Payment redirection fraud is a scam involving a criminal actor deceiving users into paying to a fraudulent account. This attack combines phishing and social engineering targeting a company’s employees rather than its infrastructure. Finance teams or anyone that pays invoices as part of their jobs are prime targets for criminals as payment requests become a part of their day-to-day crime. Payment redirection fraud almost always involves impersonating a trusted contact, creating fake invoices and using a hijacked user email address.
Read more in the below report as we look at the ways in which a payment redirection fraud attack can occur and our recommended best practices to avoid these from happening.
There are any number of ways this attack could happen. A common attack method is “a pass-the-cookie" style attack. We often see “client=owa;action=viaproxy” in User Agent logs, which is indicative of a login to the Outlook web application through a proxy server. The proxy server acts as an intermediary between the user's device and the active directory authentication service. We also regularly see evidence of attackers attempting to re-sign in following the revocation of all session tokens for a user, Indicative that an attacker only ever had a session token rather than valid credentials; otherwise, they would have signed back in using the credentials they had, and at worst triggered an MFA request.
How likely is Payment redirection fraud?
There are several free tools that attackers can use to quite simply launch attacks like the above. Evilginx2 is one of many sophisticated phishing frameworks that is often used to deceive and steal sensitive information from users. It creates convincing login pages for various online services, tricking victims into providing their credentials. It then captures and stores the stolen data for malicious purposes. This tool can be employed by cybercriminals to conduct targeted and realistic phishing attacks, compromising personal and financial data.
Will MFA protect me from payment redirection fraud?
As organisations increase their coverage of MFA, attackers have begun to move to more sophisticated techniques to compromise accounts without having to satisfy MFA by capturing and replaying a token issued to a user that has already completed MFA and has access to corporate resources. This poses significant risks to organisations and defenders because the expertise needed to compromise a token is very low and hard to detect as the actor appears and acts like a legitimate user. Few organisations have sufficient defences to prevent such an attack.
Azure Active directory (AAD) and OAuth
Tokens are at the centre of OAuth 2.0, which Azure Active Directory (AAD) uses to facilitate secure authentication and authorisation of users and applications in the Microsoft ecosystem, providing a standardised way for users to access AAD-protected resources. When AAD issues a token, it contains information such as username, source IP address MFA and any privileges that the user has in AAD.
With traditional credential phishing, the attacker may use their compromised credentials to attempt a sign-in to AAD. As MFA is enforced here, the attacker would be stopped at this point unless the attacker can socially engineer the MFA code from the user. Attacker methodologies are evolving to keep up with modern defences.
Pass-the-cookie attacks are attacks whereby an attacker can bypass authentication controls by compromising browser cookies. Browser cookies are small pieces of data stored on a user’s computer by websites they visit. These cookies are used for various purposes, but importantly for us, their primary use is to maintain state of identity across different sessions. Two key takeaways from session cookies, the cookie is generated AFTER the MFA has taken place, and the cookie is accepted as proof of authentication without the need to know or provide a username or password. The attacker may also have additional attack vectors, such as personal email addresses or social media accounts that the user may have accessed on the same device/browser.
Outlook Web Application will trust session cookies and grant the actor complete access, and this can be evident in the sign-in logs have the conditional access status of “MFA requirement satisfied by claim in the token.”
Adversary-in-the-middle attacks go beyond traditional credential phishing by inserting malicious infrastructure between the user and the legitimate application the user is trying to access. When the user clicks the malicious link, the infrastructure can capture the user's credentials and the token as well as all communication between the legitimates server and the end user. Adversary in the middle attacks also route the user to the legitimate applications collecting information on route adding weight to the legitimacy of the attack. Once the attacker collected the user's token due to a lack of controls on the length of session, they can have indefinite access to the user’s emails.
Session tokens can last almost indefinitely so long as the user has not been disabled or the session tokens are revoked. Part of the AAD authentication cycle involves issuing Primary Refresh Tokens (PRTs.) PRTs in AAD are long-lived authentication tokens that enable Sign-On experiences for users across various applications and services. When a user initially logs in to an application using their AAD credentials, an Access Token and a Refresh Token are issued. The Refresh Token is used to obtain new Access Tokens without requiring the user to re-enter their credentials.
