Phishing campaigns happen to schools too


A case study of a phishing campaign targeting Efrei Paris

Incident Overview #

On 31 May 2023, some engineering students from Efrei Paris, a French engineering school, received an email from their fellow students asking them to look at the attached document.

The interesting thing is that the emails were written in the spoken language of their presumed sender. This may be based only on their names, hence guessing the student's spoken language, or it could be explained by the initial infection.

I tried contacting both students whose email addresses were used by the campaign, but sadly I couldn't get in touch with them.

The PDF was a simple image asking the reader to go to a website to access a document.

Let's dive deeper #

First things first: the PDF.

We can see that the PDF was created a day before the attack, and the Creator is "Pixdev Limited", which is a Ghanaian digital creative agency. I don't really see why this company is marked as the creator of this document, but it is. I didn't see any service of the company that could lead to the creation of a PDF, so that confuses me.

By doing some research about it, I stumbled upon this article, which shows a similar attack on another French school in 2019.

Now that we have seen that the PDF was just a means to access a URL, let's study it.

When clicking on the link, we are sent to this URL: https://wdp0rhcmxl643fd525a7bea.nimach.ru, which shows a Microsoft Live sign-in screen.

I didn't find anything interesting on this URL, apart from it being Russian.

The interesting part is that if I input a fake email or my personal Microsoft email, it will tell me that this email doesn't exist.

After trying to understand how the website works, I noticed that all my inputs were sent to an API, which returned false for each of my tries.

That's when I tried a school email. And when I did, I reached another page asking for my password!

That means that somehow, the API was either crafting a request to the real Microsoft sign-in page and checking the result, or it had a database with all of Efrei's emails (less probable).

This is actually a common technique used in phishing, where a fake website grabs your credentials and checks them, to filter out bad/wrong credentials, something like this:
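The validation step described above has a visible side effect for defenders: because the kit checks every submitted address against the real sign-in service, that service sees one source address probing many different usernames in a short time, most returning "user not found", a few then proceeding to password attempts. The following detection logic is an added example written for this article, not code from the author or from the kit; the log format (`ts=... src=... user=... result=...`) and the sample lines are constructed for illustration and are not real identity-provider output.

```python
"""Detect a credential-validation proxy from identity-provider sign-in logs.

Assumption (constructed for this example): each sign-in attempt is logged as
one line of space-separated key=value pairs with a "result" of
success / bad_password / user_not_found.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.77 plays the role of the kit's API server,
# the two 198.51.100.x addresses are ordinary users.
SAMPLE_LOG = """\
ts=2023-05-31T09:00:01Z src=198.51.100.23 user=alice@school.example result=success
ts=2023-05-31T09:00:05Z src=203.0.113.77 user=foo@example.com result=user_not_found
ts=2023-05-31T09:00:06Z src=203.0.113.77 user=bar@outlook.example result=user_not_found
ts=2023-05-31T09:00:09Z src=203.0.113.77 user=test@test.example result=user_not_found
ts=2023-05-31T09:00:12Z src=203.0.113.77 user=bob@school.example result=bad_password
ts=2023-05-31T09:00:15Z src=203.0.113.77 user=carol@school.example result=bad_password
ts=2023-05-31T09:00:30Z src=203.0.113.77 user=dave@school.example result=success
ts=2023-05-31T09:01:00Z src=198.51.100.24 user=alice@school.example result=bad_password
ts=2023-05-31T09:01:10Z src=198.51.100.24 user=alice@school.example result=success
"""


def parse_line(line):
    """Turn one key=value log line into a dict with a parsed timestamp."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_validation_proxies(log_text, window=timedelta(minutes=5),
                            min_users=3, min_not_found=2):
    """Return {src_ip: details} for sources that look like a validation proxy.

    A source is flagged when, inside any sliding window, it touched at least
    `min_users` distinct usernames and at least `min_not_found` of those
    lookups came back as user_not_found. Ordinary users retry one account;
    a kit relaying victims' inputs touches many.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window fits.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            not_found = sum(1 for e in win if e["result"] == "user_not_found")
            if len(users) < min_users or not_found < min_not_found:
                continue
            cand = {
                "distinct_users": len(users),
                "user_not_found": not_found,
                # Accounts the kit confirmed exist: the ones worth warning.
                "validated": sorted({e["user"] for e in win
                                     if e["result"] != "user_not_found"}),
            }
            # Keep the widest window seen for this source.
            if src not in alerts or cand["distinct_users"] > alerts[src]["distinct_users"]:
                alerts[src] = cand
    return alerts


if __name__ == "__main__":
    for src, info in find_validation_proxies(SAMPLE_LOG).items():
        print(f"{src}: {info['distinct_users']} users probed, "
              f"{info['user_not_found']} unknown, validated={info['validated']}")
```

The `validated` list is the useful output for incident response: those are the accounts the kit confirmed as real and that may have gone on to the password page, so they are the ones to reset and notify first. The thresholds are starting points and should be tuned against a baseline of normal traffic, since shared NAT egress addresses can also show several usernames from one source.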

When I was writing this part of the article, something funny happened:

The API had expired!

So I started looking for this MRxC0DER, and I found what I wanted:

This person sells a Phishing-as-a-Service called Caffeine. A really cool article by Mandiant was written about it.

I found the Caffeine bot service on Telegram, and this is what I suppose the campaign was:

Now, I guess the campaign is finished. It's impossible for me to know whether some people entered their credentials, but I hope not!

Possible Purposes #

But why would anyone pay $250 to launch a phishing campaign against a school?

The first reason I can find is ransomware.

By launching a phishing campaign, the attackers might hope to access an important account, and then use this account to send a new phishing attack with, this time, ransomware, and win tons of money. Guess we'll never know. Or will we? Let's wait a few weeks before celebrating.

The other reason would be simply to sell the captured credentials. I didn't try to input other schools' emails, but if it worked, the attackers could sell all this data on forums to make a profit.

Actions Taken #

During the attack, the school CIO was contacted to stop it from spreading. As of today, all recent domain names are blocked, but the school hasn't done anything more. I hope they will, because prevention is a really important response to this kind of attack.

Afterword #

I'll come back to this article if there is any news. Until then, thank you all for reading this, and be careful about which links you click!