Microsoft warns: TodayZoo phishing tool is widely used in credential-stealing attacks

The Microsoft 365 Defender team disclosed a large-scale credential-stealing phishing campaign last week and called for vigilance against “TodayZoo”, a phishing tool that stitches code from different tools into a custom suite to steal user login information.

At the end of last year, the Microsoft team detected the “TodayZoo” phishing campaign. The attackers impersonated Microsoft and sent emails posing as password reset requests or fax and scanner notifications, redirecting victims to credential theft pages.

Specifically, TodayZoo’s attack method is similar to that of another tool called DanceVida, and its imitation and obfuscation components overlap with those of Botssoft, FLCFood, Office-RD117, WikiRed, and Zenfo. However, TodayZoo uses its own filter logic to replace the original function of the credential collection component.

According to Microsoft researchers, TodayZoo is widely used because of the large number of phishing tools available for sale or rent, which makes it easy for lone-wolf attackers to pick the best features and combine them into a custom suite in an attempt to profit for themselves.

These kits can be sold openly by scam sellers, or they may be repurposed and repackaged by resellers. On the dark web, archives containing images, scripts, and HTML pages are usually sold for a one-off payment so that attackers can set up phishing emails and pages, use them as lures, and collect and transmit credentials to an attacker-controlled server.

According to Microsoft's observations, most of the phishing tools available today are derived from existing tool clusters, and because of the large amount of code shared between phishing tools, this trend will continue and become the norm.
