Phish Wire - April 15 2025

At the beginning of April, there has been a sustained effort to target corporate credentials through stealthy methods, file-sharing platforms, and personal account phishing on work devices. Notably, there has been a significant increase in phishing campaigns related to financial services and Netflix, often incorporating a tech support angle. Here are some examples and highlights.

• kyschools[.]mgdinvests[.]com

• privatemessagiesnow[.]de/secure/

• zentratech[.]online/services[.]php/

• login[.]5324232[.]com

• hrsupportint[.]com

• alonglifewithparkinsons[.]com/service/3123eacc/54e5

• cartweb[.]live/services[.]html

• heb6[.]ewetanign[.]ru

• kalsirwas[.]composition[.]it[.]com

• srhfree0w345-hgr[.]es/on/sd/

• webbinder[.]online/services[.]php

Widespread Kentucky Phishing Campaigns

In the first week of April, five users from three different organizations in Kentucky clicked on the following Microsoft phishing link.

The page not only impersonates Microsoft but also Okta and GoDaddy. It employs stealth redirect tools that lead users to legitimate sites, depending on the client. For instance, if the browser accessing the page is in debug mode, the HTML redirects to homedpot.com. The URL appears to have been generated by an algorithm, suggesting it is part of a broader set of phishing attacks. It was hosted on a Russian top-level domain and utilized path variables to target specific users.

Another campaign targeted Kentucky school districts by using subdomains that matched real domains utilized by the public school system. For example, an attack was clicked on April 1st by a staff member.

‘kyschools’ is a reference to the Kentucky public school system, which would normally use ‘.kyschools.us’ domains.

The same period experienced ongoing credential phishing that bypassed email protection, delivered through file shares distributed across Texas, Illinois, and Georgia. Here are a few examples.

Customer Service Paypal Phishing

This period experienced ongoing PayPal phishing campaigns targeting users in Georgia, Texas, and Nevada. The example below was clicked by an employee at a Texas organization.

Similar to others, this also included a tech support component along with tracking parameters that indicated possible misuse of advertising networks to generate traffic. Additionally, it involved the use of cloaking or redirecting services to evade detection by security scanners. Here are a couple of other comparable examples.

Netflix Phishing

The period had a continued streak of stealth Netflix phishing, like the example below that a staff member at a Georgia organization clicked on.

The domain hosting the attack is a legitimate site about the Parkinson’s disease community, which was likely compromised and hijacked. Additionally, a couple of others have been reported targeting users in Florida and Kentucky.

Some of these pages mimicked a Cloudflare challenge, possibly to deceive web crawlers into believing a security provider safeguards the page.

Mitigations 

• Block the specified domains on corporate firewalls and endpoint security solutions.

• Educate users about the risks of phishing in file-sharing applications such as SharePoint and OneDrive, in addition to email.

• Remind users of the phishing risks associated with their personal accounts, even when accessing them on corporate devices.

• Instruct users to find the official support number for their financial service institution through a Google search rather than calling the number provided on an unverified webpage.

• Enforce multi-factor authentication (MFA) for all corporate logins to mitigate the risk of credential compromise.