Cloud-based security vendor Inky has detailed two new phishing campaigns that use Covid as a lure to get a response from victims. Those behind the phishing attempts are using the Campaign Monitor and Mailchimp services to spread their message.
There are several similarities between the attacks. Both attacks seek to fool users into entering their enterprise credentials. They also exploit hijacked email accounts to send the emails.
The Campaign Monitor case uses the lure of a fake COVID-19 Benefits Program. It claims that cash assistance of up to $5,000 is available to everyone and employees. The use of the word employees might suggest this is something supported by their employer. Victims are asked to click on the Individual Assistance Program link and complete the form to apply for the money.
The link takes the user to a login page that asks for email, user name and pass word. That’s right, pass word, not password. The Inky blog suggests this might have been an attempt to avoid detection, or just poor grammar. Unsurprisingly, the form does not log the user into anything. It’s not meant to. It has done its job by harvesting those user credentials.
The Mailchimp attack is similar in that it also starts with an email about Covid vaccinations. The link here suggests that the user is responding to a survey. The email also appears to come from the Chief Human Resources Officer to try and give it some authority.
The people behind this phishing campaign invested some time in it. They created a real survey inside Mailchimp. For anyone looking for a dodgy link, this could persuade them that this is real. At the end of the survey, users are asked for their Employee Email and password to verify their identity.
Creating these attacks is simple
There appears to be little technical barrier to creating these attacks. Both services allow attackers to use their tools and create a page/survey to gather credentials. Executing the attack would be simple. Many sites sell mailing lists either based on product usage or scraped from the Internet. Creating a form/survey to appeal to those lists takes little effort or knowledge. The value is in the stolen credentials.
These attacks are more likely to succeed because they come from well-known domains. Both are used for email marketing and appear in users’ inboxes with enough regularity to attract no concern. Blocking those domains at the email server would also stop legitimate marketing campaigns from getting through, which is something few companies will do.
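As an added illustration, not taken from Inky or the article, here is a small triage heuristic a mail-security team could run over inbound messages. It scores delivery via a bulk-mail platform, the Covid lure, a form or survey that asks for a password (matched with whitespace removed, so the "pass word" spelling above does not evade it), and an HR display name on an external sender. The platform domains, sample messages and scoring weights are assumptions to adapt to your own mail logs.

```python
import re
from collections import namedtuple

# Assumed, not from the article: sender/link domains of bulk-mail platforms.
PLATFORM_DOMAINS = ("list-manage.com", "mailchi.mp", "createsend.com")
CREDENTIAL_TERMS = ("password", "passcode")  # matched with whitespace removed
LURE_TERMS = ("covid", "cashassistance", "benefitsprogram", "vaccination", "survey")
AUTHORITY_TERMS = ("human resources", "chro")
FLAG_THRESHOLD = 4  # platform alone (1) or lure alone (1) never flags

Verdict = namedtuple("Verdict", "score reasons flagged")

def _flatten(text: str) -> str:
    # Lower-case and drop all whitespace so "pass word" still matches "password".
    return re.sub(r"\s+", "", text.lower())

def _host(addr_or_url: str) -> str:
    # Host part of an email address or URL, lower-cased ('' if none found).
    m = re.search(r"(?:@|://)([^/>\s]+)", addr_or_url)
    return m.group(1).lower() if m else ""

def score_message(display_name, sender, links, body, org_domain) -> Verdict:
    score, reasons = 0, []
    hosts = [_host(sender)] + [_host(u) for u in links]
    if any(h.endswith(p) for h in hosts for p in PLATFORM_DOMAINS):
        score += 1; reasons.append("sent or linked via a bulk-mail platform")
    flat = _flatten(body)
    if any(t in flat for t in CREDENTIAL_TERMS):
        score += 3; reasons.append("form or survey asks for a password")
    if any(t in flat for t in LURE_TERMS):
        score += 1; reasons.append("topical lure (Covid, benefits, survey)")
    if any(t in display_name.lower() for t in AUTHORITY_TERMS) and _host(sender) != org_domain:
        score += 2; reasons.append("claims HR authority from an external domain")
    return Verdict(score, reasons, score >= FLAG_THRESHOLD)

# Constructed samples modelled on the two campaigns, plus a benign newsletter.
SAMPLES = {
    "benefits": ("Benefits Team", "news@cm.createsend.com", ["https://cm.createsend.com/t/apply"],
                 "COVID-19 Benefits Program: cash assistance of up to $5,000 for everyone and "
                 "employees. Enter your email, user name and pass word to apply."),
    "survey": ("Chief Human Resources Officer", "hr@mail.list-manage.com",
               ["https://example.list-manage.com/survey"],
               "Covid vaccination survey. Verify your identity with Employee Email and password."),
    "newsletter": ("Acme Weekly", "news@mail.list-manage.com",
                   ["https://example.list-manage.com/unsub"], "This week's product updates."),
}

def triage(org_domain="example.com"):
    # Score every sample; returns {name: flagged}.
    return {k: score_message(*v, org_domain).flagged for k, v in SAMPLES.items()}
```

The benign newsletter scores only the platform point, so legitimate marketing mail from the same domains is not blocked wholesale.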
Enterprise Times: What does this mean?
It’s easy to blame poor user education for the success of these attacks. In reality, these attacks are so much more than that. The authority of the two domains will convince many users that these are legitimate emails and surveys. Checking the address an email claims to come from should always be a first check, but faking that address is a simple task.
The one piece of education here to reinforce to users is that they should never enter their credentials into a survey. Many will ask for an email address, often promising to send over a report or some other data later. Many organisations will see that as being acceptable. But no professional survey will ask for your password.