Newly discovered ‘Heatstroke’ phishing campaign targets victims to steal PayPal credentials and credit card information

• The attackers have hosted two different phishing kits for Amazon and PayPal, although the tactics and techniques used are the same.
• The stolen credentials are transferred to an email address using steganography, a popular method used for hiding or embedding data into an image.

A sophisticated multistage phishing campaign dubbed as “Heatstroke” was recently identified by security researchers. The phishing technique was identified to employee more sophisticated methods apart from classic techniques such as hiding malicious URLs inside legitimate website address and using diverse social engineering techniques. The threat actors behind this campaign are found to target and steal PayPal and Credit Card information.

The campaign was named “Heatstroke” after a variable found inside the phishing kit’s malicious code.

Who discovered this phishing campaign?

Security researchers from Trend Micro discovered this sophisticated phishing campaign and made it public via a detailed technical analysis report. The report also includes a deep dive into the different methods used by the malicious payload that steals information from victims.

How do Heatstroke threat actors choose their targets?

The threat actors behind the Heatstroke phishing campaign are found to do a considerable amount of research on potential victims before selecting them as targets for the phishing attack. Security researchers pointed out that, “They aim for their victim’s private email addresses, which they most likely collected from the victim’s address list, which also includes managers and employees in the technology industry.”

It was also found that the threat actors focused on Gmail addresses as they can gain access to the Google Drive and further hack the Android phone linked to the email address.

Multistage attack

• Heatstroke uses a multistage approach as contrary to other typical phishing attacks that use a single landing page.
• The attackers make all efforts to hide their trails such as masking the source location of the phishing kit, constantly changing bypass filters and provides feasibility to block certain IP ranges, crawling service, vulnerability scanners, and more.
• The attackers seem to provide this phishing kit as “phishing-as-a-service” and may even have customers, operators, and even developers.
• The phishing attack will be generated based on the victim’s country of origin.

Infection chain

The below image from the Trend Micro report shows the different phases of the Heatstroke phishing attack. Researchers also pointed out that the infection chain may change due to user or behavior properties.

Image 1: Heatstroke infection chain (Credits: Trend Micro)

Two different phishing kits for Amazon and PayPal

The stolen credentials are transferred to an email address using steganography, a popular method used for hiding or embedding data into an image. Researchers identified two different phishing kits, one for Amazon users and a second one for stealing PayPal credentials. Both these kits shared the same tactics and techniques such as the hosting website, type of information stolen, and also similar masking techniques. This also leads to the conclusion that both kits could be of the same origin.

Bottom line

Heatstroke is a perfect example to highlight the fact that phishing attacks no more stick to classic techniques. The multistage capabilities, the ability to hide trails, and other sophisticated techniques suggest that users will have to be much more careful when encountering phishing emails.

“The fact that Heatstroke’s developer is apparently adopting the phishing-as-a-service business model means other cybercriminals will bank on this phishing kit for their own attacks to steal PII and payment data,” said the researchers.