"SocGholish Finds Success Through Novel Email Techniques"

Proofpoint researchers have revealed more technical details about SocGholish, the malware variant they discovered earlier in November, emphasizing tactics that differ from traditional phishing campaigns. SocGholish deviates from the norm by doing away with the classic staples of modern phishing, such as pushing a sense of urgency, promising rewards, and misdirection. It is instead used in email campaigns with site injections, primarily targeting organizations with extensive marketing campaigns or Search Engine Optimization (SEO). According to Drew Schmitt, managing security consultant and lead analyst at GuidePoint Security, the SocGholish email-based attacks combined with download-style infections are unique because they explicitly avoid the characteristics that the average user would be able to detect and identify.

On November 2, Proofpoint revealed that SocGholish attacks had infected over 250 US news sites. According to the company, it observed intermittent injections in a media company that serves content to its partners via JavaScript. Proofpoint identified the threat actor as TA569, who modified the codebase of the benign JavaScript and used the media company to deploy SocGholish, potentially resulting in a dangerous supply chain attack. The threat actor is not directly targeting the media industry, but rather uses these companies as delivery mechanisms; consumers who visit those websites are the intended victims. The actors are opportunistic, injecting scripts into landing pages, third-party styling resources, trackers, and scripts. They rely on the compromised entity being a legitimate organization and on natural email traffic, such as newsletters, marketing efforts, and bulletins, to drive visitors to those sites. Since articles on online news sites are often optimized for search engines, ad hoc searching would also lead potential victims to the compromised sites.

SocGholish is noteworthy because it is more than just a credential-stealing attack. It is also an attempt to gain persistence and lateral movement in order to drop additional malware payloads, which could include ransomware or other threats. This article continues to discuss key findings regarding the SocGholish malware.
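The injection described above, in which a partner-served JavaScript file is modified so that every site embedding it loads the attacker's content, is the kind of change a site owner's own page audit can surface. The following is an added example, not code from Proofpoint, GuidePoint, or the article: a Python script that parses served HTML, flags external script sources whose host is outside an assumed allowlist, flags allowed third-party scripts that load without Subresource Integrity (so a modified copy would be accepted silently), and surfaces inline loaders that pull scripts from unexpected hosts. The allowlist, host names, and sample page are all constructed for the example.

```python
"""Audit served HTML for unexpected or unpinned <script> sources.

Added example (not the article's, Proofpoint's, or GuidePoint's code).
Assumes the site owner maintains ALLOWED_HOSTS, the hosts they intentionally
load scripts from; everything below is constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts this site intentionally loads scripts from.
ALLOWED_HOSTS = {"cdn.first-party.example", "analytics.partner.example"}

# Matches host names inside inline scripts, e.g. a loader doing s.src = "https://host/x.js".
_URL_HOST = re.compile(r"(?:https?:)?//([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


class ScriptCollector(HTMLParser):
    """Collects external <script src> tags (with an SRI flag) and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []   # list of (src, has_integrity_attribute)
        self.inline = []     # list of inline script bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = {k.lower(): v for k, v in attrs}
        if a.get("src"):
            self.external.append((a["src"], "integrity" in a))
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def is_allowed(host, allowed=ALLOWED_HOSTS):
    """True if host equals, or is a subdomain of, an allowlisted host."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in allowed)


def audit_html(html, allowed=ALLOWED_HOSTS):
    """Return a list of findings; an empty list means every script source is expected."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, has_sri in parser.external:
        host = urlparse(src).netloc.lower()   # "" for same-origin relative paths
        if host and not is_allowed(host, allowed):
            findings.append({"kind": "unexpected_host", "host": host, "src": src})
        elif host and not has_sri:
            # Allowed third-party script without SRI: a modified copy would load unnoticed.
            findings.append({"kind": "missing_sri", "host": host, "src": src})
    for body in parser.inline:
        for host in _URL_HOST.findall(body):
            if not is_allowed(host, allowed):
                findings.append({"kind": "inline_loader", "host": host.lower()})
    return findings


# Constructed sample page: one pinned first-party script, one unpinned partner
# script, one script from a host nobody approved, and one inline dynamic loader.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.first-party.example/app.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://analytics.partner.example/t.js"></script>
<script src="//static.unexpected-host.example/x.js"></script>
<script>
  var s = document.createElement('script');
  s.src = 'https://loader.other-host.example/u.js';
  document.head.appendChild(s);
</script>
<script>console.log('harmless inline');</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_PAGE):
        print(finding)
```

Run against a saved copy of each landing page or newsletter target, the audit reports three findings for the constructed sample: the partner script lacks SRI, the unexpected host is not allowlisted, and the inline loader fetches from a host outside the list. Pinning partner-served scripts with an integrity hash is the control that turns a silent upstream modification into a load failure the site owner notices.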

SC Magazine reports "SocGholish Finds Success Through Novel Email Techniques"
