
Increase in Phishing Attacks


  • 21 Jun 2018
  • DigitalXRAID

Summary

DigitalXRAID are currently observing ongoing phishing campaigns targeting business email accounts with a view to harvesting credentials. Once credentials are harvested, it appears that the threat actor uses them to gather further information and relies on password re-use to compromise other business applications tied to the same account. At present, the ultimate goal of the attacker is not clear. However, this type of activity is typical of Business Email Compromise attacks, where a threat actor will compromise accounts and gather information for later use to commit further attacks, financial fraud and targeted attacks.

 

Delivery

  • The observed emails are sent via open or compromised mail servers owned by legitimate organisations.
  • The suspicious emails use enticing subject lines (e.g. COMPANY NAME – INVOICE PAYABLE).
  • The suspicious emails use the name of the initial phishing victim in the email address (e.g. Bob[a]legitimatedomain[d]com) with an email signature showing the initial victim's legitimate contact details.
  • Various sample emails have been analysed by DigitalXRAID analysts and, while they use different phishing landing pages, have been determined to be part of the same campaign.

 

Exploit

  • The email samples analysed by DigitalXRAID include image links to (what appear to be) compromised websites that are used to host phishing pages for Dropbox, Smartsheet & other business SaaS providers.
  • When the victim unwittingly clicks the malicious link, they are presented with a replica login page of a legitimate SaaS provider that requests credentials to log in.
  • Once the victim gives up their credentials, the malicious page then prompts the user for their mobile telephone number to confirm their identity. It is assumed that these details are harvested for further compromise.
  • Once the victim has filled in both credential prompts, they are redirected to the login page of the legitimate SaaS provider, a technique used to try to avoid arousing user suspicion.
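
The delivery and exploit traits above can be turned into a simple mail-triage check. The Python below is an added example, not DigitalXRAID tooling: it flags the invoice-style subject and any image wrapped in a link whose branding names a SaaS provider while the link target is some other host. The function name `triage`, the brand-to-domain map, the subject pattern and the sample message are all assumptions constructed for illustration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: brands named in the advisory mapped to their real login domains.
BRAND_DOMAINS = {"dropbox": "dropbox.com", "smartsheet": "smartsheet.com"}
SUBJECT_LURE = re.compile(r"\binvoice\b.*\bpayable\b", re.I)

class ImageLinkParser(HTMLParser):
    """Collect (href, img alt/src text) for every <img> nested in an <a>."""
    def __init__(self):
        super().__init__()
        self.href, self.image_links = None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self.href = a.get("href")
        elif tag == "img" and self.href:
            self.image_links.append((self.href, f"{a.get('alt', '')} {a.get('src', '')}"))
    def handle_endtag(self, tag):
        if tag == "a":
            self.href = None

def triage(raw_message: str) -> list[str]:
    """Return human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    lure = SUBJECT_LURE.search(msg["Subject"] or "")
    findings = ["subject: invoice-payable lure"] if lure else []
    body = msg.get_body(preferencelist=("html",))
    parser = ImageLinkParser()
    parser.feed(body.get_content() if body else "")
    for href, label in parser.image_links:
        host = (urlsplit(href).hostname or "").lower()
        for brand, domain in BRAND_DOMAINS.items():
            if brand in label.lower() and host != domain and not host.endswith("." + domain):
                findings.append(f"image link: {brand} branding points to {host}")
    return findings

# Constructed sample message (not from the campaign); hosts are placeholders.
SAMPLE = """\
From: Bob <bob@legitimatedomain.example>
Subject: ACME LTD - INVOICE PAYABLE
Content-Type: text/html; charset=utf-8

<a href="https://compromised-site.example/docs/login.php"><img src="https://compromised-site.example/img/dropbox-logo.png" alt="View on Dropbox"></a>
<a href="https://www.dropbox.com/login"><img alt="Dropbox" src="x.png"></a>
"""
```

Calling `triage(SAMPLE)` reports the subject lure and the first link only; the second link is left alone because it resolves to the provider's own domain. Findings like these are triage signals for an analyst, since legitimate mail can also carry vendor logos that link elsewhere.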

 

Actions

  • The specific actions of the threat actor are unknown at this point. However, it appears that the compromised credentials are used in some way to further compromise other acquaintance organisations via phishing, much like the initial attack.

 

DigitalXRAID advise all clients, partners and associates to exercise caution when opening unexpected emails. As always, ensure that the sender is legitimate and trusted before following any links or opening any attachments.

 

No indicators of compromise have been included at this time due to ongoing investigations. DigitalXRAID Analysts continue to monitor the situation and will provide updates via this article should further details become available.

 

Stay vigilant.
