Greatness: Cybercriminals Now Have Access to The New Phishing-as-a-Service Platform

Greatness - The New Phishing-as-a-Service Platform

Have you heard of the new phishing-as-a-service (PhaaS) platform called Greatness? Unfortunately, cybercriminals have. They’ve been using Greatness to target business users of the Microsoft 365 cloud service since mid-2022.

With Greatness, cybercriminals can easily create and launch phishing attacks, lowering the bar for entry into the world of cybercrime.

“It contains features such as having the victim’s email address pre-filled and displaying their appropriate company logo and background image, extracted from the target organization’s real Microsoft 365 login page.”

“Greatness, for now, is only focused on Microsoft 365 phishing pages, providing its affiliates with an attachment and link builder that creates highly convincing decoy and login pages,” posted Cisco Talos researcher Tiago Pereira.

The impact of Greatness has been widespread, affecting companies in various industries including manufacturing, healthcare, and technology.

The majority of attacks have been reported in the U.S., the U.K., Australia, South Africa, and Canada, with a spike in activity detected in December 2022 and March 2023.

Phishing kits like Greatness offer malicious actors a cost-effective and scalable one-stop shop, making it possible even for script kiddies to design convincing login pages for a variety of online services and bypass two-factor authentication (2FA) protections, which can be challenging to overcome otherwise.

Figure: Summary of service component interaction in Greatness (phishing-as-a-service)

Notably, the authentic-looking decoy pages function as a reverse proxy to harvest credentials and time-based one-time passwords (TOTPs) entered by the victims.

Attack chains start with malicious emails that contain an HTML attachment. When opened, the HTML attachment executes obfuscated JavaScript code that sends the user to a landing page that asks for their password and MFA code and has already pre-filled the recipient’s email address.

Once the victim enters their login credentials and tokens on the phishing page, the information is immediately forwarded to the affiliate’s Telegram channel.
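A defender-side heuristic for the attachment stage described above, added here as an example (it is not code from the Talos report or from the Greatness kit): it scores an HTML attachment body on indicators of a self-decoding JavaScript redirect with an embedded recipient address. The indicator set, weights and threshold are assumptions for illustration, and the sample attachments are constructed.

```python
import re
from dataclasses import dataclass, field

# Indicators matching the chain described above: an HTML attachment whose
# obfuscated JavaScript decodes itself and redirects the browser, often with
# the recipient's address embedded so the landing page can pre-fill it.
# Weights are assumed values for illustration, not tuned thresholds.
INDICATORS = {
    "script_tag": (re.compile(r"<script\b", re.I), 1),
    "decoder": (re.compile(r"\b(atob|unescape|decodeURIComponent|String\.fromCharCode)\s*\(", re.I), 2),
    "redirect": (re.compile(r"(window\.location|location\.href|location\.replace|document\.write)\b", re.I), 2),
    "long_blob": (re.compile(r"[A-Za-z0-9+/=]{200,}"), 2),
    "email_literal": (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), 1),
}

@dataclass
class Verdict:
    score: int
    hits: list = field(default_factory=list)

def score_html_attachment(html: str) -> Verdict:
    """Return the weighted indicator score and the indicators that fired."""
    v = Verdict(score=0)
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(html):
            v.hits.append(name)
            v.score += weight
    return v

def is_suspicious(html: str, threshold: int = 5) -> bool:
    """Flag an attachment whose score reaches the (assumed) threshold."""
    return score_html_attachment(html).score >= threshold

# Constructed samples (not real kit output): a plain invoice page and a
# self-decoding redirect stub carrying a recipient address in a comment.
BENIGN = "<html><body><h1>Invoice 42</h1><p>Total: 100 EUR</p></body></html>"
SUSPICIOUS = (
    "<html><body><!-- jdoe@example.invalid -->"
    "<script>var p='" + "QUJD" * 60 + "';"
    "window.location.replace(atob(p));</script></body></html>"
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, score_html_attachment(body), is_suspicious(body))
```

In a mail gateway this would run on each HTML attachment before delivery, with hits logged so analysts can see which indicator drove the verdict.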

The AiTM phishing kit also comes with an administration panel that enables the actor to configure the Telegram bot, keep track of stolen credentials, and even build booby-trapped links or attachments.

What’s more, each affiliate using Greatness is required to have a valid API key to access the phishing page. This key serves several important functions, such as limiting access to only authorized users and preventing unwanted IP addresses from viewing the phishing page.

The API key also enables the phishing page to pose as the victim and communicate with the actual Microsoft 365 login page behind the scenes, further enhancing the authenticity of the attack.

Figure: Greatness target organizations by sector

“Working together, the phishing kit and the API perform a ‘man-in-the-middle’ attack, requesting information from the victim that the API will then submit to the legitimate login page in real-time,” Pereira said.

“This allows the PaaS affiliate to steal usernames and passwords, along with the authenticated session cookies if the victim uses MFA.”

These findings are especially concerning as Microsoft has recently implemented new measures to strengthen its 2FA protections. Specifically, as of May 8, 2023, Microsoft is now enforcing number matching in Microsoft Authenticator push notifications.

This is a crucial step to prevent “prompt bombing” attacks, where attackers flood users with repeated push notifications to wear them down and gain access to their accounts.

By matching the numbers displayed in the push notification with those on the login screen, Microsoft hopes to make it more difficult for attackers to carry out this type of attack.


While these changes are a positive step towards improving online security, it’s still important for users to remain vigilant and take additional steps to protect their accounts from phishing attacks.
