Phish Wire - December 9 2024

The last two weeks have experienced an increase in spearphishing targeting corporate users on their personal accounts, along with a rise in Netflix phishing activity. Here are some examples and highlights.

• hebelex[.]com/

• ry74tykjrnm[.]asialink88[.]info

• taxliencode[.]constructappsolution[.]com

• 2ndlinksffice[.]appforconstruction[.]com/

• onlinery[.]norterc[.]com/

• signin[.]neflix[.]payment-reminders.144-126-136-207[.]cprapid[.]com

• payments[.]oauth-netflix[.]updateverification[.]50-6-173-246[.]cprapid.com

• signin-netflixpaymentsupdates[.]50-6-172-50[.]cprapid.com

Personal Email Delivery

On November 25th, a staff member at a school district clicked on a spearphish targeting their Microsoft credentials. While the hacker was targeting their professional email password, the end user confirmed that they clicked the phishing link in their personal email.

Hackers know that corporate email is better defended than personal email. Targeting users via their personal email often, therefore, presents a path of less resistance.

Lateral Phishing

On Thanksgiving day, a staff member at an organization opened the below spearphish. It was sent from a valid email address from a known business associate at a local Home Builders Association.   

The previous day, an executive at the Home Builders Association had their own corporate email compromised. Leveraging the trusted communications with their contact, the hacker sent an email to the targeted user via the compromised account.

The email contained a View Document call to action, referencing a proposal that was likely anticipated by the recipient. The full email included the sender’s signature and a headshot photo.

Netflix Surge

During the same period, we saw a large surge in Netflix phishing attacks being clicked in districts across Georgia, Texas, and Washington.

Numerous subdomains were detected like the above that use disposable hosting services so that they only stay active for a short period. The phishing attack further redirects security sandboxes to a legitimate Netflix help page. Most of the URLs reference billing or payment.

Actions 

• Add the specified domains to your block lists.

• Focus awareness efforts on high-risk credentials (staff and students).

• Educate users that phishing in their personal email can pose serious risks.

• Educate users to exercise caution when opening links even when they are delivered from trusted associate email addresses.

• Deploy PhishID to protect credentials from targeted spearphishing campaigns.