On December 27, 2019, Microsoft published a report on its website informing the world about a North Korean hacker group's attempts to hack thousands of Microsoft user accounts. This hacker group, popularly known as “Thallium”, has tried to steal sensitive information from Microsoft users' email accounts.
Microsoft filed a court case against this hacker group in the U.S. District Court for the Eastern District of Virginia. Upon investigation, the court gave Microsoft permission to take control of 50 domains that Thallium uses to conduct unlawful operations. Since this move, the fake websites that Thallium used will no longer be in operation.
Apparently, some unexpected, highly ranked North Korean officials are involved with this hacker group. For many Americans, Japanese and South Koreans, this news is nothing new. Just about a year ago, CNN published a report linking North Korean hackers to several bank hacks around the globe. The Russian cybersecurity firm Kaspersky had initiated the investigation of this matter.
How Did Thallium Carry out These Cyber Attacks? What Techniques Did They Use This Time Around?
Thallium group members used a popular data collection technique known as “spear phishing”. Spear phishing is the fraudulent practice of sending emails that appear to come from a known or trusted sender in order to collect confidential information such as login credentials, banking information, or personal details (such as date of birth, full name, address, and much more).
They created an email from a fake Microsoft account that looked a lot like the real one. If you look closely at the image above, the character “m” in the email address is actually an “r” and an “n” placed next to each other; together they look like an “m”. These emails have a catchy, authentic-looking subject line such as “Unusual Sign-In Activity”. The font used in the body of the email (Segoe UI) is also the same one Microsoft uses in its products.
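The “rn” for “m” trick described above can be caught mechanically by collapsing look-alike character sequences in a sender's domain before comparing it with a trusted list. The following is an added example written for this article, not code from Microsoft or from the report; the trusted-domain list, the small confusables table and the sample From: headers are all constructed assumptions.

```python
import unicodedata
from email.utils import parseaddr

# Assumed trusted sender domains (illustrative, not an official Microsoft list).
TRUSTED_DOMAINS = {"microsoft.com", "outlook.com", "live.com"}

# Character sequences that look alike in proportional fonts such as Segoe UI.
# Constructed, illustrative table; a real deployment would use a fuller list.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}


def skeleton(domain: str) -> str:
    """Map a domain to a 'skeleton' in which look-alike sequences are collapsed.

    NFKC normalisation folds full-width and similar Unicode variants first, then
    the ASCII confusable pairs are replaced, so 'rnicrosoft.com' -> 'microsoft.com'.
    """
    s = unicodedata.normalize("NFKC", domain).lower()
    for seq, rep in CONFUSABLES.items():
        s = s.replace(seq, rep)
    return s


def _matches(domain: str, trusted: str) -> bool:
    """True if domain is the trusted domain itself or one of its subdomains."""
    return domain == trusted or domain.endswith("." + trusted)


def classify_sender(from_header: str) -> str:
    """Classify the domain of a From: header as 'trusted', 'lookalike' or 'other'."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "other"
    domain = addr.rsplit("@", 1)[1].lower()
    if any(_matches(domain, t) for t in TRUSTED_DOMAINS):
        return "trusted"
    # Not trusted as written, but visually indistinguishable from a trusted domain.
    if any(_matches(skeleton(domain), skeleton(t)) for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "other"


# Constructed sample headers for demonstration; none is a real observed sender.
SAMPLE_FROM_HEADERS = [
    "Microsoft account team <account-security-noreply@notify.microsoft.com>",
    "Microsoft account team <account-security-noreply@rnicrosoft.com>",
    "Alice <alice@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(f"{classify_sender(header):9s}  {header}")
```

Used as a mail-gateway or SIEM enrichment, the “lookalike” verdict is the signal worth alerting on, since a genuine Microsoft notice would never arrive from such a domain.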
Once a user clicks the link in the email, it takes them to another website where they are asked to reset their password. Here the hackers capture the username and password of the victim's Microsoft account. Members of Thallium later use these login credentials to review emails, contact lists, and calendar appointments.
Worse still, they also create a new mail forwarding rule in the victim's account, so that mail arriving in the victim's inbox is also delivered to Thallium-controlled accounts. Hence, if you mistakenly clicked on the fake email sent by Thallium on 27 December 2019, do not worry. Microsoft has seized all 50 domains used by Thallium to run this operation. Your data is safe and secure.