TodayZoo phishing kit used to steal Microsoft credentials
Attackers behind a massive phishing campaign used a partially recycled phishing kit to target victims’ Microsoft credentials. The campaign illustrates the various ways cybercriminals take advantage of phishing kits – from renting them to creating their own customized versions, Microsoft researchers said.
TodayZoo, so called due to its “curious” use of these words in its credentials collection component, was first observed in December 2020 and has since been used in several phishing attacks aimed at stealing victims’ Microsoft 365 account credentials, the Microsoft 365 Defender Threat Intelligence team said Thursday.
“Our previous research on phishing kits told us that TodayZoo contained large chunks of code copied from widely distributed ones,” Microsoft researchers said. “The copied code segments even have the comment markers, dead links, and other remnants of previous kits.”
Since December, researchers have observed that TodayZoo has been used as the backbone of several large-scale phishing campaigns. In March, for example, Microsoft researchers observed that attackers behind TodayZoo were abusing AwsApps[.]com – an issue Amazon has since remedied – to send victims emails masquerading as Microsoft. These emails used various decoys, including those related to resetting passwords or fax notifications. The recipients of the targeted emails were prompted to click a link, which led through initial and secondary redirect URLs before landing them on a page mimicking the Microsoft 365 login page that asked for their credentials.
The phishing campaign used an old tactic called zero-point font obfuscation, where attackers insert text with a zero font size between words to hide terms that natural language processing might otherwise flag. The researchers also noted that the source code of the landing page revealed where the stolen credentials would be exfiltrated (a compromised site ending in TodayZoo.php), an unusual move because credential collection pages usually forward stolen passwords to email accounts owned by the attacker.
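One way a mail filter can undo the zero-point font obfuscation described above, as an added example that is not code from Microsoft's report or from the kit: it separates the text a recipient sees from the text a tag-stripping filter reads. The class and function names and the sample body are constructed for illustration, and the parser assumes inline styles and well-nested tags.

```python
import re
from html.parser import HTMLParser

FONT_SIZE = re.compile(r"font-size\s*:\s*([^;]+)", re.I)
ZERO = re.compile(r"^(?:0+(?:\.0*)?|\.0+)\s*[a-z%]*\s*(?:!\s*important)?$", re.I)
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "wbr"}


class ZeroFontExtractor(HTMLParser):
    """Separates text a reader sees from text styled at font size zero."""
    # Assumptions: inline style attributes only, well-nested tags; relative
    # units on nested elements are not resolved against the parent size.

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._stack = []  # one flag per open element: is its text zero-size?
        self.everything, self.visible, self.hidden = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        inherited = bool(self._stack) and self._stack[-1]
        match = FONT_SIZE.search(dict(attrs).get("style") or "")
        # An explicit font-size overrides the inherited state; otherwise inherit.
        self._stack.append(bool(ZERO.match(match.group(1).strip())) if match else inherited)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._stack:
            self._stack.pop()

    def handle_data(self, data):
        self.everything.append(data)
        zero_size = bool(self._stack) and self._stack[-1]
        (self.hidden if zero_size else self.visible).append(data)


def analyze(html):
    """Return the naive tag-stripped text, the rendered text, and hidden runs."""
    parser = ZeroFontExtractor()
    parser.feed(html)
    parser.close()
    squash = lambda parts: " ".join("".join(parts).split())
    return {"naive": squash(parser.everything), "rendered": squash(parser.visible),
            "hidden": [h.strip() for h in parser.hidden if h.strip()]}


# Constructed sample body, not taken from the campaign.
SAMPLE = ('<p>Your <span style="font-size:0">zebra</span>password '
          '<span style="FONT-SIZE: 0px">lamp</span>expires today</p>')
```

Running keyword or language models over `rendered` rather than `naive`, and treating a non-empty `hidden` list as a signal in its own right, closes the gap the tactic relies on.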