Microsoft has discovered a phishing campaign going on in the wild that employs a new trick to bluff users. This phishing campaign makes use of custom 404 pages to steal users’ credentials.
Custom 404 Pages Phishing Campaign
Microsoft has warned the users of a peculiar phishing attack targeting Microsoft users. The phishing campaign bluffs users with custom 404 pages. Using this technique, the attackers can create a seemingly unlimited number of phishing web links.
According to the details shared by Microsoft Security Intelligence on Twitter, the researchers detected this phishing campaign while analyzing phishing emails.
These phishing web pages are actually the non-existent links. However, these pages do not display the usual ‘404 not found’ error message. Rather the attackers have designed these pages in a way to imitate legit websites.
In the campaign discovered by Microsoft, the attackers have designed these pages as Microsoft account login page. Thus, when a user lands at one of these web pages, they confuse the phishing site with a legit Microsoft sign-in prompt. Hence, they are likely to enter their login credentials which ultimately reach the attackers.
The researchers believe that this technique opens up a plethora of options for creating phishing URLs to the attackers. As stated in their tweet,
Because the malformed 404 page is served to any non-existent URL in an attacker-controlled domain, the phishers can use random URLs for their campaigns. We also found that the attackers randomize domains, exponentially increasing the number of phishing URLs.
Customizing 404 Pages
As reported by BleepingComputer, there are numerous ways to design custom 404 pages. The phishing web pages referred in this campaign have used Firebase for the purpose which allows users to create custom pages. Likewise, Microsoft Azure Storage also offers custom 404 page creation. Thus, such kinds of phishing campaigns may also exploit Microsoft Azure Storage as well.
Considering the endless creativity of the attackers to devise new phishing attacks, the entire responsibility of avoiding such attacks comes on the users. Make sure you deal your emails very cautiously and think twice before entering your account credentials on any site.
Stay safe!