Phish Wire - Oct 28 2024
  • 28 Oct 2024
Phish Wire: October 28 2024

October continues to see aggressive phishing campaigns targeting district staff, particularly using delivery methods outside district mailboxes. We will provide a few examples and highlight some key points.


  • mkvg[.]diflucan50[.]com

  • a0ueftsev[.]online

  • ovalthebar[.]info

  • 4af3dac0-d9b7-4472-b338-2c87d939d856-00-v7je93cxpf67[.]spock[.]replit[.]dev/

  • evolutionindia[.]co[.]in/dist/

  • celebritybollywoodactions[.]com/dist/

  • gerenciar[.]com[.]co/dist


Widespread Document Share Phishing Campaign


Multiple school districts were hit with phishing attacks that were delivered through shared documents. 

On October 17th, in a Colorado district, the link in one of these shared-document phishes was clicked by seven staff members over an 8-hour period, and by multiple administrators in Texas districts as well. A PhishID analyst was also able to inspect a similar one that hit an Idaho district on October 15th.


The credential-harvesting page defaults to Outlook, but it also lets the user select Office365, AOL, Yahoo, and other email providers, so a single lure covers staff regardless of which mail service they use.

We saw a separate Outlook phishing attack get clicked by a staff member in another district.


The district administrator confirmed that this email did not arrive through the district email system. It was likely clicked in personal email or another non-email application.


Continued Stealth Email Phishing

The stealth email campaign described in our last Phish Wire has continued to target Texas districts the week of October 14th, with at least 6 users clicking on a link that redirected from the same minerva.maine.edu website. This campaign stands out due to its use of (1) compromised third-party domains, (2) Cloudflare user verification, and (3) multiple redirects. Taken together, these tactics make the phishing campaign remarkably difficult to catch via email security.

The following example, a compromised website belonging to an Indian manufacturer, illustrates the use of a compromised third-party domain: the bare domain serves the legitimate company website, while appending '/dist' to the URL leads to a phishing site that begins with a Cloudflare verification step.

Actions

  • Remember to add these domains to your block lists, spam filters, and web content filters

  • Focus awareness efforts on high-risk credentials (staff and students)

  • Deploy PhishID to protect credentials from targeted spear phishing campaigns

  • Prioritize phishing awareness efforts for high-priority staff

  • Educate users that multi-factor authentication is not a phishing panacea

  • Encourage users to double-check the domain even if the page is requesting a multi-factor one-time-password
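The indicator list above mixes two kinds of entries: bare hostnames that are safe to block outright, and legitimate domains where only a path such as '/dist' is malicious, so a domain-level block would also cut off the company's real site. The script below, an added example that is not part of the original article, turns the de-fanged indicators into two kinds of rules (host blocks and URL-prefix blocks), checks candidate URLs against them, and emits Squid-style `dstdomain` / `url_regex` ACL lines. The '[.]' de-fanging convention and the decision to treat a path indicator as a prefix rule are assumptions made here.

```python
"""Turn the de-fanged indicators from this Phish Wire into block-list rules.

Added example (not the article's own tooling). Assumptions: indicators use the
'[.]' de-fanging convention; an indicator carrying a path (e.g. '.../dist/')
marks only that URL prefix as malicious, because the article notes that the
bare domain still serves the legitimate company website.
"""
from urllib.parse import urlsplit

# Indicators copied from the article, still in de-fanged form.
INDICATORS = [
    "mkvg[.]diflucan50[.]com",
    "a0ueftsev[.]online",
    "ovalthebar[.]info",
    "4af3dac0-d9b7-4472-b338-2c87d939d856-00-v7je93cxpf67[.]spock[.]replit[.]dev/",
    "evolutionindia[.]co[.]in/dist/",
    "celebritybollywoodactions[.]com/dist/",
    "gerenciar[.]com[.]co/dist",
]


def refang(indicator: str) -> str:
    """Undo the '[.]' (and 'hxxp') de-fanging so the indicator parses as a URL."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip()


def parse_indicator(indicator: str) -> tuple:
    """Split a de-fanged indicator into (host, path_prefix).

    An empty path_prefix means the whole host is blocked; a non-empty one
    ('/dist') means only URLs at or under that prefix are blocked.
    """
    raw = refang(indicator)
    if "://" not in raw:
        raw = "http://" + raw  # scheme is needed for urlsplit to see a netloc
    parts = urlsplit(raw)
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/")  # '/dist/' and '/dist' are the same rule
    return host, path


def build_rules(indicators):
    """Return (host_blocks, path_blocks): a set of hosts and a host->prefixes map."""
    host_blocks = set()
    path_blocks = {}
    for ind in indicators:
        host, path = parse_indicator(ind)
        if path == "":
            host_blocks.add(host)
        else:
            path_blocks.setdefault(host, set()).add(path)
    return host_blocks, path_blocks


def is_blocked(url: str, host_blocks, path_blocks) -> bool:
    """True if the URL hits a host block (host or any subdomain) or a path-prefix block."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path
    for blocked in host_blocks:
        if host == blocked or host.endswith("." + blocked):
            return True
    for prefix in path_blocks.get(host, ()):
        # '/dist' and '/dist/anything' match; '/distro' must not
        if path == prefix or path.startswith(prefix + "/"):
            return True
    return False


def to_squid_acl(host_blocks, path_blocks):
    """Emit Squid-style ACL lines: dstdomain for hosts, url_regex for path prefixes."""
    lines = []
    for host in sorted(host_blocks):
        lines.append(f"acl phish_hosts dstdomain .{host}")
    for host in sorted(path_blocks):
        for prefix in sorted(path_blocks[host]):
            escaped = prefix.replace(".", r"\.")
            lines.append(f"acl phish_urls url_regex ^https?://{host}{escaped}(/|$)")
    return lines


if __name__ == "__main__":
    hosts, paths = build_rules(INDICATORS)
    for line in to_squid_acl(hosts, paths):
        print(line)
    # The legitimate company site stays reachable; only the '/dist' path is blocked.
    print(is_blocked("https://evolutionindia.co.in/", hosts, paths))
    print(is_blocked("https://evolutionindia.co.in/dist/index.html", hosts, paths))
```

Run it as-is to print the ACL lines and the two checks; feed your own indicator list into `build_rules` to regenerate the rules when the next Phish Wire lands. The prefix rule deliberately requires a '/' boundary so that a path like '/distro' on the same domain is not caught by accident.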


