Advanced Phishing Campaign Targets Employee Portals with Sophisticated Techniques

In a disturbing revelation, a highly sophisticated phishing campaign targeting employee and member portals has been uncovered, utilizing advanced server-side validation techniques to evade detection. This operation, primarily designed to steal sensitive credentials, relies on phishing kits based on PHP scripts and has been traced back to Chang Way Technologies Co. Limited, a company based in Russia. The latest developments in this phishing attack have raised alarms in the cybersecurity community, as attackers deploy increasingly clever tactics to bypass security measures and avoid detection.

Phishing Campaign Unveiled: A New Era of Cybersecurity Threats

The phishing operation, first identified through an investigation by Malwarebytes and Silent Push researchers, was initially triggered by a wave of attacks against Lowe’s employees. These malicious efforts quickly evolved into a more widespread scheme, utilizing PHP-based kits that cloned legitimate login pages to harvest credentials from unsuspecting victims. By leveraging server-side validation techniques, the attackers are able to bypass traditional detection methods.

Using the HuntSQL Crawler dataset, researchers identified several phishing domains linked to the attack, particularly those containing “xxx.php” within the HTML structure and “/online” in the URL paths. One of the most notable domains, myinfoaramapay[.]com, was found impersonating Aramark’s MyAccess portal, creating an almost identical replica of the legitimate site to steal user credentials before redirecting victims to the actual Single Sign-On page.

Sophistication of Techniques: Server-Side Validation and 2FA Bypass

What sets this campaign apart from previous phishing attempts is its use of advanced server-side validation. In contrast to earlier phishing attacks, where credential validation occurred client-side, this attack uses a “check.php” endpoint to handle credential validation on the server side. This shift has made it significantly harder for security tools and researchers to detect the attack, obscuring key detection points that were previously relied upon by defenders.

The campaign has also incorporated sophisticated techniques to bypass two-factor authentication (2FA), further enhancing the success rate of the attackers. For example, a domain impersonating Highmark healthcare (hignmarkedmemb[.]com) was discovered with advanced functionality simulating a complete 2FA workflow. The attackers employ Material Design styling to replicate enterprise UI frameworks and use JavaScript-controlled OTP submission through a function called “getUpdates2fa()”. After the credentials are submitted, the script constantly polls the “check.php” endpoint to validate them server-side, greatly reducing the chances of detection.

These updates represent a significant evolution in phishing tactics, as attackers have adapted their methods to exploit vulnerabilities in the 2FA process, which many security systems rely on for protection.

Phishing Infrastructure: Multiple Domains, Multiple Targets

The phishing infrastructure supporting this campaign is extensive, with at least 12 domains hosted on the IP address 80.64.30[.]101. These domains target a range of organizations, including AT&T, AFLAC, and various corporate portals. In addition, a second server at IP address 80.64.30[.]100 hosts even more phishing domains, including those impersonating Canadian E-Services, United Airlines employee portals, and other enterprise login templates.

The primary hosting infrastructure for this attack has been traced to Chang Way Technologies Co. Limited, a Hong Kong-registered ASN previously associated with malware distribution and exploitation activities. This connection further emphasizes the sophisticated and well-organized nature of the operation.

A Growing Threat: Evolving Attack Strategies

As the tactics used in phishing campaigns continue to evolve, it’s clear that these cybercriminals are increasingly targeting high-value organizations. The goal is to gain initial access to corporate environments, where stolen credentials can be leveraged for internal pivoting and potential abuse. This strategy often allows attackers to bypass security alerts, making it harder for organizations to respond to the breach in a timely manner.

Security experts recommend that organizations implement stronger authentication measures and closely monitor any suspicious POST requests to PHP scripts like “xxx.php” and “check.php”. These scripts, particularly when paired with domains imitating well-known enterprise portals, are strong indicators of phishing activity. Additionally, it is essential to track any unusual request patterns, especially those with “type=3” parameters, as these could indicate potential OTP phishing attempts.

What Undercode Says: Evolving Phishing Campaigns and the Need for Vigilance

The phishing campaign described in the article serves as a clear reminder of how cybercriminals are continuously refining their techniques. The shift from client-side to server-side validation is a particularly alarming development, as it represents a major leap forward in stealth and sophistication. By making it harder for security tools to detect their activities, attackers have found a way to remain under the radar, even when they are operating at scale.

Furthermore, the ability to bypass two-factor authentication (2FA) is an example of how attackers are adapting to common security measures. With 2FA being an essential tool for securing online accounts, any method that can circumvent it represents a serious risk to both individual users and organizations. This highlights the importance of not relying solely on 2FA and ensuring that additional safeguards, such as behavioral analytics and anomaly detection, are in place to complement traditional security measures.

The fact that these attacks are targeting employee portals is also significant. Employee credentials often serve as a gateway into internal systems, making them a prime target for cybercriminals seeking to infiltrate organizations. Once attackers gain access to employee accounts, they can move laterally within the network, often undetected, which is why monitoring for unusual login patterns and activities is crucial for organizations.

Lastly, the infrastructure behind these attacks — with domains hosted on IPs tied to malicious activities — underscores the importance of threat intelligence sharing within the cybersecurity community. Collaboration between researchers, security teams, and organizations can help identify new phishing domains and attack vectors before they cause significant damage.

Fact Checker Results

Credential Stealing: The use of PHP-based phishing kits to steal credentials through cloned login pages is consistent with well-known phishing methods.
Server-Side Validation: The shift to server-side validation is a new and sophisticated tactic that increases stealth, as attackers are no longer relying on easily detectable client-side methods.