PhishWire - Nov 11 2024

Phish Wire: November 11 2024

During Halloween and early November, staff targeting continued in districts across Texas and Washington. These included phishing campaigns targeting staff on their personal accounts while using district work devices. Here are just a few examples and highlights:

• relishme[.]com/n

• sabbaashopview[.]com

• jj3y[.]evluator[.]com

• zhh8pha4ghv[.]westcovine[.]org

• amerihdladlrka[.]com

• en[.]3-112-32-155[.]cprapid.com

• aceinst[.]edu[.]pk

• e-documentsign[.]com

• att-104671[.]weeblysite[.]com

Personal Targeting

On October 28th, a middle school teacher clicked on the below phishing link targeting their personal AOL account.

Hackers like to target district staff on personal accounts like AOL and Gmail, because those accounts tend to be less well defended than institutional email accounts. After gaining access to a staff member’s personal email, hackers can then move laterally to further compromise colleagues in their network. This phishing attack was well concealed and has since remained unknown on VirusTotal.

Detection Resistant Spearfish Campaigns

We further saw detection resistant spearphish targeting administrators. The link below was clicked by three administrators and used stealth redirects to remain undetected. 

Notable developments included phishing campaigns targeting employees' Google Documents and American Express credentials, which were outside the realm of traditional email attacks.

Actions

• Remember to add these domains to your block lists, spam filters, and web content filters

• Focus awareness efforts on high-risk credentials (staff and students)

• Deploy PhishID to protect credentials from targeted spear phishing campaigns

• Prioritize phishing awareness efforts for high-priority staff

• Educate users that multi-factor authentication is not a phishing panacea

• Encourage users to double-check the domain even if the page is requesting a multi-factor one-time-password