Amazon Gift Card Email Hooks Microsoft Credentials

April 10, 2025

By: Lorenzo Sampang, Cofense Phishing Defense Center

In today’s day and age, e-gift cards have become a popular substitute for traditional gifts. This is because they are instantly deliverable, require no wrapping, and allow the recipient the freedom to choose something they truly want or need. However, this convenience can sometimes cause recipients to overlook the legitimacy of the source. Threat actors take advantage of this behavior by sending fraudulent emails disguised as genuine gift cards from trusted sources. These scams are designed to manipulate emotions and trick victims into providing sensitive information under the guise of redeeming a gift.

The Cofense Phishing Defense Center (PDC) has recently identified a new credential phishing campaign that uses an email disguised as an Amazon e-gift card from the recipient’s employer. While the email appears to offer a substantial reward, its true purpose is to harvest Microsoft credentials from unsuspecting recipients. The combination of the large monetary value and the appearance of an email seemingly from their employer lures the recipient into a false sense of security that leaves them unaware of the dangers ahead.

Figure 1: Malicious Email

The body of the email, illustrated in Figure 1, demonstrates that the threat actor disguises their malicious intent by sending an email spoofed to appear as a “Reward Gateway” message containing a fake Amazon gift card URL. The large $200 value of the “eGift” card will tempt the recipient into redeeming it by simply clicking on the provided button, or by copying and pasting the given URL into their browser. To further convince the recipient of its legitimacy, the email frames the eGift card as a reward from their employer for their outstanding work performance. With these appreciative words, the victim is left unaware that the eGift card is just a facade leading to a credential phishing attack.

Figure 2: Infection Page

After the recipient visits the provided URL, they are redirected to the fake Amazon gift card redemption site, presented in Figure 2, which prompts the victim to input their email address to unlock their eGift card. The first indicator that something is malicious here comes from the domain “activationshub[.]com”, which was found to be only a few days old at the time of discovery. In addition to being very new, the “activationshub[.]com” domain has no ties to Amazon or any of the services it provides. This domain is designed to mimic the Amazon eGift card redemption process as closely as possible, maintaining the illusion that the recipient is accessing a safe and legitimate website before they are taken to the last stage of the phishing attack.

Figure 3: Final Phishing Page

Once the recipient submits their email address, they will be redirected to a phishing page, as shown in Figure 3. The phishing page is well-disguised as a legitimate Microsoft login site, once again prompting the victim to input their credentials. Legitimate Microsoft Outlook login pages should be hosted on domains belonging to Microsoft (such as live.com or outlook.com), but as you can see in Figure 3, the domain for this site is officefilecenter[.]com, which was created less than a month before the time of analysis.

Credential phishing emails such as these are a perfect example of the various ways that threat actors can exploit the emotions of the recipient. Whether it is the theme of the phish, the content within, or the time of year, threat actors will utilize anything they can to make sure you do not catch on until it is too late. The Cofense PDC is well-equipped and has advanced tools for identifying and limiting threats to keep our clients safe. Schedule a demo today to learn more.


Indicators of Compromise | IP
hXXps://egift[.]activationshub[.]com/gift-card/view/8lPFUrjq1LGzg7JHwS8hJJRdL/ | 104.26.11.204
hXXps://sso[.]officefilecenter[.]com/signin?sso_reload=true# | 104.26.1.222
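The two tells called out above, a domain only days or weeks old and a Microsoft-style sign-in page living outside Microsoft-owned domains, can be turned into a simple triage check. The following is an added example written for this post, not Cofense tooling: the URLs are the indicators from the table, the Microsoft allowlist is an assumed list, and the domain creation dates are constructed sample values standing in for a WHOIS/RDAP lookup that this offline script does not perform.

```python
"""Triage check for the two indicators discussed in the post (added example)."""
from datetime import date
from urllib.parse import urlparse

# Assumed allowlist of registrable domains where a genuine Microsoft sign-in page may live.
MICROSOFT_LOGIN_DOMAINS = {"microsoft.com", "microsoftonline.com", "live.com", "outlook.com", "office.com"}
SIGNIN_HINTS = ("signin", "login", "sso")   # tokens that suggest a credential prompt
YOUNG_DOMAIN_DAYS = 30                       # threshold matching the ages described in the post


def refang(url: str) -> str:
    """Turn the defanged 'hXXps://a[.]b' form used in the IoC table back into a real URL."""
    return url.replace("hXXp", "http").replace("[.]", ".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host; sufficient for the .com domains in this post."""
    return ".".join(host.lower().split(".")[-2:])


def triage_url(defanged_url: str, created: date, today: date) -> list[str]:
    """Return a list of findings for one URL given its domain creation date."""
    parsed = urlparse(refang(defanged_url))
    host = parsed.hostname or ""
    domain = registrable_domain(host)
    findings = []
    age = (today - created).days
    if age < YOUNG_DOMAIN_DAYS:
        findings.append(f"young-domain:{domain}:{age}d")
    # A sign-in style host/path/query on a non-Microsoft domain is the Figure 3 pattern.
    text = (host + parsed.path + parsed.query).lower()
    if any(h in text for h in SIGNIN_HINTS) and domain not in MICROSOFT_LOGIN_DOMAINS:
        findings.append(f"signin-outside-microsoft:{domain}")
    return findings


# Constructed sample: IoCs from the post plus one legitimate URL; creation dates are made up.
TODAY = date(2025, 4, 10)
SAMPLES = [
    ("hXXps://egift[.]activationshub[.]com/gift-card/view/8lPFUrjq1LGzg7JHwS8hJJRdL/", date(2025, 4, 5)),
    ("hXXps://sso[.]officefilecenter[.]com/signin?sso_reload=true", date(2025, 3, 20)),
    ("https://login.microsoftonline.com/common/oauth2/authorize", date(2014, 1, 1)),
]


def triage_all(samples=SAMPLES, today=TODAY) -> dict[str, list[str]]:
    return {url: triage_url(url, created, today) for url, created in samples}


if __name__ == "__main__":
    for url, findings in triage_all().items():
        print(url, "->", findings or ["clean"])
```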

All third-party trademarks referenced by Cofense whether in logo form, name form, product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding the circumvention of end-point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.


The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog, are registered trademarks or trademarks of Cofense Inc.