Microsoft reports TodayZoo – a “Franken-Phish” phishing toolkit

In a blog post, Microsoft reported a curious phishing kit, TodayZoo. It was primarily active this year, in spring and summer. What makes this kit peculiar is how it is built: it is stitched together from pieces of code taken from different works. This “Franken-Phish” disguised itself as Zoom, Microsoft and Xerox products. Microsoft reported it to AWS (Amazon Web Services, Inc.).

TodayZoo is made from different code

“We named the kit “TodayZoo” because of its curious use of these words in its credential harvesting component in earlier campaigns, likely a reference to phishing pages that spoofed a popular video-conferencing application. Our prior research on phishing kits told us TodayZoo contained large pieces of code copied from widely circulated ones. The copied code segments even have the comment markers, dead links, and other holdovers from the previous kits” – Microsoft in their blog post.

Phishing is a cybercrime in which victims receive an email, phone call or text message from someone pretending to be a legitimate representative. The purpose of these messages is to bait the victim into visiting a website and filling in a form with sensitive data, for example credit card details, banking information, personally identifiable information and passwords. The information is then used to gain access to important accounts. Such actions are identified as identity theft and result in financial losses.

Modern phishing is more like a business

Today's phishing industry is quite well organized and resembles a well-run business. You can buy a one-time phishing kit and use it out of the box, without any additional setup. Criminals can also rent the resources and infrastructure they need from so-called phishing-as-a-service (PhaaS) providers. The first-ever known phishing lawsuit was filed in 2004 against a Californian teenager who made a fake “America Online” website. With that trick, he got access to the fooled users’ sensitive information and credit card details. Apart from website and email phishing, there are other types such as “smishing” (SMS phishing) and “vishing” (voice phishing). Cybercriminals constantly come up with new and different techniques.1

Fake AOL page. This phishing page is just a variant of the one made by that teenager.

TodayZoo operated by a single group

The TodayZoo phishing campaign sent links to fake Microsoft 365 login pages. It also used a technique called “zero-point font obfuscation”: the fraudsters add HTML text with a font size of zero to an email, so that it is impossible for humans to read. The fraudsters hosted the majority of the pages on the cloud provider DigitalOcean. Rather than forwarding the data to other email accounts, this phishing kit stored it on the site itself. Microsoft researchers believe this phishing group is a single operation rather than a network of criminals.
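One way to surface zero-size text when triaging an HTML email body, as an added example (not code from Microsoft or from the original article). The names `ZeroFontScanner` and `scan` and the sample body are constructed for illustration, and only inline `style` attributes are inspected.

```python
import re
from html.parser import HTMLParser

# Inline font-size of exactly zero (0, 0px, 0.0em ...), not 0.5px or 10px.
ZERO_FONT = re.compile(
    r"font-size\s*:\s*0+(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:!important\s*)?(?:;|$)", re.I)
ANY_FONT_SIZE = re.compile(r"font-size\s*:", re.I)
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "wbr"}  # no end tag


class ZeroFontScanner(HTMLParser):
    """Split an HTML body into text a reader sees and zero-size text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []  # per open element: is its text rendered at size zero?
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        if ANY_FONT_SIZE.search(style):
            # Simplification: an explicit size overrides the parent's size.
            zero = bool(ZERO_FONT.search(style))
        else:
            zero = self.stack[-1] if self.stack else False
        self.stack.append(zero)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        (self.hidden if self.stack and self.stack[-1] else self.visible).append(data)


def scan(html_body):
    """Return (visible_text, zero_size_text) for one HTML email body."""
    parser = ZeroFontScanner()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.visible), "".join(parser.hidden)


# Constructed sample body, not taken from a real campaign.
SAMPLE = (
    '<div><p>Your pass<span style="font-size:0px">zebra</span>word expires today.</p>'
    '<p style="FONT-SIZE: 0">quarterly <b>report</b></p>'
    '<p style="font-size:10px">Sign in to keep it.</p></div>')
```

Calling `scan(SAMPLE)` returns the text a reader sees and the concealed text separately; a non-empty second value is a signal worth alerting on, and content filters should be fed the first value rather than the raw markup.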

Microsoft also added that many phishing kits are linked to a broad variety of email phishing campaigns and, vice versa, many email campaign patterns are associated with various phishing kits. TodayZoo, however, exclusively used the same campaign pattern, and those campaigns surfaced only TodayZoo. This led Microsoft specialists to believe that in this case, the actors are on their own. As you can see, Microsoft tries to deal with the vulnerabilities not only by enhancing system protection, but also by informing its users.

  1. Read about different phishing techniques you can meet each day.

Polina Lisovskaya
