
There are no safe spaces on the internet. Cybercriminals will exploit any and every opportunity to launch attacks. This has been demonstrated again by researchers at SlashNext, who have uncovered a new credential harvesting campaign. The attack leverages the profile service Gravatar to exploit trust in well-known brands such as ProtonMail, AT&T, and Comcast Xfinity. The phishing tactic crafts convincing fake profile update requests to evade security scrutiny and increase success rates. As cybercriminals improve their attacks, organizations and individuals must also improve their defenses to thwart them.
Leveraging Gravatar
Gravatar, a shareable global profile, acts like a digital business card. It allows people to quickly, consistently, and seamlessly share a profile that is linked to an email address. There are over 200 million Gravatar profiles, and many websites and web services accept Gravatar identities.
A new Profiles as a Service (PaaS) function was introduced in early 2024, which allows web developers to integrate comprehensive user profile data into their applications. Through the use of an API, businesses can manage user profile data to offer personalized interactions, thus fostering improvements in e-commerce, customer relations management, and other services. This service has a domain name capability that allows users to link any domain name to their public profiles.
Cybercriminal Deception and Manipulation
Threat actors have initiated new campaigns to leverage Gravatar’s new capability. Lawrence Pingree, VP at Dispersive, highlights that this is to be expected. “Hackers will constantly adapt their tactics to stay ahead of security defenses.” He also points out that phishing remains the primary cause of data breaches. This specific credential harvesting attack also begins with phishing emails.
The phishing emails are crafted to appear to originate from a well-known and respected company, requesting that the user log in to their Gravatar profile with that company to verify or update their profile. Stephen Kowski, Field CTO for SlashNext, pointed out in the blog announcing this attack that “whether a ProtonMail interface, a telecom login page like AT&T’s, or a Comcast Xfinity portal, these impersonations are designed to be as convincing as possible, increasing the likelihood of users falling for the scam.” Mimicking well-known brands that command instant trust, using legitimate infrastructure such as Gravatar, and customizing each lure all increase the likelihood of users being tricked into handing their login information to a bad actor.
With this ruse, it is possible for attackers to gain access to the victim's user profile. By compromising the cloud-based profile, attackers can harvest the sensitive customer data which may be useful in future exploitation efforts.
Preventive Measures
There are a number of steps that can be taken to mitigate the threat from this and most phishing-based attacks. “Organizations need to adopt a multi-layered approach to security, combining technology with strong policies and employee education,” according to Pingree. He also emphasized that “security needs to focus on preemptive cyber defense technologies instead of being so reliant on detection and response.”
Users need to remain alert for phishing. A practical safeguard is to treat email with caution, especially messages requesting a login. If asked to click on a link, verify the URL first. In most cases, it is more secure to enter a website address manually than to rely on an embedded link. Users should use unique passwords so that one compromised password does not give attackers access to multiple accounts, and should enable two-factor authentication (2FA) whenever possible.
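As an added illustration of the URL check described above (example code, not from the article or from SlashNext), a small Python filter flags links whose visible text names a brand but whose host is not that brand's domain, or that point at a profile-hosting service. The brand-to-domain mapping, the profile host list, and the sample email body are constructed assumptions for this example.

```python
import re
from urllib.parse import urlparse

# Assumed mapping of brand names (as they appear in link text) to the domains
# they legitimately use. Constructed for this example, not taken from the article.
BRAND_DOMAINS = {
    "protonmail": {"proton.me", "protonmail.com"},
    "at&t": {"att.com"},
    "xfinity": {"xfinity.com", "comcast.com"},
}

# Profile-hosting services where a page can be dressed up to look like a brand.
PROFILE_HOSTS = {"gravatar.com"}

# Matches <a ... href="URL" ...>link text</a> in an HTML email body.
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registered_domain(host: str) -> str:
    """Crude eTLD+1: keep the last two labels (sufficient for the domains above)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_links(html: str) -> list:
    """Return (url, reason) pairs for links whose wording and host disagree."""
    findings = []
    for href, text in LINK_RE.findall(html):
        host = urlparse(href).hostname or ""
        domain = registered_domain(host)
        if domain in PROFILE_HOSTS:
            findings.append((href, "link points to a profile-hosting service"))
            continue
        for brand, domains in BRAND_DOMAINS.items():
            if brand in text.lower() and domain not in domains:
                findings.append((href, f"text names {brand} but host is {host}"))
    return findings


# Constructed sample email body; the hosts are placeholders, not real sites.
SAMPLE = (
    '<p>Please <a href="https://acme-example.gravatar.com/update">verify your '
    'ProtonMail profile</a> today.</p>'
    '<a href="https://my-profile.example.net/att">update your AT&T profile</a>'
    '<a href="https://account.xfinity.com/">Xfinity account</a>'
)

if __name__ == "__main__":
    for url, why in check_links(SAMPLE):
        print(f"{url}: {why}")
```

Only the third link passes, because its text and its registered domain agree; the first two are flagged for review.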
The use of a secure browser or security extensions is a growing requirement. There are a number of products that protect users from malicious phishing and social engineering payloads and dangerous websites by identifying messages that are criminal in nature. Some of these types of products can identify impersonated brand images and logos. This feature would be especially useful against the Gravatar harvesting campaign. There are many companies providing some level of browser security. Three examples are SlashNext Browser Phishing Protection, Perception Point Advanced Browser Security extension, and Menlo Security HEAT Shield.
Last Word
Trust in internet services is constantly being challenged. Impersonating and exploiting customer trust in a service as benign as Gravatar is another example of how actively cybercriminals are operating. People must remain vigilant that any email they receive may not be what it appears to be. Organizations also need to strengthen their defenses. For example, Gravatar supports two-step authentication and offers a way for users to report abuse, including impersonation.
In addition to improvements in vigilance and security awareness, technological solutions need to be deployed to recognize and prevent attacks that leverage cloud services. SlashNext’s Kowski reiterates that the browser level, where attacks occur, has become a crucial focal point in defending against evolving threats. The bottom line is organizations and individuals must become proactive in their security efforts to combat the constantly evolving threat environment.