The Cofense Phishing Defense Center (PDC) reported a new phishing campaign, during which an attacker uses monetization schemes to lure users and steal their credentials. This campaign was observed imitating a well-known banking website.
During the first stage of the attackers’ intrusion, victims received emails that purported to be from the “Director of Finance” and contained a “Scheduled Wire Remittance Payment” in the form of a PDF attachment.
Typically, in phishing emails, the bank’s name would be embedded within the URL to add legitimacy. However, Cofense researchers noticed that the link that appears when hovering over the “Print Document” button is not related to the expected bank. This demonstrates the importance of organizations providing proper training to their staff, researchers say. Training would ensure that such a red flag would be recognized.
The email did not contain the recipient’s name. Instead, it used a generic “Hello” salutation in the body of the message. This is another red flag.
The attackers also included various phrases that are known social engineering lures, used to gain users’ trust by creating urgency and pushing deadlines. Among these were “decommission the encryption tool,” “document needs to be access within 90 days from the date of the email,” “Email Security Powered by,” and “Copyright 2021” in the footer of the email.
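As an added illustration (not code from the Cofense report), the following Python heuristic checks an email body for the red flags described above: a button link whose host does not belong to the expected bank, a generic salutation, and the listed lure phrases. The bank domain, the sample HTML and the phrase list are constructed assumptions for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mimicking the lure described above; not the actual email.
SAMPLE_EMAIL = """
<p>Hello,</p>
<p>Please find the scheduled wire remittance payment attached. The document needs
to be accessed within 90 days from the date of this email, after which we will
decommission the encryption tool.</p>
<a href="https://login-verify.example.net/print">Print Document</a>
<p>Email Security Powered by ExampleSecure. Copyright 2021</p>
"""
EXPECTED_BANK_DOMAIN = "examplebank.com"  # assumed domain of the impersonated bank
LURE_PHRASES = ("decommission the encryption tool", "within 90 days",
                "email security powered by", "copyright 2021")
GENERIC_SALUTATIONS = ("hello", "dear customer", "dear user")


class _LinkCollector(HTMLParser):
    """Collects visible text plus (anchor text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self.links.append((data.strip(), self._href))

    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None


def score_email(html, expected_domain):
    """Return the red flags found; an empty list means none of these heuristics fired."""
    parser = _LinkCollector()
    parser.feed(html)
    body = " ".join(" ".join(parser.text).split()).lower()  # normalise whitespace
    flags = []
    for text, href in parser.links:  # the hover target must belong to the expected bank
        host = urlparse(href).hostname or ""
        if host != expected_domain and not host.endswith("." + expected_domain):
            flags.append(f"link '{text}' points to {host}, not {expected_domain}")
    salutation = body.split(",")[0].strip()  # text before the first comma
    if salutation in GENERIC_SALUTATIONS:
        flags.append(f"generic salutation '{salutation}'")
    flags.extend(f"lure phrase '{p}'" for p in LURE_PHRASES if p in body)
    return flags
```

Running `score_email(SAMPLE_EMAIL, EXPECTED_BANK_DOMAIN)` reports the mismatched "Print Document" link, the generic "hello" salutation and all four lure phrases, while a personally addressed message linking only to the bank's own subdomain returns no flags.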
Upon clicking the link, the recipient would be redirected to a fake Microsoft login page. An attentive user would notice a clear mismatch with Microsoft’s genuine URL.
Should users enter their credentials, the attackers redirect them to Google’s homepage rather than the legitimate Office[.]com page, which was intended to create a feeling of a “genuine” experience. Researchers say this was another mistake on the part of the threat actor.
“Leveraging a legitimate business process makes the user more likely to act on it unless they’re paying keen attention to the details. Threat actors use these kinds of psychological, personalized funds-related tactics to send out attacks. Although this is one of the commonly-used tricks for phishing, it still works to lure the user,” Cofense concluded.