
CloudSEK Uncovers New Phishing Bot – MichaMichaBot

CloudSEK, a leading cybersecurity firm, has identified a new and alarming phishing trend. Cybercriminals, using a bot named MichaMichaBot, are exploiting missing “X-Frame-Options” HTTP headers to conduct extensive phishing campaigns targeting companies worldwide.

Key Findings: Threat actors are embedding company domains within iframes and overlaying them with fake login panels. Victims, thinking they are on legitimate sites, unknowingly enter their credentials, which are then sent to the attackers via MichaMichaBot on Telegram. (For More Information Read Full Report)

How the Phishing Scheme Works:

  1. Iframe Embedding: The phishing page loads the target company’s domain within an iframe.
  2. Fake Login Panel: A deceptive login panel is displayed over the iframe, tricking users into entering their credentials.
  3. Credential Harvesting: Entered credentials are sent to the attackers through MichaMichaBot on Telegram, using a Telegram Bot API token and chat ID hardcoded in the phishing page.
Figure: The phishing domain loads the original domain in an iframe with its login panel on top of it.

Technical Analysis: CloudSEK’s investigation revealed that these phishing pages exploit the absence of the “X-Frame-Options” HTTP header. Without it (or an equivalent Content-Security-Policy frame-ancestors directive), the target’s page can be embedded in an iframe on an attacker-controlled origin, the same precondition that enables clickjacking. (For More Information Read Full Report)

The approach is deceptively simple. Instead of building a fake copy of each company’s website, the attackers load the real site by its URL inside an iframe and place their own login form over it, so the page behind the form is the genuine one. The method only works against sites whose HTTP response headers do not forbid framing; many sites already send such headers and cannot be embedded this way.

Mitigation Strategies: To protect against this threat, CloudSEK recommends implementing the following security measures:

  1. X-Frame-Options HTTP Header: Set this header to DENY or SAMEORIGIN to prevent your webpage from being embedded in an iframe.
  2. Content Security Policy (CSP): Use the frame-ancestors directive to control which sources can embed your content.
  3. Frame Busting Scripts: Employ JavaScript to prevent your site from being loaded in an iframe.
  4. SameSite Cookie Attribute: Set this attribute in cookies to restrict them from being sent with cross-site requests.
  5. HTTP Strict Transport Security (HSTS): Ensure your website is only accessible over HTTPS to guard against man-in-the-middle attacks.
  6. Multi-Factor Authentication (MFA): Implement MFA to add an extra layer of security for user logins.
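The first two mitigations above are header settings that a browser enforces before it renders the page in a frame. As an added, defender-side check (this is not code from CloudSEK’s report or its tooling), the following Python function evaluates a set of HTTP response headers the way a browser decides whether a cross-origin page may frame the response: a CSP frame-ancestors directive takes precedence, X-Frame-Options is consulted otherwise, and deprecated or invalid values are treated as no protection. The header dictionaries at the bottom are constructed samples.

```python
"""Audit HTTP response headers for iframe (clickjacking) protection.

Added example, not part of the CloudSEK report.  The header dicts below are
constructed samples; in practice you would pass the headers returned by your
own login page.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class FramingVerdict:
    protected: bool   # True if a cross-origin phishing page could NOT frame this response
    source: str       # which header decided it: "csp", "x-frame-options" or "none"
    detail: str       # human-readable explanation for the report


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def assess_framing_protection(headers: Dict[str, str]) -> FramingVerdict:
    """Decide whether an attacker-controlled origin could load this page in an iframe.

    Precedence follows current browser behaviour: when a CSP frame-ancestors
    directive is present it wins and X-Frame-Options is ignored entirely.
    """
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = _csp_frame_ancestors(csp)
        if sources is not None:
            if sources == ["'none'"]:
                return FramingVerdict(True, "csp", "frame-ancestors 'none' blocks all framing")
            if sources == ["'self'"]:
                return FramingVerdict(True, "csp", "frame-ancestors 'self' allows same-origin framing only")
            # '*' or a bare scheme (https:) lets any origin with that scheme frame the page.
            if "*" in sources or any(s in ("http:", "https:") for s in sources):
                return FramingVerdict(False, "csp", f"frame-ancestors allows arbitrary origins: {sources}")
            return FramingVerdict(True, "csp", f"frame-ancestors restricted to allowlist: {sources}")
        # CSP present but without frame-ancestors: fall through to X-Frame-Options.

    xfo = _header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return FramingVerdict(True, "x-frame-options", f"X-Frame-Options {value}")
        if value.startswith("ALLOW-FROM"):
            # Deprecated; modern browsers ignore it, so it provides no protection.
            return FramingVerdict(False, "x-frame-options", "ALLOW-FROM is ignored by current browsers")
        return FramingVerdict(False, "x-frame-options", f"invalid X-Frame-Options value ignored: {xfo!r}")

    return FramingVerdict(False, "none", "no X-Frame-Options and no CSP frame-ancestors: page can be framed")


# Constructed sample responses (not real sites) illustrating each outcome.
SAMPLE_RESPONSES = {
    "no headers at all": {"Content-Type": "text/html"},
    "XFO deny": {"X-Frame-Options": "DENY"},
    "deprecated allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "CSP overrides bad XFO": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "ALLOWALL",
    },
    "CSP wildcard": {"Content-Security-Policy": "frame-ancestors *"},
}

if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        verdict = assess_framing_protection(headers)
        status = "PROTECTED" if verdict.protected else "FRAMEABLE"
        print(f"{label:24s} {status:10s} ({verdict.source}) {verdict.detail}")
```

Run it against the headers of your own login endpoint: any response reported as FRAMEABLE is one that a page like the one described here could embed. Frame-busting JavaScript (mitigation 3) is a fallback only, since it runs after the page has already been loaded inside the attacker’s frame and can be defeated by the `sandbox` attribute; the header-based controls are what the browser enforces unconditionally.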

Impact: As of July 31, 2024, CloudSEK has identified an astonishing 1,262 victims of this phishing campaign. The most targeted domains include:

Threat Actor Attribution: Through HUMINT and technical analysis, CloudSEK traced the attackers to Nigeria. The attackers used various tools and services, including:

  • Hosting Services: Cloud hosting is provided by vk.com.
  • Mass Mailing Tools: Sendgrid, PowerMTA SMTP Server, and Gammadyne Mailer to send bulk phishing emails.

“Nigerian threat actors are embedding legitimate websites in an iframe on their phishing page. On top of the iframe, the phishing page loads a login panel which, when clicked, sends the entered credentials to a Telegram bot called Micha-Micha. This technique helps the threat actors do away with creating a separate phishing website for each domain. However, only the websites that have not properly configured their HTTP security headers can be injected into an iframe on a phishing page like this. So far 1000+ people from all over the globe have fallen victim to this scam that has been running since September 2023. To stay safe from this, never submit your credentials on unknown links and configure HTTP security headers on your website,” said Vikas Kundu, Threat Researcher, CloudSEK.

Call to Action: CloudSEK urges all organisations to review their web security configurations and implement the recommended mitigations to protect against such phishing attacks.

CSA Editorial

Launched in Jan 2018, in partnership with Cyber Security Malaysia (an agency under MOSTI). CSA is a news and content platform focusing on key issues in cybersecurity in the region. CSA is targeted to serve the needs of cybersecurity professionals, IT professionals, Risk professionals and C-Levels who have an obligation to understand the impact of cyber threats.