Can I issue a fresh session token?
Azure AD provides the capability to revoke a refresh token. Once a refresh token is revoked, it’s no longer valid. The user will be prompted to re-authenticate when the associated access token expires. Sign-in logs can show evidence of this revocation, whereby the attacker will fail to authenticate after losing the refresh token. This will identify if a user has been breached.
User Awareness Training
User awareness training with employees can act as a tough defence against cyber threats. Today, it's believed that the human factor remains one of the most vulnerable points of entry for cyber criminals. User awareness training equips individuals with the knowledge and skills needed to identify and thwart common cyber threats, such as phishing, social engineering, and ransomware attacks.
By investing in comprehensive user awareness training programs, organisations can empower their employees to make informed decisions, spot suspicious activities, and respond appropriately to potential security breaches. Such training fosters a culture of cyber security consciousness, making employees active participants in safeguarding sensitive data and company assets.
Through continuous education and reinforcement of best practices, users become the first line of defence, strengthening the organisation's overall cyber security posture.
Office 365 gives the option of preventing persistent sessions; such controls could stop an attacker from being able to stay logged in after the first session cookie was stolen. Thereby greatly reducing the amount of time that they have access to corporate data.
Administrators can set sign-in frequencies, which defines the period before a user is asked to sign in again when attempting to access a resource. Administrators can select a period (hours or days) or choose to require reauthentication every time.
Users will find little impact depending on the length of the session set typically 8 hours is sufficient to allow the user to work all day unimpacted before the sessions expire.
Conditional Access (CA)
CA is a security approach that controls user access to resources based on predefined conditions. It ensures that users are granted access to sensitive data, applications, or systems only when specific conditions are met. This technique often enhances security and prevents unauthorised access to critical resources.
To prevent phishing attacks that steal session cookies, CA can be effectively used in the following manner:
• MFA: By implementing conditional access policies that require MFA for access to certain applications or systems, even if an attacker manages to steal session cookies through phishing, they would still need additional authentication factors to gain access, significantly reducing the risk of unauthorised access.
• Geolocation Restrictions: Conditional access can restrict access to specific geographic regions. Access can be denied if a user's session cookie is used from an unexpected location, indicating suspicious activity possibly stemming from a phishing attack.
• Device Compliance Checks: Conditional access can verify if the user's device meets certain security requirements, such as having up-to-date software and antivirus protection. Access can be denied if the device is not compliant, preventing the use of stolen session cookies on insecure devices.
• Risk-Based Access Policies: Employing conditional access based on risk assessments can identify anomalous behaviour associated with phishing attacks. For instance, if a user's session cookie is used from an unrecognised device or IP address, the system can trigger a higher level of authentication or block access entirely.
• Time Restrictions: Setting time-based access policies can limit the validity of session cookies. If a session cookie is used outside the defined time window, access can be denied, reducing the opportunity for attackers to exploit stolen cookies.
When it comes to security checks, Cybaverse recommends checking the compromised user’s account for other signs of persistence.
These can include:
• Mailbox Rules – threat actors often create specific mailbox rules to forward or hide emails. These can include rules to hide emails in folders that are not often used. For example, a
threat actor may forward all emails containing the keyword ‘invoice’ to the Archive folder to hide them from the user or forward them to an external email address.
• Mailbox Forwarding – email forwarding may be configured to send a copy of all emails to an external email address. This allows the threat actor to silently retrieve a copy of every email the user receives.
• MFA Modification –there are instances of threat actors registering additional authentication methods against compromised accounts for use with MFA, such as phone numbers or authenticator apps.
To Sum Up
Payment redirection fraud constitutes a form of social engineering that is relatively simple for cyber criminals to initiate, and its consequences can be devastating for any business.
At Cybaverse, our experts are well trained and proficient at Imitating real-life threats and can help Identify weaknesses, whether through employee training or technical controls. If you're wanting to find out more, head to our social engineering page.