A new phishing campaign is attempting to trick users into believing they’ve missed important emails, security researchers are warning.
The emails
The bogus email alerts look like they are coming from the recipient’s email domain, and falsely claim that due to a “Secure Message system” upgrade, important messages have been blocked.
To “release” (view) the emails, recipients are instructed to click on the “Move To Inbox” button/link and, if they do, they are taken to a page impersonating a webmail login site.
Another variant of the email claims that messages have been put in “spam quarantine” and asks the user to log into their email via a provided link to “view the most update spam folder or blacklist sender.”
The spoofed emails (Source: Palo Alto Networks, Unit 42)
“The phishing pages are designed to trick the user by using trusted logos,” Palo Alto Networks researcher Reethika Ramesh shared.
To complete the illusion of legitimacy, the login page comes pre-filled with the recipient’s email address.
“When the user enters their password, it sends this data via an HTTP POST request to a malicious server. It then shows a fake ‘The login is invalid’ error message for 2 seconds and clears the password field. This is a known tactic to get users to re-enter their password, in case they mistyped it the first time,” she added.
The trick is repeated once more, and on the third login try, recipients are redirected either to their real domain or to Google Search.
On some of the fake login pages there’s also a JavaScript file that collects the victim’s credentials and creates a data exfiltration URL – a Telegram Bot API endpoint – to send them to the attacker’s Telegram bot.
Malwarebytes researchers have also spotted similar emails and pinpointed another variant of the attack: “The phishing site’s code is heavily obfuscated, and credentials are harvested through a websocket. Cybercriminals love using websockets because they receive your details the instant you type them into a phishing site, and can even send prompts for additional information, such as two-factor authentication (2FA) codes.”
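As an added illustration (not part of the original article or the researchers' work), here is a small detection pass a defender could run over web-proxy logs to surface the exfiltration pattern described above: a POST from a login-looking page to a Telegram Bot API endpoint. The log lines, hostnames, client addresses and bot token are constructed; only the `api.telegram.org/bot<token>/<method>` URL shape is Telegram's real public API format.

```python
import re
from urllib.parse import urlparse

# Constructed web-proxy log lines (not from the article): timestamp, client,
# method, URL, referer. The third line mirrors the behaviour described above:
# a POST from a just-visited login page to a Telegram Bot API endpoint.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.0.12 GET https://mail.example.com/owa/ -
2024-05-01T09:00:05Z 10.0.0.12 GET https://secure-message-release.example/login.html?email=a@example.com -
2024-05-01T09:00:20Z 10.0.0.12 POST https://api.telegram.org/bot123456:EXAMPLE-TOKEN/sendMessage https://secure-message-release.example/login.html
2024-05-01T09:01:00Z 10.0.0.13 GET https://api.telegram.org/bot555:OTHER/getMe -
2024-05-01T09:02:00Z 10.0.0.14 GET https://news.example.org/ -
"""

# Telegram Bot API paths have the form /bot<token>/<method>. The assumption
# here is that ordinary user workstations have no business calling it.
TELEGRAM_BOT_RE = re.compile(r"^/bot[0-9]+:[A-Za-z0-9_-]+/(\w+)")
LOGIN_HINTS = ("login", "signin", "owa", "webmail")


def parse_line(line):
    ts, client, method, url, referer = line.split(" ", 4)
    return {"ts": ts, "client": client, "method": method, "url": url, "referer": referer}


def looks_like_login_page(url):
    u = urlparse(url)
    return any(h in (u.path + u.query).lower() for h in LOGIN_HINTS)


def find_exfil_candidates(log_text):
    """Return (client, bot method, severity) for every Telegram Bot API call.
    A POST whose referer is a login-looking page is the harvested-password
    pattern and is rated high; any other Bot API traffic is kept as low."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        u = urlparse(e["url"])
        m = TELEGRAM_BOT_RE.match(u.path)
        if u.hostname != "api.telegram.org" or not m:
            continue
        from_login = e["referer"] != "-" and looks_like_login_page(e["referer"])
        severity = "high" if (e["method"] == "POST" and from_login) else "low"
        hits.append((e["client"], m.group(1), severity))
    return hits
```

The websocket variant Malwarebytes describes would need a separate check on connection-upgrade events, which this pass does not cover.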
What should users do?
Some of these emails will probably evade email security filters and users should learn to avoid falling for these and similar tricks.
The general advice is to never click unsolicited email links, especially those contained in “urgent” emails, and check the URL of every login page before entering credentials.
If unsure, verify the legitimacy of a request by contacting your IT department or support via a known channel.
