Holidays and global events give threat actors timely material for phishing lures. The technique is common and can be convincing, especially in the days just before a major holiday. On Sunday, August 19, 2018, Cofense Intelligence™ received an Eid-themed phishing email; Eid al-Adha, the Islamic festival, began this week.
The email itself is generic: the narrative claims to deliver an “Eid Ticket” for an unspecified Eid event, purportedly sent by the accounting department of Tickets.com. To view the tickets, the recipient is asked to download the attached .zip archive. Instead of tickets, the archive contains an executable sample of the Agent Tesla keylogger. Agent Tesla also functions as an information stealer, able to decode and exfiltrate stored credentials from a number of applications, including Google Chrome, Firefox, FileZilla, and Steam.
Agent Tesla’s primary task is to exfiltrate harvested credentials from the victim’s machine to the threat actors’ command-and-control location; it also takes screenshots of the victim’s desktop during the infection. In this sample, Agent Tesla sends the stolen credentials by email to storeglis[@]lordshotels[.]com. That mailbox is a useful network indicator: an endpoint that begins sending SMTP traffic to an unfamiliar external mail server, rather than through the corporate relay, is worth alerting on.
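The delivery pattern described above (a .zip attachment whose member is really a Windows executable) is easy to flag at the mail gateway before a user ever sees the "ticket". The following Python script is an added example written for this page, not Cofense's code or part of the report: it constructs a lure-shaped message with a harmless stand-in payload (a member named `Eid_Ticket.exe` that begins with the `MZ` PE magic but is not a real program), then inspects it the way a gateway filter would. It judges each zip member by both extension and magic bytes, reads only the first two bytes of each member so a decompression bomb is never expanded, and reports password-protected members it cannot look inside rather than silently passing them. The sender, recipient and file names are constructed and carry no relation to the real campaign.

```python
"""Constructed example: flag e-mails whose .zip attachment carries a
Windows executable, the delivery pattern used by the Eid 'ticket' lure.
Not from the original report; sample message and payload are synthetic."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions commonly abused for first-stage droppers inside archives.
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def build_sample_eml() -> bytes:
    """Construct a lure-shaped message: ticket-themed text plus a .zip whose
    single member starts with the 'MZ' DOS header. Addresses are assumed."""
    msg = EmailMessage()
    msg["From"] = "accounting@example.invalid"   # assumed sender, not from the report
    msg["To"] = "recipient@example.invalid"      # assumed recipient
    msg["Subject"] = "Your Eid Ticket"
    msg.set_content("Please find your Eid event tickets attached.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        # Stand-in for the executable: PE magic followed by filler. Not a real binary.
        zf.writestr("Eid_Ticket.exe", b"MZ" + b"\x00" * 62 + b"not-a-real-pe")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Eid_Ticket.zip")
    return msg.as_bytes()


def inspect_message(raw: bytes) -> list:
    """Return one finding dict per suspicious zip member in the message.

    A member is suspicious when its name has an executable extension OR its
    first two bytes are the 'MZ' DOS header (renamed executables still match).
    Encrypted members cannot be read, so they are reported as such; only two
    bytes of each member are decompressed, so a zip bomb is never inflated."""
    findings = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        payload = part.get_payload(decode=True)
        try:
            zf = zipfile.ZipFile(io.BytesIO(payload))
        except zipfile.BadZipFile:
            findings.append({"attachment": name, "member": None,
                             "reason": "unreadable zip"})
            continue
        with zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.flag_bits & 0x1:  # bit 0 set = member is encrypted
                    findings.append({"attachment": name, "member": info.filename,
                                     "reason": "encrypted member, cannot inspect"})
                    continue
                with zf.open(info) as member:
                    head = member.read(2)
                by_ext = info.filename.lower().endswith(EXEC_SUFFIXES)
                by_magic = head == b"MZ"
                if by_ext or by_magic:
                    findings.append({"attachment": name, "member": info.filename,
                                     "reason": "executable in archive",
                                     "by_ext": by_ext, "by_magic": by_magic})
    return findings


if __name__ == "__main__":
    for f in inspect_message(build_sample_eml()):
        print(f)
```

Matching on the `MZ` header as well as the extension matters because lures frequently rename the dropper (for example `Ticket.pdf.exe` with the final extension hidden, or a `.scr`) and because a gateway that trusts names alone is trivially bypassed. In production the same check should also run on nested archives and on the other container formats that reach the gateway (.rar, .iso, .7z), and an encrypted finding should quarantine rather than merely log.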
Figure 1: Eid al-Adha phishing email for unspecified Eid event
In another holiday-themed phishing scenario, Cofense Intelligence reported on July 3, 2018 a Fourth of July phish distributing the Geodo financial crimes malware. Holiday-themed lures are a classic strategy that is often effective, so organizations and enterprises must build a defense strategy that anticipates them. Educate and empower users to report suspicious emails that use such lures: computer users are the last line of defense against phishing attacks.
To learn more about resiliency to all types of phishing attacks, view the most recent Cofense™ Phishing Resiliency and Defense Report.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.