DYNAMIC EMAIL PHISHING CAMPAIGN – JANUARY 2019
A large-scale phishing campaign has been discovered that dynamically generates its content. Unlike a generic phishing attempt, this approach tailors the phishing page to the targeted organisation. As with a spear-phishing attack, this lends the attack legitimacy, as the phishing site appears more convincing to the victim.
The phishing attack comprises two key components: firstly, the malicious email that contains the link, and secondly, the phishing site used to harvest user credentials.
Researchers have identified that the spam emails are distributed from the initial victim, patient zero, whose account has been compromised. Using the compromised account, the malicious email is first sent to many internal contacts within the organisation, and then mass-sent to external recipients to compromise further users. Because the emails come from a compromised account, particularly one within the organisation, the recipient can be tricked into thinking the email is safe, as it appears to come from another internal user.
The email itself is fairly simple and could potentially be recognised as a scam by a wary user. It is largely blank but contains a button with the text “Display this message” or “Display trusted message”. Clicking the button does not display any message but instead directs the victim to a phishing site.
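The internal-then-external fan-out described above leaves a distinctive trace in outbound mail logs: a single mailbox suddenly reaches many distinct recipients in a short window. The following script is an added example, not part of the original advisory, that flags such bursts. It assumes a constructed log format of one "timestamp sender recipient" triple per line, an organisation domain of example.org, and a 10-minute window with a threshold of 8 distinct recipients; all of those values are assumptions that would be tuned to real mail volumes.

```python
"""Flag mailboxes that fan out mail to many distinct recipients in a short window.

Added example (not from the advisory). Assumed log format, one event per line:
    <ISO-8601 timestamp> <sender address> <recipient address>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

ORG_DOMAIN = "example.org"          # assumption: the defended organisation's domain
WINDOW = timedelta(minutes=10)      # assumption: sliding window for counting recipients
THRESHOLD = 8                       # assumption: distinct recipients that count as a burst

# Constructed sample log: alice's mailbox mails five internal colleagues,
# then four external contacts, within about a minute; bob's traffic is normal.
SAMPLE_LOG = """\
2019-01-14T09:00:01 alice@example.org bob@example.org
2019-01-14T09:00:02 alice@example.org carol@example.org
2019-01-14T09:00:03 alice@example.org dave@example.org
2019-01-14T09:00:04 alice@example.org erin@example.org
2019-01-14T09:00:05 alice@example.org frank@example.org
2019-01-14T09:01:10 alice@example.org grace@partner.example.com
2019-01-14T09:01:11 alice@example.org heidi@customer.example.net
2019-01-14T09:01:12 alice@example.org ivan@supplier.example.co.uk
2019-01-14T09:01:13 alice@example.org judy@another.example.org
2019-01-14T09:30:00 bob@example.org alice@example.org
2019-01-14T09:31:00 bob@example.org carol@example.org
"""


def parse_log(text):
    """Parse the assumed log format into a time-sorted list of (ts, sender, recipient)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt = line.split()
        events.append((datetime.fromisoformat(ts), sender.lower(), rcpt.lower()))
    events.sort()
    return events


def is_internal(addr):
    """True when the address belongs to the defended organisation."""
    return addr.endswith("@" + ORG_DOMAIN)


def find_fan_out(events, window=WINDOW, threshold=THRESHOLD):
    """Return {sender: (window_start, internal_count, external_count)} for every
    sender that reaches at least `threshold` distinct recipients inside `window`.
    The largest burst seen per sender is kept."""
    by_sender = defaultdict(list)
    for ts, sender, rcpt in events:
        by_sender[sender].append((ts, rcpt))

    alerts = {}
    for sender, msgs in by_sender.items():
        recent = deque()                       # events inside the current window
        for ts, rcpt in msgs:
            recent.append((ts, rcpt))
            while recent and ts - recent[0][0] > window:
                recent.popleft()               # drop events older than the window
            recipients = {r for _, r in recent}
            if len(recipients) < threshold:
                continue
            prev = alerts.get(sender)
            if prev is None or len(recipients) > prev[1] + prev[2]:
                internal = sum(1 for r in recipients if is_internal(r))
                alerts[sender] = (recent[0][0], internal, len(recipients) - internal)
    return alerts


def scan(text):
    """Convenience wrapper: parse the log text and return the alerts."""
    return find_fan_out(parse_log(text))


if __name__ == "__main__":
    for sender, (start, internal, external) in scan(SAMPLE_LOG).items():
        print(f"{sender}: burst from {start.isoformat()} "
              f"({internal} internal, {external} external recipients)")
```

Reporting internal and external counts separately matters here because the campaign's order of operations (internal contacts first, then outbound) means an alert raised on the internal burst alone gives the mail team a chance to suspend the account before the external wave is sent.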
An example of what is displayed in the email can be seen below:
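The lure email has two checkable properties: the body is almost empty, and its only call to action is a "Display this message" or "Display trusted message" button whose link leads away from the sender's own domain. The script below is an added example, not part of the original advisory or any vendor's product, that scores a raw message on those two signals. The messages, the sender domain example.org and the link host phish-placeholder.example.net are all constructed for the example.

```python
"""Flag emails whose only call to action is a "Display ... message" button
pointing outside the sender's domain. Added example; inputs are constructed."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Button texts reported for this campaign.
LURE_PHRASES = ("display this message", "display trusted message")
# Assumption: a body with fewer visible characters than this counts as "largely blank".
MIN_BODY_CHARS = 40

# Constructed lure: blank body, one button, link to an unrelated host.
SAMPLE_EML = """\
From: alice@example.org
To: bob@example.org
Subject: Message
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="https://phish-placeholder.example.net/view"
   style="padding:10px;background:#0078d4;color:#fff">Display trusted message</a>
</body></html>
"""

# Constructed benign message: the same wording, but the link stays on the sender's domain
# and the body carries real text.
BENIGN_EML = """\
From: alice@example.org
To: bob@example.org
Subject: Shared document
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hi Bob, the minutes from Tuesday are attached to the internal portal message.</p>
<a href="https://mail.example.org/messages/123">Display this message</a>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs and the visible text outside anchors."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._anchor_text = []
        self._body_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._anchor_text = []

    def handle_data(self, data):
        if self._href is not None:
            self._anchor_text.append(data)
        else:
            self._body_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._anchor_text).split())
            self.links.append((self._href, text))
            self._href = None

    @property
    def body_text(self):
        return " ".join("".join(self._body_text).split())


def analyse_message(raw):
    """Return a dict describing lure links and body sparseness for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_domain = msg["from"].addresses[0].domain.lower()
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""

    parser = LinkExtractor()
    parser.feed(html)

    lure_links = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        same_org = host == sender_domain or host.endswith("." + sender_domain)
        if text.lower() in LURE_PHRASES and not same_org:
            lure_links.append((text.lower(), host))

    body_chars = len(parser.body_text)
    return {
        "sender_domain": sender_domain,
        "lure_links": lure_links,
        "body_text_chars": body_chars,
        "suspicious": bool(lure_links) and body_chars < MIN_BODY_CHARS,
    }


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_EML), ("benign", BENIGN_EML)):
        print(name, analyse_message(raw))
```

Comparing the link host with the sender's domain is the part that survives the campaign's rotating infrastructure: the phishing hosts change, but a button that invites an internal user to "display" a message while leaving the organisation's own mail domain is the constant worth alerting on.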
Upon visiting the phishing site, the content is dynamically generated based on the victim's email suffix (the domain after the @). The site downloads the target company's logo and favicon to produce a rather convincing login page, which steals information about the victim and their device.
Further research shows that the phishing sites are associated with multiple domains that change regularly and are hosted on short-lived Azure servers, which many threat intelligence providers have not yet flagged as malicious.
An example of what the phishing page would look like for a user with the email suffix “@marks-and-spencer.com” can be seen below:
How can I prevent this?
Recommended preventative actions for this attack method are as follows: