Key Takeaways:
Microsoft is taking legal action to disrupt 240 websites owned by a cybercrime group in Egypt. The sites are connected to Abanoub Nady (MRxC0DER), who develops and sells DIY phishing kits under the ONNX brand name.
The ONNX name is being used fraudulently to sell the do-it-yourself phishing kits, which are used by many cybercriminals to bypass multifactor authentication (MFA) and break into Microsoft accounts.
Microsoft says all sectors are at risk but that financial services have been heavily targeted. In a recent blog post, Microsoft noted:
“Phishing emails originating from these “do it yourself” kits make up a significant portion of the tens to hundreds of millions of phishing messages observed by Microsoft each month. The fraudulent ONNX operations are part of the broader “Phishing-as-a-Service” (PhaaS) industry and as noted in this year’s Microsoft Digital Defense Report, the operation was among the top five phish kit providers by email volume in the first half of 2024.”
Microsoft’s Digital Crime Unit (DCU) is disrupting the cybercriminal supply chain to protect customers from threats, including financial fraud, data theft, and ransomware.
The phishing kits enable criminals to carry out increasingly sophisticated adversary-in-the-middle (AiTM) attacks, in which they intercept network communications between the victim and the legitimate sign-in page to steal passwords and security tokens, then use those tokens to authenticate as the victim. Microsoft says that AiTM attacks have become the go-to method favored by criminals for bypassing MFA protections, and this year’s Microsoft Digital Defense Report notes a 146% increase in AiTM attacks.
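Because an AiTM proxy relays the victim’s real MFA challenge, the session the attacker ends up holding looks fully MFA-satisfied in sign-in logs, so defenders typically hunt for the stolen token being reused from a second network location shortly after issuance. The following added example (not code from Microsoft or from this article) runs that check over a few constructed JSON-lines sign-in events; the field names `ts`, `user`, `ip`, `session` and `mfa`, the one-hour window, and the sample IPs and session ids are all assumptions for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events in JSON-lines form (not real telemetry).
# "session" is an opaque id of the session token issued after the user passed
# MFA; a proxy that relayed the login would be holding the same token.
# Note every record shows mfa=true: the replayed session passes MFA too, which
# is why the detection keys on token reuse rather than on the MFA flag.
SAMPLE_LOG = """\
{"ts": "2024-06-01T08:00:00Z", "user": "alice@example.test", "ip": "203.0.113.10", "session": "sess-a1", "mfa": true}
{"ts": "2024-06-01T08:05:00Z", "user": "alice@example.test", "ip": "198.51.100.77", "session": "sess-a1", "mfa": true}
{"ts": "2024-06-01T09:00:00Z", "user": "bob@example.test", "ip": "203.0.113.20", "session": "sess-b1", "mfa": true}
{"ts": "2024-06-01T09:30:00Z", "user": "bob@example.test", "ip": "203.0.113.20", "session": "sess-b1", "mfa": true}
{"ts": "2024-06-01T10:00:00Z", "user": "carol@example.test", "ip": "203.0.113.30", "session": "sess-c1", "mfa": true}
{"ts": "2024-06-02T10:00:00Z", "user": "carol@example.test", "ip": "198.51.100.5", "session": "sess-c1", "mfa": true}
"""


def parse_events(text):
    """Parse JSON-lines sign-in records into dicts with a datetime 'ts' field."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def find_session_replays(events, window=timedelta(hours=1)):
    """Flag session tokens used from a second IP within `window` of first use.

    Returns one finding per suspicious session: the user, the IP that first
    used the token, the other IP, and how long after issuance it appeared.
    Reuse from a different IP long after issuance (outside the window) is left
    alone here, since ordinary travel or network changes can explain it.
    """
    by_session = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_session[event["session"]].append(event)

    findings = []
    for session, uses in by_session.items():
        first = uses[0]
        for later in uses[1:]:
            gap = later["ts"] - first["ts"]
            if later["ip"] != first["ip"] and gap <= window:
                findings.append({
                    "session": session,
                    "user": later["user"],
                    "first_ip": first["ip"],
                    "new_ip": later["ip"],
                    "seconds_after_first_use": int(gap.total_seconds()),
                })
                break  # one finding per session is enough to trigger review
    return findings


if __name__ == "__main__":
    for finding in find_session_replays(parse_events(SAMPLE_LOG)):
        print(json.dumps(finding))
```

Run against the sample, only `sess-a1` is flagged: the token was reused from a different IP five minutes after issuance, while Bob’s repeated use from one IP and Carol’s reuse a day later fall outside the rule. In production the same logic would read from the identity provider’s sign-in export and would usually compare autonomous systems or geolocation rather than raw IPs, and a hit would be followed by revoking the session and re-enrolling the user’s MFA.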
The Financial Industry Regulatory Authority (FINRA) says new techniques, including QR code phishing (quishing), use embedded QR codes that direct users to fake sign-in pages where they then enter their credentials. Starting in September 2023, Microsoft saw a significant rise in quishing, to nearly a quarter of all phishing emails. Quishing is difficult to detect because QR codes appear to scanners as unreadable images rather than as text links.
Microsoft encourages organizations and users to stay up to date on the latest methods hackers use to take over user accounts. While Microsoft’s DCU can take action against specific threats using legal methods, it’s an ever-evolving landscape, and as one door closes for attackers, another quickly opens.