Threat actors are using a precisely focused phishing effort to obtain business and financial information from victims by imitating Pfizer. Rather than impersonating a fictitious organization, phishing actors prefer to impersonate well-known brands, since their odds of success are significantly higher.
Pfizer is a renowned pharmaceutical business that has received much attention for developing one of the few COVID-19 mRNA vaccines currently available. In a recent report by INKY, researchers explain that threat actors are imitating Pfizer in a phishing email operation that began around August 15, 2021.
The perpetrators of this phishing attempt are skilled at combining “clean” PDF downloads with freshly created domains that appear to be official Pfizer web properties. Then, in order to get around email protection systems, they create email accounts on these domains and use them to send the phishing emails.
Namecheap, which accepts cryptocurrencies as a payment option, was used to register the domains, allowing the actors to stay anonymous. INKY has observed the following examples:
- pfizer-nl[.]com
- pfizer-bv[.]org
- pfizerhtlinc[.]xyz
- pfizertenders[.]xyz
The first, pfizer-nl[.]com, would lead you to believe it’s the official web portal of Pfizer Netherlands, where the company does have a presence.
Urgent quotes, invitations to bid, and industrial-equipment supply issues are common subject lines. Given the rapid spread of new COVID-19 variants, phishing actors have little trouble instilling a sense of urgency in these emails.
In the majority of the 400 samples examined by INKY analysts, the actors employ a professional-looking 3-page PDF document describing due dates, payment terms, and other details that together make up a plausible request for quotation.
The PDF is free of malware-downloading links or phishing URLs that would alert email security software, and free of the errors that would reveal the scam. Instead, recipients are asked to submit their quotations to addresses on the fictitious Pfizer domains, such as quote@pfizerbvl[.]com or quotation@pfizersupplychain[.]com.
While the campaign’s exact purpose is unknown, the fact that payment terms are included in the PDF suggests that the threat actors will ask the recipient for banking information at some point.
If payment information is given, the attackers may exploit it in future BEC efforts aimed at the customers of the targeted firm. In addition, the actors do not ask for personal information in the initial contact, which lowers the recipients’ guard.
Replying to these emails deepens the deception, since the victim hopes to win a lucrative contract with a prominent business. When receiving emails with unexpected bidding requests, it’s usually better to call the company’s main number and ask for the appropriate person. If that person does not work at the company or is unaware of the request, you can disregard it and delete the emails.
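The pattern described above, a clean PDF paired with reply addresses on brand-lookalike domains, is detectable from the mail headers alone, independent of the attachment. The following is an added illustration of that check and is not code from INKY or from the article; the allowlist of legitimate Pfizer domains, the header samples and the scoring are assumptions constructed for the example.

```python
from email.utils import parseaddr
from typing import Dict, List, Optional

# Assumed allowlist: the brand's real domains. In production this comes from the
# organisation's vendor directory, not from a hard-coded set.
LEGITIMATE_DOMAINS = {"pfizer.com"}
BRAND_TOKENS = ("pfizer",)


def refang(value: str) -> str:
    """Turn de-fanged notation such as pfizer-nl[.]com back into a real domain."""
    return value.replace("[.]", ".").lower()


def sender_domain(header_value: str) -> Optional[str]:
    """Return the domain of an address header (From, Reply-To, ...), or None if unparseable."""
    _, address = parseaddr(refang(header_value))
    if "@" not in address:
        return None
    return address.rsplit("@", 1)[1]


def is_brand_lookalike(domain: str) -> bool:
    """True when the domain mentions the brand but is neither a real brand domain
    nor a subdomain of one. Catches pfizer-nl.com, pfizertenders.xyz, pfizerbvl.com."""
    domain = refang(domain)
    if domain in LEGITIMATE_DOMAINS or any(domain.endswith("." + d) for d in LEGITIMATE_DOMAINS):
        return False
    labels = domain.rsplit(".", 1)[0]           # drop the TLD
    flattened = labels.replace("-", "").replace("_", "")  # "pfizer-nl" -> "pfizernl"
    return any(token in flattened for token in BRAND_TOKENS)


def scan_message(headers: Dict[str, str]) -> List[str]:
    """Return the reasons a message should be held for review (empty list = clean)."""
    findings = []
    for name in ("From", "Reply-To", "Return-Path"):
        value = headers.get(name)
        if not value:
            continue
        domain = sender_domain(value)
        if domain and is_brand_lookalike(domain):
            findings.append(f"{name} uses brand lookalike domain {domain}")
    # A Reply-To on a different domain than From is a quote-fraud / BEC indicator on its own.
    from_dom = sender_domain(headers.get("From", ""))
    reply_dom = sender_domain(headers.get("Reply-To", ""))
    if from_dom and reply_dom and from_dom != reply_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return findings


# Constructed sample headers modelled on the campaign; none are real messages.
SAMPLE_MESSAGES = [
    {"From": "Pfizer Procurement <tenders@pfizertenders[.]xyz>",
     "Reply-To": "quote@pfizerbvl[.]com",
     "Subject": "Urgent RFQ - industrial equipment supply"},
    {"From": "Jane Doe <jane.doe@pfizer.com>",
     "Subject": "Meeting notes"},
    {"From": "Procurement <vendor@example.com>",
     "Reply-To": "quotation@pfizersupplychain[.]com",
     "Subject": "Invitation to bid"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["Subject"], "->", scan_message(msg) or "clean")
```

The check deliberately ignores the PDF: the article's point is that the attachment is clean, so the lookalike sending and reply domains are the durable indicator. A real deployment would also feed the domain registration date into the score, since every domain in the campaign was freshly registered.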