
Virtual private servers exploited for SaaS account compromise


Malicious actors have been increasingly hijacking software-as-a-service accounts via virtual private server exploitation to facilitate phishing attacks that evade IP reputation checks and geolocation defenses, SiliconANGLE reports.

Multiple endpoints associated with VPS provider Hyonix have been used by threat actors to conduct logins prior to creating inbox rules and removing phishing-related emails as part of one campaign, according to a study from Darktrace. Another campaign involved obfuscated inbox rule creation and attempted account recovery setting alterations following coordinated logins from various VPS providers, said researchers, who noted that disabled autonomous response hindered the tracking of both incidents' progress. Such an attack technique is no longer novel, said SlashNext Email Security Field Chief Technology Officer J Stephen Kowski. "...[I]t's the same old tricks as you would see on a desktop: changing inbox rules, stealing tokens, resetting passwords and cleaning up tracks. The only twist is that it's happening on a rented cloud desktop, which makes the activity blend in with normal traffic slightly differently," noted Kowski.
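The sequence described above (a login from VPS infrastructure followed by inbox rule creation, mail deletion or recovery-setting changes) can be turned into a correlation check. This is an added example, not code from Darktrace or the article; the event-type names, the 60-minute window and the RFC 5737 placeholder ranges standing in for hosting-provider address space are all assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: defender-maintained list of VPS/hosting CIDRs.
# RFC 5737 documentation ranges are used here as placeholders.
HOSTING_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
# Assumption: event types of a normalized audit feed, not a vendor schema.
FOLLOW_ON = {"inbox_rule_created", "mail_deleted", "recovery_settings_changed"}
WINDOW = timedelta(minutes=60)

def from_hosting(ip):
    """True if the address falls inside any listed hosting range."""
    return any(ip_address(ip) in net for net in HOSTING_RANGES)

def find_suspect_sessions(events, window=WINDOW):
    """Return (user, login_ip, login_time, follow_on_types) for each
    hosting-range login followed by mailbox tampering within `window`."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_user.setdefault(e["user"], []).append(e)
    findings = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["type"] != "login" or not from_hosting(e["ip"]):
                continue
            # Follow-on actions may come from a different VPS provider,
            # so match any hosting range rather than the login IP only.
            actions = [f["type"] for f in evs[i + 1:]
                       if f["type"] in FOLLOW_ON
                       and f["time"] - e["time"] <= window
                       and from_hosting(f["ip"])]
            if actions:
                findings.append((user, e["ip"], e["time"], actions))
    return findings

def ev(user, kind, ip, ts):
    return {"user": user, "type": kind, "ip": ip, "time": datetime.fromisoformat(ts)}

# Constructed sample events (users, addresses and times are illustrative).
SAMPLE_EVENTS = [
    ev("alice", "login", "192.0.2.10", "2025-01-01T09:00"),
    ev("alice", "inbox_rule_created", "192.0.2.10", "2025-01-01T09:05"),
    ev("bob", "login", "203.0.113.7", "2025-01-01T10:00"),
    ev("bob", "inbox_rule_created", "203.0.113.7", "2025-01-01T10:04"),
    ev("bob", "mail_deleted", "203.0.113.7", "2025-01-01T10:06"),
    ev("carol", "login", "198.51.100.20", "2025-01-01T11:00"),
    ev("carol", "inbox_rule_created", "198.51.100.20", "2025-01-01T14:00"),
    ev("dave", "login", "203.0.113.9", "2025-01-01T12:00"),
    ev("dave", "recovery_settings_changed", "198.51.100.5", "2025-01-01T12:10"),
]
```

Because the logins arrive from rented infrastructure that passes IP reputation and geolocation checks, the signal here is the pairing of source network and post-login mailbox changes, not the address alone.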
