The Cofense™ Phishing Defence Center has observed a convincing new phishing campaign targeting taxpaying UK nationals. The threat actors posing as Her Majesty’s Revenue and Customs (HMRC) have imitated the Government Gateway tool which is commonly used by UK citizens to access government services online. The threat actor attempts to convince victims that they are due a tax rebate of £458.21 using the lure below.
“Man in the Inbox” phishing attacks come from compromised email accounts. They look like someone from within a business, for example the HR director, sent an email directing employees to do something legitimate—like logging onto a fabricated page to read and agree to a corporate policy. When employees log on, the attackers harvest their credentials. These attacks are yet another example of increasingly sophisticated credential phishing.
Recently, the Cofense™ Phishing Defense Center has observed a phishing campaign targeting Greek-speaking users and customers of Alpha Bank. Alpha Bank is the fourth-largest Greek bank. We observed threat actors using multiple tactics to gain login credentials which include user names, passwords, and secret questions. This information would allow threat actors to access unsuspecting victims’ accounts draining funds and perhaps reusing those credentials on other websites.
On Thursday June 14th, the Cofense™ Phishing Defense Center (PDC) noted a campaign targeting UK customers with several emails containing the same subject, “Invoice INV-03056,” and prompting the user to view a supposed invoice. The next day, we saw a very similar campaign that delivered French language phishing emails. Upon analyzing the emails, the PDC notified customers that received them, so they could respond as needed. We also notified all our UK customers of the IOC’s.
On May 22, 2018, the Cofense Phishing Defense Center observed a Microsoft credential phishing attack that was received by one of our Managed Service customers. The Phishing Defense Center’s goal is to provide our customers all the relevant information on an attack against their employees, within an hour of an email being reported, so customers can take the necessary steps to prevent further attacks. By doing a deep dive investigation into this attack we were able to find multiple other phishing attacks listed on the site, the kits used to create the phishing pages, and several other domains created by the same threat actor.
On the 19th of April, the Cofense Phishing Defense Center received an email crafted to appear to be from “Sberbank Russia.” In fact, it was a phishing email containing the Troldesh malware, a variant of Russian Ransomware first seen in mid-2015. The PDC hadn’t seen this variant for quite some time.
As we have continued to improve anti-phishing capabilities for clients over the past few years, we have seen a myriad of changes in phishing email composition, style, and approach. Throughout all those changes however, one thing has remained the same.
By Jerome Doaty, Zakari Grater, and Brenda Gooshaw Samson
Technology is an important part of any phishing defense, especially perimeter tech designed to filter emails. But these systems, even those billed as “next-gen email security platforms,” don’t catch everything. Some phishes always get through.