By Nathaniel Sagibanda, Cofense Phishing Defense Center

Threat actors use monetization schemes or fake payment promises to lure users and harvest credentials. The Cofense Phishing Defense Center (PDC) has observed a phishing campaign imitating a well-known banking service, releasing fake remittance payment documents, in a bid to exfiltrate users’ personal data.

Figure 1 showcases the email from the “Director of Finance” along with a “Scheduled Wire Remittance Payment” in the form of a PDF attachment; this is the first stage within the attackers’ intrusion.

Hovering over the “Print Document” displays a link that fails to show even the slightest correlation with the intended bank. Typically the bank’s name would be embedded within the URL. However, this phishing campaign fails to do so. This demonstrates the importance of organizations providing education and training support, ensuring that a red flag would be recognized.Graphical user interface, text, application, email Description automatically generated

Figure 1 – Email

As we dive deeper, we noted the recipient’s name was not included. Instead a generic “Hello” had been supplied giving us a strong indication that this is a mass-spread phishing campaign. Furtheremore, the threat actor/s included the following phrases: “decommission the encryption tool,” “document needs to be access within 90 days from the date of the email,” “Email Security Powered by,” and “Copyright 2021” in the footer of the email. These examples are known as social engineering tactics used to gain the user’s trust, create urgency and exert pressure using high-level email security practices and deadline requirements.

Graphical user interface Description automatically generated

Figure 2 – Landing page

On accessing the embedded link, the recipient would be redirected to a cloned Microsoft login page showcased in Figure 2. On further inspection, there is a clear mismatch with Microsoft’s genuine URL.

Should users enter their credentials, the campaign then redirects to Google’s home page. As mentioned in previous blogs, similar campigns usually redirect the user to the legitimate Office[.]com webpage to construct a “genuine” experience. This may have been a mistake by the threat actor.