"'PerSwaysion' Phishing Campaign Still Ongoing, and Pervasive"
Research conducted by SeclarityIO analyzed data on a phishing kit called PerSwaysion, which has been used in thousands of attacks worldwide and is a significant threat to organizations across multiple sectors. The phishing kit makes it easier for cybercriminals to launch a phishing campaign. The threat uses Microsoft file-sharing services, such as Sway, SharePoint, and OneNote, to trick unsuspecting users into visiting malicious credential-stealing websites.
Findings from the analysis of PerSwaysion indicate that the campaign was launched at least as far back as October 2017. Despite the public disclosure of the phishing kit and related TTPs, the campaign is still active. Data from URLscan revealed that within the last 18 months, about 7,403 people from across 14 sectors visited 444 unique PerSwaysion phishing portals. The victims were from financial services, healthcare, aerospace, engineering, technology, government, and other sectors. David Pearson, co-founder and CEO of SeclarityIO, estimates that the number of organizations impacted by the campaign since May 2020 is in the high hundreds.
The PerSwaysion kit consists of templates for spoofing account login pages belonging to Microsoft, Google, Facebook, Twitter, AOL, and other trusted brands. In some PerSwaysion attacks, URL shorteners such as bit.ly and tiny.cc were used to try to bypass email filters and to make malicious URLs look legitimate. In other attacks, email platforms such as sendgrid.net were used to deliver phishing lures directly to user email inboxes. Other observed tactics included luring users to legitimate but compromised websites, redirecting users through online ads, and performing open redirects to reroute users. The attack infrastructure of the kit includes a front-end phishing portal, a template hosting site, a redirector site, and the credential collection site itself.
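The delivery tactics listed above (shortened links, mail-platform links, Microsoft file-sharing lures, and redirects to another host) can be tagged when triaging the links in a reported message. The Python below is an added example, not code from SeclarityIO or the article; the Microsoft hostnames, the tag names, and the sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Shorteners and mail platform are the ones the article names; the three
# Microsoft hostnames are assumptions about where such links are served.
TACTICS = {
    "shortener": ("bit.ly", "tiny.cc"),
    "mail-platform": ("sendgrid.net",),
    "file-sharing": ("sway.office.com", "sharepoint.com", "onenote.com"),
}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Constructed sample message body (not real campaign data).
SAMPLE = (
    "Shared file: https://sway.office.com/AbCdEf123\n"
    "Short link: https://bit.ly/3xAmpl\n"
    "Ad: https://shop.example.com/out?next=https%3A%2F%2Fportal.example.net%2Flogin\n"
    "Look-alike suffix: https://notbit.ly/about\n"
)


def split_host(url):
    """Return (lower-cased hostname, query); empty strings if unparseable."""
    try:
        parts = urlsplit(url)
        return (parts.hostname or "").lower(), parts.query
    except ValueError:  # e.g. malformed IPv6 literal
        return "", ""


def embedded_targets(url):
    """Query-parameter URLs that point at a different host (open-redirect shape)."""
    host, query = split_host(url)
    return [v for _k, v in parse_qsl(query)  # parse_qsl percent-decodes values
            if v.lower().startswith(("http://", "https://"))
            and split_host(v)[0] not in ("", host)]


def triage(body):
    """Map each URL in a message body to the set of tactics it matches."""
    report = {}
    for url in URL_RE.findall(body):
        host, _ = split_host(url)
        # Match the exact host or a subdomain, so "notbit.ly" is not "bit.ly".
        tags = {name for name, suffixes in TACTICS.items()
                if any(host == s or host.endswith("." + s) for s in suffixes)}
        if embedded_targets(url):
            tags.add("cross-host-redirect")
        report[url] = tags
    return report
```

A tag marks a link for closer inspection, such as resolving the shortener or following the redirect in a sandbox; it is not a verdict, since each of these services also carries legitimate traffic.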
This article continues to discuss key findings surrounding the PerSwaysion phishing campaign.
Dark Reading reports "'PerSwaysion' Phishing Campaign Still Ongoing, and Pervasive"