Research by Flare shows how attackers are using container platforms to run fake login pages on a large scale and set up advanced phishing attacks.
Phishing is evolving from loose, quickly set up websites to professionally managed platforms that run on modern cloud technology. That is the conclusion of a report by the Canadian company Flare. Flare is a cybersecurity company that helps organizations detect external threats and exposures.
More than stealing a password
For a long time, phishing revolved around one goal: convincing someone to enter a password on a fake page. In the report, Flare describes how this approach is shifting to systems that not only try to capture passwords but, above all, aim to hijack active login sessions. In other words, even those who use extra security can still fall victim when attackers manage to take over the current session.
To support this approach, Flare sees phishing infrastructure becoming cloud native, because attackers are looking for the same benefits as legitimate IT teams: speed, scalability and repeatability.
Moreover, the complexity behind the infrastructure is hidden from criminal end users. They can consume phishing services ‘as-a-Service’. This is not a new evolution in itself: the threat landscape has been evolving towards business models that reflect the legitimate world for some time.
From forum to Kubernetes cluster
Flare started its research from advertisements on a Russian-language forum where ready-made phishing services are offered. From there, the researchers followed traces to infrastructure that feels less like a collection of individual servers and more like a centrally deployed platform that can be managed on a large scale.
In their report, the researchers refer to a large campaign involving fake Microsoft 365 logins. Flare identifies more than a hundred systems that are very similar and show traces of a modern setup with containers and management software that is typical of cloud environments. This approach makes it easy to quickly launch new copies of the same phishing environment and move them just as quickly when a part is discovered. In this way, Kubernetes technology supports advanced Phishing-as-a-Service.
Better hidden
In addition, the phishing pages are designed to evade checks: on a first visit, the page sometimes remains empty, and the fake login only appears later. Flare also sees the same digital “signatures” recurring across many systems, indicating the reuse of fixed templates.
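As an added illustration (not code from Flare's report), the sketch below shows how a defender might group scanned hosts by recurring fingerprints so that pages which stay blank on a first visit still land in the same cluster. The field names, the choice of favicon hash and response header names as the "signature", and all sample values are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed observations from a hypothetical scanner. Every value is made up
# for this example; none of it comes from the Flare report.
TEMPLATE_HEADERS = ("date", "content-type", "x-request-id")
OBSERVATIONS = [
    {"host": "192.0.2.10", "body_hash": "empty", "favicon_hash": "f-aa11", "header_names": TEMPLATE_HEADERS},
    {"host": "192.0.2.11", "body_hash": "login-v3", "favicon_hash": "f-aa11", "header_names": TEMPLATE_HEADERS},
    {"host": "192.0.2.12", "body_hash": "empty", "favicon_hash": "f-aa11", "header_names": TEMPLATE_HEADERS},
    {"host": "192.0.2.13", "body_hash": "login-v3", "favicon_hash": "f-aa11", "header_names": TEMPLATE_HEADERS},
    {"host": "203.0.113.7", "body_hash": "blog", "favicon_hash": "f-zz99", "header_names": ("date", "server", "content-type")},
]

# Assumption: these features do not change with whether the login form rendered.
STABLE_FIELDS = ("favicon_hash", "header_names")


def cluster_hosts(observations, fields, min_hosts=3):
    """Group hosts by the chosen fingerprint fields.

    Returns {fingerprint: sorted hosts} for groups with at least min_hosts
    distinct hosts, which is the signal of a reused template.
    """
    groups = defaultdict(set)
    for obs in observations:
        key = tuple(obs.get(field) for field in fields)
        if any(value is None for value in key):
            continue  # incomplete record: missing data must not create a match
        groups[key].add(obs["host"])
    return {key: sorted(hosts) for key, hosts in groups.items() if len(hosts) >= min_hosts}


def compare(observations, min_hosts=3):
    """Contrast body-only clustering with clustering on the stable fields."""
    return {
        "body_only": cluster_hosts(observations, ("body_hash",), min_hosts),
        "stable": cluster_hosts(observations, STABLE_FIELDS, min_hosts),
    }


if __name__ == "__main__":
    for name, clusters in compare(OBSERVATIONS).items():
        print(name, clusters)
```

Clustering on the rendered body alone splits the template hosts into "blank" and "login" groups that each fall below the threshold, while the stable fields keep all four together.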
With the research, Flare mainly wants to demonstrate that phishing infrastructure is co-evolving. As security improves, including through MFA, attackers must develop other complex attack techniques. They also make use of the possibilities of modern infrastructure.
