- 28 Oct 2024
- 1 Minute to read
- Print
- DarkLight
Phish Wire - Oct 28 2024
- Updated on 28 Oct 2024
- 1 Minute to read
- Print
- DarkLight
Phish Wire: October 28 2024
October continues to see aggressive phishing campaigns targeting district staff, particularly using delivery methods outside district mailboxes. We will provide a few examples and highlight some key points.
mkvg[.]diflucan50[.]com
a0ueftsev[.]online
ovalthebar[.]info
4af3dac0-d9b7-4472-b338-2c87d939d856-00-v7je93cxpf67[.]spock[.]replit[.]dev/
evolutionindia[.]co[.]in/dist/
celebritybollywoodactions[.]com/dist/
gerenciar[.]com[.]co/dist
Widespread Document Share Phishing Campaign
Multiple school districts were hit with phishing attacks that were delivered through shared documents.
In a Colorado district, on October 17th, this was clicked by seven staff members over an 8 hour period, as well as multiple administrators in other Texas districts. In fact, a PhishID analyst was able to inspect a similar one that hit an Idaho district on October 15th.
In addition to Outlook, the phishing attack allows the user to select Office365, AOL, Yahoo, and other email options.
We saw a separate Outlook phishing attack get clicked by a staff member in another district.
The district administrator confirmed that this email did not arrive through the district email system. It was likely clicked in personal email or another non-email application.
Continued Stealth Email Phishing
The stealth email campaign described in our last Phish Wire has continued to target Texas districts the week of October 14th, with at least 6 users clicking on a link that redirected from the same minerva.maine.edu website. This campaign stands out due to its use of (1) compromised third-party domains, (2) Cloudflare user verification, and (3) multiple redirects. Taken together, these tactics make the phishing campaign remarkably difficult to catch via email security.
The following example illustrates a compromised third-party website: an Indian manufacturing site. The domain itself goes to the legitimate company website, while adding ‘/dist’ to the URL leads to a dangerous phishing site, starting with a Cloudflare verification.
Actions
Remember to add these domains to your block lists, spam filters, and web content filters
Focus awareness efforts on high-risk credentials (staff and students)
Deploy PhishID to protect credentials from targeted spear phishing campaigns
Prioritize phishing awareness efforts for high-priority staff
Educate users that multi-factor authentication is not a phishing panacea
Encourage users to double-check the domain even if the page is requesting a multi-factor one-time-password