Sneaky Credential Phishing Campaign Discovered By Researchers

Dark web security specialist Flashpoint has detected a credential phishing campaign that achieved a low detection rate.

The campaign appears to have originated in West Africa, based on the source IP addresses of the phishing emails as well as an analysis of the scammers' tactics, techniques and lack of operational security.

Flashpoint warned that the campaign relied on malicious PDF files that contained embedded links. These links redirected potential victims to credential-harvesting phishing sites.

Unsophisticated Practices

“In general, business email compromise (BEC) scams are widely viewed as a type of cybercrime that necessitates relatively minimal technical ability,” said Ronnie Tokazowski, senior malware analyst at Flashpoint.

“Despite this, analysts industry-wide have observed BEC operators progressing from simple schemes such as 419 and fake lottery scams … towards experimenting with malware and creating sophisticated networks in order to quickly and reliably move money from one account to another.

“Through source intelligence, Flashpoint identified a recent credential phishing campaign that had a low detection rate due to its simplicity. The campaign relied on malicious PDF files containing embedded links that redirected potential victims to credential-harvesting phishing sites.”

According to Tokazowski, the scammers sent seventy-three malicious PDFs in credential phishing campaigns between 28 March and 8 August this year.

“These malicious PDFs targeted a range of verticals, including universities, software and technology companies, retailers, engineering organisations, real estate firms, and churches, with the goal of harvesting user credentials,” he warned.

The scam worked as follows: the potential victim received a malicious PDF containing a malicious link. Opening the PDF presented a prompt to view a "secure online document"; clicking that link redirected the victim to a phishing website that asked for their login credentials.

Login Harvesting

At this stage the phishing page presented the potential victim with several options to "download" the file, each asking for the login credentials of their organisation. Once a victim entered their credentials, the script redirected them to a document or web page owned by the targeted organisation.

“If valid credentials were submitted, the actors behind the phishing campaign would harvest them,” wrote Tokazowski. “Once harvested, the threat actors would then use the compromised accounts to send phishing emails to victims’ contacts; the emails may have been viewed as ‘trusted’ by email services given that they were coming from legitimate email accounts.”
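As an added detection example (not part of the article or of Flashpoint's research), the following Python script shows how a mail gateway or analyst could surface the lure described above: pull every /URI link action out of a PDF, including links inside Flate-compressed object streams that a plain grep would miss, then flag targets that point outside the recipient organisation's own domains. Both sample PDFs are constructed inside the script; the example.com link target and the corp.example trusted domain are placeholders, not indicators from the campaign.

```python
import re
import zlib
from urllib.parse import urlparse

# --- Constructed samples (placeholders, not real indicators) -----------------
# A minimal PDF whose only content is a clickable link annotation with a /URI
# action, the lure mechanism described in the article.
HEADER = b"%PDF-1.4\n"
PAGE_OBJECTS = (
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
    b"/Annots [4 0 R] >> endobj\n"
)
LINK_OBJECT = (
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [100 600 500 650]\n"
    b"  /A << /S /URI /URI (http://example.com/secure-document/view) >> >> endobj\n"
)
TRAILER = b"trailer << /Root 1 0 R >>\n%%EOF\n"

# Variant 1: link annotation stored in the clear.
PLAIN_PDF = HEADER + PAGE_OBJECTS + LINK_OBJECT + TRAILER

# Variant 2: the same annotation hidden inside a Flate-compressed object
# stream, which is how real documents usually store it.
_objstm = zlib.compress(LINK_OBJECT)
COMPRESSED_PDF = (
    HEADER + PAGE_OBJECTS
    + b"5 0 obj << /Type /ObjStm /N 1 /First 0 /Filter /FlateDecode /Length "
    + str(len(_objstm)).encode() + b" >>\nstream\n" + _objstm + b"\nendstream\nendobj\n"
    + TRAILER
)

# --- Scanner ----------------------------------------------------------------
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)  # literal string
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")              # hex string
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
        b"(": b"(", b")": b")", b"\\": b"\\"}


def _unescape(s: bytes) -> bytes:
    """Resolve PDF literal-string escapes: \\n \\( \\) \\\\ and octal \\ddd."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i:i + 1] == b"\\" and i + 1 < len(s):
            octal = re.match(rb"[0-7]{1,3}", s[i + 1:i + 4])
            if octal:
                out.append(int(octal.group(), 8) & 0xFF)
                i += 1 + len(octal.group())
                continue
            out += _ESC.get(s[i + 1:i + 2], s[i + 1:i + 2])
            i += 2
            continue
        out += s[i:i + 1]
        i += 1
    return bytes(out)


def _inflated_streams(pdf: bytes) -> list:
    """Inflate every stream that decodes as zlib; skip image data and the like."""
    chunks = []
    for m in STREAM_RE.finditer(pdf):
        try:
            chunks.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-encoded
    return chunks


def extract_uris(pdf: bytes) -> list:
    """Return every /URI action target, scanning raw bytes and inflated streams."""
    found = []
    for chunk in [pdf, *_inflated_streams(pdf)]:
        for m in URI_RE.finditer(chunk):
            found.append(_unescape(m.group(1)).decode("latin-1"))
        for m in URI_HEX_RE.finditer(chunk):
            digits = re.sub(rb"\s", b"", m.group(1))
            digits += b"0" if len(digits) % 2 else b""
            found.append(bytes.fromhex(digits.decode()).decode("latin-1"))
    return found


def triage_uris(uris: list, trusted_domains: list) -> list:
    """Flag targets leaving the trusted domains, raw IPs, or plain-http links.
    Returns (uri, reason) pairs; an empty list means nothing stood out."""
    flagged = []
    for u in uris:
        p = urlparse(u)
        host = (p.hostname or "").lower()
        if not host:
            flagged.append((u, "no host"))
            continue
        trusted = any(host == d or host.endswith("." + d) for d in trusted_domains)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            flagged.append((u, "raw IP address"))
        elif not trusted:
            flagged.append((u, f"external host {host}"))
        elif p.scheme != "https":
            flagged.append((u, "unencrypted link to trusted host"))
    return flagged


if __name__ == "__main__":
    for name, doc in (("plain", PLAIN_PDF), ("compressed", COMPRESSED_PDF)):
        uris = extract_uris(doc)
        print(name, uris, triage_uris(uris, ["corp.example"]))
```

Run against a real sample, a PDF with a /URI link pointing anywhere outside the organisation is the cheap signal worth quarantining or detonating; the compressed-stream pass matters because most authoring tools write object streams, so a grep for `/URI` on the raw file finds nothing.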

And Tokazowski warned that although West African actors are considered among the lowest-skilled cyber threat actors, they have been responsible for more than $5 billion in fraud in the last three years.


Phishing Campaigns

In July Barracuda warned that spear phishing campaigns deserve attention despite the recent hype about ransomware. A study released in April, for example, found that 70 percent of UK universities have fallen victim to a phishing attack at some point.

Google and Facebook have also admitted to being tricked out of more than $100 million (£77m) in such campaigns.

Indeed, such attacks were one of the most prominent threat vectors in 2016, a trend that has continued into 2017, with the likes of Netflix, McDonald’s and even the Saudi Arabian government being targeted.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
