus on these threat actors, little change in their tactics, techniques, and procedures (TTPs) has been observed. This stubborn persistence suggests that existing mitigations have had limited success in thwarting these attacks, reaffirming the notion that human elements remain the most vulnerable link in cybersecurity defenses.

Security Recommendations

Businesses can mitigate these risks by:

  • Multi-Layered Security: Implement robust email filtering, web security gateways, and endpoint protection solutions.
  • Ongoing Training: Educate employees on identifying phishing attempts, recognizing suspicious URLs, and the importance of reporting potential attacks promptly.
  • MFA Best Practices: Enforce strong multi-factor authentication and explore advanced options like hardware security keys.
  • Zero-Trust Approach: Assume no user or device is inherently trusted and continuously verify access permissions.