A group of attackers has compromised accounts on the SendGrid email delivery platform and is using them to launch phishing attacks against other SendGrid customers. This campaign may be an attempt to harvest credentials for popular mass email services that could help the attackers evade spam filters in other attacks.
“Observed campaigns may include claims that the victim's account has been suspended while their sending activity is reviewed, claims that the victim's account has been marked for deletion due to recent payment failures, or other SendGrid-themed lures. A variety of complex lures are used in conjunction with features that mask the act of sending and the actual destination of the malicious link,” researchers at threat intelligence firm Netcraft said in a new report.
SendGrid is a cloud-based email delivery platform owned by Twilio. It helps businesses run email marketing campaigns at scale with high deliverability and analytics. The company claims to have over 80,000 customers, including popular brands such as Uber, Spotify, Airbnb, and Yelp. “Even legitimate companies can have trouble successfully delivering emails to users' inboxes, so it's easy to see why using SendGrid for phishing operations is attractive to criminals,” the Netcraft researchers said.
Phishing links hidden by click tracking
Phishing emails purporting to be SendGrid notifications were sent through SendGrid's own SMTP servers, but the address in the From field was not at sendgrid.com but at another domain. This is because the attackers sent from domain names that the compromised SendGrid customers had configured to send email through the platform for their own campaigns.
Netcraft observed at least nine such domains belonging to companies in a variety of industries, including cloud hosting, energy, healthcare, education, real estate, human resources recruitment, and publishing. Because these domains were already configured to use SendGrid for email delivery, they had the correct DNS records in place, so the phishing emails passed all the usual anti-spoofing checks such as DKIM and SPF. In other words, the messages were not spoofed at all: they came from an authorized sending platform on behalf of a domain that had authorized it, which is exactly what those checks are designed to confirm. “The use of compromised SendGrid accounts explains why SendGrid is a target of phishing campaigns. Criminals use compromised accounts to compromise further SendGrid accounts in a cycle, providing a stable supply of new SendGrid accounts,” Netcraft researchers said.
Other than a suspicious address in the From field, there is little that makes the fraudulent email look inauthentic to the recipient. The links behind the buttons in the email are masked using SendGrid's click tracking feature: the URL points to a script hosted on sendgrid.net that redirects to a phishing page set up by the attacker. Because the phishing page URL is passed to the SendGrid script as an encoded parameter, it is not visible in clear text when the user hovers over the button.
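Since SPF, DKIM and DMARC all pass on these messages, a mail filter cannot rely on authentication results alone. The triage below is an added example (not SendGrid's or Netcraft's code) that encodes the two observable tells the article describes: a message whose text talks about the recipient's SendGrid account but whose From domain is a customer's rather than SendGrid's, and whose links are routed through the platform's click tracker. The set of domains treated as SendGrid's own, the click-tracking host suffix, and both sample messages are assumptions constructed for illustration.

```python
"""Triage an inbound notification that claims to come from SendGrid.

Added example: a defender-side heuristic derived from the behaviour described
in the article, not SendGrid's or Netcraft's code. Assumptions (not from the
article): SENDGRID_OWN_DOMAINS, CLICK_TRACKING_SUFFIX and the sample messages.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Domains a genuine SendGrid service notice would be expected to use (assumption).
SENDGRID_OWN_DOMAINS = {"sendgrid.com", "sendgrid.net", "twilio.com"}
# Suffix of the platform's click-tracking hosts (assumption).
CLICK_TRACKING_SUFFIX = ".sendgrid.net"

# Constructed sample modelled on the lure described in the article; every
# address and the tracking URL are invented.
PHISH_SAMPLE = """From: "SendGrid Support" <alerts@cloudhost-example.com>
To: admin@victim.example
Subject: Your SendGrid account has been suspended
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=cloudhost-example.com; dkim=pass header.d=cloudhost-example.com; dmarc=pass header.from=cloudhost-example.com
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your SendGrid account has been suspended while your sending activity is reviewed.</p>
<p><a href="https://u12345.ct.sendgrid.net/ls/click?upn=cGhpc2g">Review your account</a></p>
</body></html>
"""

# Constructed sample of an ordinary customer campaign sent through the same platform.
BENIGN_SAMPLE = """From: "Weekly Digest" <news@cloudhost-example.com>
To: admin@victim.example
Subject: This week's product updates
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=cloudhost-example.com; dkim=pass header.d=cloudhost-example.com; dmarc=pass header.from=cloudhost-example.com
Content-Type: text/html; charset="utf-8"

<html><body><p>New features this week.</p>
<p><a href="https://u12345.ct.sendgrid.net/ls/click?upn=ZGlnZXN0">Read more</a></p></body></html>
"""

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
TAG_RE = re.compile(r"<[^>]+>")


def sender_domain(msg):
    """Domain of the RFC 5322 From address, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Map spf/dkim/dmarc -> result, parsed from the Authentication-Results header."""
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(msg.get("Authentication-Results", ""))}


def html_body(msg):
    payload = msg.get_payload(decode=True) or b""
    return payload.decode(msg.get_content_charset() or "utf-8", errors="replace")


def tracked_links(html):
    """Links routed through the platform's click tracker, which hides the real destination."""
    links = []
    for url in HREF_RE.findall(html):
        host = urlsplit(url).hostname or ""
        if host.endswith(CLICK_TRACKING_SUFFIX):
            links.append(url)
    return links


def triage(raw):
    msg = message_from_string(raw)
    domain = sender_domain(msg)
    auth = auth_results(msg)
    body = html_body(msg)
    # Only the text a recipient sees counts as the lure, so strip tags (and hrefs).
    visible = (msg.get("Subject", "") + " " + TAG_RE.sub(" ", body)).lower()
    themed = "sendgrid" in visible and any(
        w in visible for w in ("suspend", "deletion", "payment", "review"))
    # The lure talks about the recipient's SendGrid account, yet the From
    # domain is a customer's: a compromised-account send, not a SendGrid notice.
    impostor = themed and domain not in SENDGRID_OWN_DOMAINS
    return {
        "from_domain": domain,
        "auth_all_pass": all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")),
        "sendgrid_themed": themed,
        "tracked_links": tracked_links(body),
        "verdict": "suspicious" if impostor else "no finding",
    }


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, triage(raw))
```

The benign sample passes the same authentication checks and uses the same click tracker, which is the point: neither fact distinguishes the two. Only the mismatch between what the message claims to be and which domain it was sent from does, so that is the signal a rule should key on.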
Serverless phishing page with real-time account checking
The phishing page itself is hosted using JSPen, a tool that generates an entire web page on the fly in the browser from code passed in the URL fragment after the # character. Such pages are also called serverless web pages. In this case, the JSPen URL fragment loads a JavaScript file hosted on Azure.
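What makes a fragment-carried page "serverless" is that the fragment never leaves the browser: it is not part of the HTTP request, so the site hosting the generator, and any proxy, URL filter or log in between, sees only the bare path. The following added example (not JSPen's code) models that mechanism. The fragment encoding (base64 here; JSPen's own may differ), the hosting URL and the sample page are assumptions.

```python
"""Why a page carried in the URL fragment is 'serverless'.

Added example, not JSPen's code: models a page whose HTML arrives in the part
of the URL after '#'. Assumptions: the fragment encoding (base64), the host
URL and the sample page.
"""
import base64
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample phishing page: a credential form whose logic is pulled
# from a separate host, as in the campaign described.
SAMPLE_PAGE_HTML = (
    "<html><body><h1>Sign in to your account</h1>"
    '<form id="login"><input name="user"><input name="pass" type="password"></form>'
    '<script src="https://static.attacker-example.invalid/app.js"></script>'
    "</body></html>"
)

SCRIPT_SRC_RE = re.compile(r'<script src="([^"]+)"')


def build_fragment_url(generator_page, html):
    """Encode a whole page into the fragment of a URL pointing at the generator."""
    payload = base64.urlsafe_b64encode(html.encode()).decode()
    return f"{generator_page}#{payload}"


def page_from_fragment(url):
    """What the browser-side generator reconstructs: the HTML decoded from the fragment."""
    fragment = urlsplit(url).fragment
    if not fragment:
        return ""
    return base64.urlsafe_b64decode(fragment.encode()).decode()


def request_target(url):
    """The URL as it appears on the wire (request line, proxy logs, URL filters).

    Browsers drop the fragment before sending the request, so the page content
    is never visible to anything that only sees HTTP traffic or URL reputation.
    """
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))


def external_script_hosts(html):
    """Hosts the reconstructed page loads scripts from; that is where the live logic sits."""
    return sorted({urlsplit(src).hostname for src in SCRIPT_SRC_RE.findall(html)})


if __name__ == "__main__":
    url = build_fragment_url("https://generator.example/", SAMPLE_PAGE_HTML)
    print("full URL length:", len(url))
    print("what the server sees:", request_target(url))
    print("scripts loaded by the page:", external_script_hosts(page_from_fragment(url)))
```

The practical consequence for defenders: blocking or reputation-scoring the generator's URL catches nothing useful, because every page shares the same visible path. Inspection has to happen in the browser (or on the endpoint), or target the separately hosted script the page pulls in, which in the reported campaign lived on Azure.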
When the user submits credentials, the script checks them in real time. If they authenticate, it asks the SendGrid API to send a two-factor authentication code to the user's phone and displays a SendGrid-themed two-factor authentication field on the page. Once the code is entered, the script checks it again and throws an error if it is not valid.
This technique of verifying credentials and 2FA codes in real time, and returning an error if they do not work, makes it hard for users to test whether a page is fake. Of course, the URL can always be checked, and it will show that the page is not on a SendGrid domain.
Although the JSPen pages and the malicious JavaScript files hosted on Azure are no longer available, Netcraft researchers point out that attackers can easily send further phishing emails on behalf of compromised SendGrid customers, from legitimate domains and with lures that are not spoofed.
“Twilio SendGrid takes abuse of its platform and services very seriously,” a Twilio spokesperson told CSO. “It is always unfortunate when an individual or organization falls victim to a phishing attack. We are aware that malicious actors are using our platform to launch phishing attacks. Our fraud, compliance, and security teams are working diligently to shut down these fraudulent activities immediately.”