With a distinguished career spent on the front lines defending multinational corporations from sophisticated cyber threats, Malik Haidar has a unique perspective on the evolving landscape of digital crime. Today, we’re exploring the anatomy of a modern, large-scale phishing operation, moving beyond the simple email scam to understand the intricate machinery behind it. We’ll discuss how attackers meticulously clone trusted brands, leverage highly automated infrastructure to evade detection, and utilize legitimate software to maintain a foothold in compromised systems. We’ll also delve into the shadowy business model of initial access brokers, who turn stolen credentials into a profitable enterprise.
Recent campaigns use lookalike domains and cloned portals to impersonate major financial firms. What are the technical steps an attacker takes to create such convincing fakes, and what are the most common red flags that both users and security systems frequently miss?
It’s a depressingly streamlined process. An attacker starts by registering a domain that’s visually or typographically similar to a real brand—think an extra letter or a subtle misspelling. Then, they simply scrape the live website, copying its entire visual identity, from the CSS style sheets to the logos and login forms. The backend is then rigged to capture any credentials entered, not to log you in. The real trick is how they blend in. For instance, they’ll obtain a legitimate SSL certificate from services like Let’s Encrypt, often just hours after registering the domain. This gives the user a false sense of security with the little padlock icon in the browser. The biggest red flag that’s often missed is the domain’s age and the certificate’s issuance date—a brand new site for a hundred-year-old bank is a dead giveaway, but few people know how to check that.
Attackers are building highly automated infrastructure with features like short-lived SSL certificates and wildcard DNS records. How does this combination allow them to scale their operations so rapidly, and what specific challenges does this “pop-up” infrastructure create for security teams trying to block them?
This is what makes modern campaigns so difficult to combat. The wildcard DNS is the engine of their scalability. With one domain, say “my-usaa-portal.com,” they can instantly generate an infinite number of subdomains like “login.my-usaa-portal.com” or “verify.my-usaa-portal.com” without any extra effort. They then automate the process of getting short-lived SSL certificates for each. This creates a nightmare for security teams. We’ve seen operations with over 150 active domains at once. Traditional security relies on blocklists, but by the time you identify and block one of these “pop-up” domains, the attacker has already spun up ten more. It’s a game of whack-a-mole where the moles are multiplying faster than you can swing the hammer, and it’s designed to exhaust an organization’s defensive resources.
After stealing credentials, some attackers use Telegram bots for data exfiltration and then install legitimate remote access software like LogMeIn. Could you walk me through why an attacker chooses these specific tools over custom malware, and how this complicates detection for a typical company?
It’s a brilliant and insidious tactic called “living off the land.” Custom malware is noisy; it has unique signatures that antivirus and EDR systems are built to detect. But tools like LogMeIn are legitimate, signed applications used by IT departments everywhere. When an attacker deploys it, it looks like normal administrative activity. Security software is far less likely to flag a whitelisted tool. Using Telegram for data exfiltration is equally clever. It’s an encrypted, popular messaging app, so the traffic blends in with everyday communications, making it hard to spot the stolen credentials being sent out. This combination means the attacker isn’t tripping the usual alarms, allowing them to establish persistent, unattended access to a machine long after the initial phish, all while flying completely under the radar.
The threat actor GS7 reportedly acts as an initial access broker, selling compromised accounts to others. Can you detail this business model? For instance, how is access packaged and priced, and what kind of cybercriminals typically purchase this access for their own campaigns?
The cybercrime ecosystem has become incredibly specialized. Actors like GS7 are the wholesalers. They don’t necessarily conduct the final, major attack themselves. Instead, their entire operation is geared toward gaining that initial foothold—the stolen username and password, or better yet, persistent remote access to a machine inside a Fortune 500 company. They then package this access and sell it on dark web forums. The buyers are often ransomware gangs, data thieves, or even state-sponsored groups who are willing to pay a premium to bypass the difficult first step of an attack. The pricing depends on the value of the target; access to a major financial institution is worth far more than access to a small business. We saw one of GS7’s crypto wallets receive around 0.28 BTC, which is a significant sum, showing just how lucrative this initial access market is.
What is your forecast for the evolution of brand impersonation and phishing campaigns?
I see these campaigns becoming even more personalized and automated, fueled by AI. Instead of generic phishing emails, attackers will use AI to craft highly convincing, context-aware lures tailored to individual employees based on their roles and public information. The infrastructure will become even more ephemeral, with domains and servers that exist for only minutes, not hours, making detection and blocking nearly impossible in real time. We’ll also see a deeper integration of legitimate platforms—not just remote access tools, but also cloud services like OneDrive and SharePoint, which will be used more frequently to host malicious payloads and exfiltrate data, further blurring the line between malicious and legitimate activity. The core challenge won’t be just spotting a fake website, but distinguishing a malicious action from a normal one within the trusted tools we use every day.
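The checks Haidar describes (a brand-new registration or freshly issued certificate on a domain that merely resembles a bank, brand names embedded in unrelated domains, and the wildcard-DNS subdomain fan-out) can be turned into a small triage routine for a domain feed. The following is an added example written for this page, not code from the interview or from any vendor; the protected-brand list, the hostnames, and every registration and certificate date in it are constructed sample data. It goes slightly beyond the text by also scoring single-character typosquats with an edit distance, and it deliberately does not flag a young domain on age alone, since age is only a signal once the name already imitates a brand.

```python
"""Defender-side triage of candidate lookalike domains.

Added illustration for the interview above; not the interviewee's code or any
vendor's tooling. All hostnames, registration dates and certificate dates used
here are constructed sample data, not real observations.
"""
from datetime import datetime, timedelta, timezone

# Brands we protect and the hostnames they legitimately use (constructed list).
PROTECTED = {
    "usaa": {"usaa.com", "www.usaa.com", "mobile.usaa.com"},
    "examplebank": {"examplebank.com", "www.examplebank.com"},
}

# A registration or certificate younger than this is treated as "brand new".
YOUNG_DAYS = 30


def registrable_domain(hostname: str) -> str:
    """Return the last two labels ('login.my-usaa-portal.com' -> 'my-usaa-portal.com').
    Adequate for .com-style TLDs; a real deployment would consult the Public Suffix List."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character typosquats ('ussa' vs 'usaa')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_host(hostname: str, registered: datetime, cert_not_before: datetime,
               now: datetime) -> dict:
    """Score one observed hostname and return the reasons it resembles a clone."""
    hostname = hostname.lower()
    domain = registrable_domain(hostname)
    second_level = domain.split(".")[0]

    # Anything on a brand's own registrable domain is legitimate by definition.
    for brand, legit in PROTECTED.items():
        if hostname in legit or domain in legit:
            return {"host": hostname, "brand": brand, "reasons": [], "verdict": "legitimate"}

    reasons, matched = [], None
    for brand, legit in PROTECTED.items():
        # Brand token embedded in an unrelated registrable domain ("my-usaa-portal.com").
        if brand in second_level:
            reasons.append(f"contains brand token '{brand}' outside its legitimate domains")
            matched = matched or brand
        # Typosquat of the brand's own second-level label.
        for legit_host in legit:
            legit_sld = registrable_domain(legit_host).split(".")[0]
            d = edit_distance(second_level, legit_sld)
            if 0 < d <= 2:
                reasons.append(f"edit distance {d} from '{legit_sld}'")
                matched = matched or brand
                break

    if not reasons:
        return {"host": hostname, "brand": None, "reasons": [], "verdict": "unrelated"}

    # Age and structure signals only count once the name already imitates a brand.
    if now - registered < timedelta(days=YOUNG_DAYS):
        reasons.append(f"domain registered {(now - registered).days} days ago")
    if now - cert_not_before < timedelta(days=YOUNG_DAYS):
        reasons.append(f"certificate issued {(now - cert_not_before).days} days ago")
    if hostname.count(".") >= 3:
        reasons.append("deep subdomain, consistent with wildcard DNS fan-out")

    verdict = "likely clone" if len(reasons) >= 2 else "suspicious"
    return {"host": hostname, "brand": matched, "reasons": reasons, "verdict": verdict}


def triage(feed, now: datetime) -> list:
    """Score every (hostname, registration date, certificate notBefore) tuple in a feed."""
    return [score_host(h, r, c, now) for h, r, c in feed]


# Constructed sample feed: what a certificate-transparency or passive-DNS watcher might emit.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_FEED = [
    ("www.usaa.com", NOW - timedelta(days=9000), NOW - timedelta(days=40)),
    ("login.my-usaa-portal.com", NOW - timedelta(days=3), NOW - timedelta(days=3)),
    ("verify.account.my-usaa-portal.com", NOW - timedelta(days=3), NOW - timedelta(hours=2)),
    ("ussa.com", NOW - timedelta(days=12), NOW - timedelta(days=12)),
    ("weather-report.org", NOW - timedelta(days=2), NOW - timedelta(days=1)),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_FEED, NOW):
        print(f"{r['verdict']:13} {r['host']}  {'; '.join(r['reasons'])}")
```

In practice the registration date comes from WHOIS/RDAP and the certificate's notBefore from a certificate-transparency log or the live TLS handshake; the scoring itself is the part the interview says most people never do, and it is cheap enough to run on every new hostname an organization sees in proxy or DNS logs.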

