Anga Com is a popular conference based in Germany for broadband and media distributors. The conference attracts over 22,000 participants from 470 companies from across the world.
Anga Com had its latest conference in the last week of May.
A central part of any conference for a company is to garner interest for their company. Many conferences will give over lead lists for companies to follow up on. This can be a significant source of potential revenue for companies.
This is not the usual fare for hackers. But in a clever twist, hackers insert themselves into the lead delivery process to steal credentials by creating look-a-like webpages on easy-to-use and legitimate developer sites.
In this Attack Brief, researchers at Avanan, a Check Point Software company, will discuss how hackers are sending spoofed emails and creating spoofed webpages to make it appear as it comes from Anga Com, when in fact they are creating a ploy to steal credentials.
Attack
In this attack, hackers are creating look-a-like webpages in order to steal credentials.
- Vector: Email
- Type: Malicious Link
- Techniques: Social Engineering, Impersonation, Credential Harvesting
- Target: Any end-user
Email Example
This con starts with an email purporting to come from Anga Com notifying them that visitors expressed interest in their exhibit during the conference. That’s the ploy. Who wouldn’t want to generate new business? To initiate communication with the prospective clients, users are directed to click onto the provided link and sign into the online platform. Notice the sender address is an Outlook address, not from Anga Com.
The attachment provides more information.
It says that the conference created an online platform where businesses and visitors can interact. Click on the link to see the request!
When you click, you get redirected to this login page.
Looks like a legit page, right?
Wrong. Here’s the rub:
The URL for this page is angacom-de.surge.sh
The real URL is angacom.de
Surge.sh is a site used by developers to create websites. So the hackers were able to create a look-a-like page for Anga Com.
When the users enter their email, it’ll be followed by a password. And credentials are promptly stolen.
Techniques
There’s a lot going on in this attack. First, there’s the pure impersonation and social engineering of this popular conference. The hackers are using the name of the conference, and the dazzling potential of future business, to get users to click.
That’s the first part, which requires fairly little expertise on the part of the hacker. If anything, it shows ingenuity by sending the email within a few days of the conference ending. Because companies tend to post that they are at such conferences on social media, it makes it easy for hackers to identify potential targets.
What requires more skill is creating the look-a-like page. Luckily for hackers, there are tools that help them along. In this case, it is Surge.sh
Surge.SH is not a malicious site, but like many legitimate services, it can be used to foster illegitimate acts. By leveraging the legitimacy of Surge, it allows for the bypassing of security services.
Users can spot the plot by seeing that the URL has the Surge domain in it. But even that is potentially tricky. Because Anga Com is in the name of the URL, users might think that Surge is the platform being used to host the leads.
In short, this is a clever and tricky attack that requires a lot of special attention being paid by the end-user, and a lot of good AI from email security services, along with the ability to emulate and re-write links within attachments. By replacing the links in the email body and attachments, security services can better prevent attacks that hide links within the attachments.
Avanan researchers reached out to Surge on June 1 to inform them of this attack and research. We also reached out to Anga Com.
Best Practices: Guidance and Recommendations
To guard against these attacks, security professionals can do the following:
- Implement security that looks at all URLs and emulates the page behind it
- Leverage URL protection that uses phishing techniques like this one as an indicator of an attack
- Remind users to hover over all URLs
