To make their activities more convincing recently, attackers have started exploiting already trusted-looking compromised websites instead of using fake domain names. This method makes it harder for users to become suspicious and makes it more difficult for automated security systems to detect malicious traffic.

Teams, Xfinity, and UAE Pass users by utilizing compromised WordPress sites.The most dangerous aspect of the attack is that email filters and users fail to notice the risk because the infrastructure is hidden within reputable sites. This situation provides cyber attackers with a significant stealth advantage.

Three main social engineering themes, such as "missed voicemail," "shared important document," or "UAE Pass login request," are used in the attack to deceive users.

The common point of all these scenarios is creating a sense of urgency in the user, forcing them to click the link. The attack process is completed in four stages: the deceptive email, an intermediate redirection (especially via skimresources[.]com), and finally, the fake login screen where information is stolen.  

Another strategy of the attackers is to hide malicious content not randomly on the sites, but in critical system folders like wp-includes or bin. This method makes the job of defense teams more difficult by allowing malicious files to blend in with normal site traffic. The IOC (Indicator of Compromise) addresses shared in the article reveal concrete examples of this stealthy concealment method.  

Consequently, this method emerges as a much more advanced version of classic phishing approaches. It is no longer sufficient to rely solely on domain reputation; user awareness, URL redirection analysis, and the proactive monitoring of even presumed safe sites have become a critical necessity for security.

Some of the precautions we need to take to protect against these types of attacks include:

• Do not open emails from untrusted sources.

• Use multi-factor authentication (MFA).

• Keep your system updated to the latest version at all times.

• Monitor login logs regularly.

• Track the security of mobile devices.

For detailed information, you can reach out to our experts at info@zerosecond.com.ae