Phishing attack uses compromised SendGrid accounts to target additional users

A group of attackers have compromised accounts on the SendGrid email delivery platform and are using them to launch phishing attacks against other SendGrid customers. The campaign is likely an attempt to collect credentials for a mass email service with a good reputation that would help attackers bypass spam filters in other attacks.

“The campaign observed uses a variety of complex lures, such as claiming the victim’s account has been suspended while its sending practices are reviewed or that the victim’s account is marked for removal due to a recent payment failure, combined with other SendGrid features to mask the actual destination of any malicious links,” researchers from threat intelligence firm Netcraft said in a new report.

SendGrid is a cloud-based email delivery platform owned by Twilio. It helps companies run email marketing campaigns at scale with a high deliverability rate and analytics. The company claims to have over 80,000 customers including popular brands like ​​Uber, Spotify, AirBnB, and Yelp. “With even legitimate companies sometimes struggling to deliver emails to users’ inboxes successfully, it is easy to see how using SendGrid for phishing campaigns is attractive to criminals,” the Netcraft researchers said.

The phishing emails masquerading as SendGrind notifications were sent through the SendGrind SMTP servers, but the email addresses in their From field were from other domains, not sendgrid.com. That’s because the attackers used the domain names that the compromised SendGrid customers had configured to be able to send email through the platform for their own campaigns.

Netcraft observed at least nine such domains belonging to companies from a range of industries including cloud hosting, energy, healthcare, education, property, recruitment, and publishing. Because those domains had been configured to use SendGrid for email delivery, the phishing emails passed all the usual anti-spoofing security features like DKIM and SPF as those domains had the correct DNS policies set up. “The use of compromised SendGrid accounts explains why SendGrid is targeted by the phishing campaign: The criminals can use the compromised accounts to compromise further SendGrid accounts in a cycle, providing them with a steady supply of fresh SendGrid accounts,” the Netcraft researchers said.

Aside from the suspicious addresses in the From field, there is little else to make the rogue emails appear not authentic to a recipient. The link behind the button included in the email is masked using SendGrid’s click-tracking feature. This means the URL points to a script hosted on sendgrid.net, which then performs a redirect to the phishing page set up by the attackers. However, the URL of the phishing page is passed to the SendGrid script as an encoded parameter so it’s not visible to the user as clear text when hovering over the button.

Serverless phishing pages with real-time account checks

The phishing page itself is also hosted using JSPen, a tool that allows entire web pages to be generated on the fly inside the browser based on code passed as a URL fragment after the # character. These are also known as serverless web pages. In this case, the JSPen URL fragment contains a <source> element that loads a JavaScript file hosted on Azure. This script contains AES-encrypted code that generates the entire page which mimics the SendGrid login page. When credentials are entered, the script uses the SendGrid API to determine if the username and password combinations are correct.

If they are, it then requests the SendGrid API to send a two-factor authentication code to the user’s phone and displays a SendGrid-themed two-factor authentication field on the page. When the code is entered, the script again checks if it’s valid and throws an error if it’s not.

This technique of validating credentials and 2FA codes in real time and returning an error if they don’t work makes it harder for users to test if it’s a fake page. Of course, they could always check the URL and realize they’re not on a SendGrid domain.

The JSPen page and the malicious JavaScript file hosted on Azure are no longer available at this time, but the Netcraft researchers point out that attackers could easily send phishing emails on behalf of the compromised customers using their legitimate domains and other lures that don’t impersonate SendGrid.

“Twilio SendGrid takes abuse of its platform and services very seriously,” a Twilio spokesperson tells CSO. “It is always regrettable when an individual or organization is the victim of a phishing attack. We are aware that bad actors have used our platform to launch phishing attacks. Our fraud, compliance, and security teams are working diligently to ensure that these bad actors are shut down immediately.”

Cybercrime, Email Security, Phishing

Go to Source