Spearphishing emails sent from a Kaspersky email account were disguised to seem like they originated from a Kaspersky email address.
Although phishing emails came from sender addresses such as firstname.lastname@example.org, no one from Kaspersky sent them, the security firm stated in a statement on Monday. Rather, Kaspersky’s genuine, albeit stolen, Amazon Simple Email Service (SES) token was used to send the emails.
Amazon SES is a flexible email service that allows developers to send email from any app used for marketing and bulk email communications.
As per Kaspersky’s advisory, “this access token was granted to a third-party contractor during the testing of the website 2050.earth.”
The SES token was promptly revoked after Kaspersky discovered a significant rise in recent Office 365 credential spearphishing operations – attacks that might be emanating from several threat actors. Phishing attempts frequently target Office 365 credentials.
The advisory indicated that the theft caused no damage. There wasn’t any unauthorized database access, server compromise, or any other malicious activity at 2050.earth and related services.
Phishers use these emails to send individuals to carefully constructed phishing sites so they may submit credentials, believing they’re doing so for a genuine cause. They sometimes trick people by imitating a trustworthy organization (like Kaspersky), application, or institution.
The cybercriminals who devised the Kaspersky-themed plan did not try to pass themselves off as Kaspersky personnel. Instead, phishing emails are usually disguised as “fax notices,” leading victims to phony websites that capture Microsoft’s online services credentials. It’s not the first time the old “fax alert” jingle has been received: In December 2020, a campaign that employed the same email con also targeted Office 365 credentials.
The phishing emails from Kaspersky were sent from various ostensibly Kaspersky addresses, and they came from a variety of domains, including Amazon Web Services architecture.
The phishing efforts use a phishing kit called “Iamtheboss” by Kaspersky researchers, which is used in combination with another phishing kit called “MIRCBOOT.”
MIRCBOOT is one of the phishing kits discovered by Microsoft lately as part of a large-scale, well-organized, sophisticated phishing-as-a-service (PhaaS) operation dubbed BulletProofLink by the cybercriminals.
MIRCBOOT and the other phishing kits provided on BulletProofLink allow would-be cybercriminals to build up websites and acquire domain names to begin phishing campaigns, posing as, for example, employees of a security agency.