PhishWire - Sept 3 2024
  • 03 Sep 2024

Phish Wire: September 3 2024

PhishID has continued to see a massive surge in malicious clicks across students and staff in August, with over 600 malicious clicks in one large district alone. Here are a few examples and highlights.

9qsus[.]m9k65x[.]com
securep-amzn-prime[.]13-212-185-130[.]cprapid[.]com
aviso-pontos[.]net 
heritagetbonline[.]com 
student[.]masteryconncect[.]com/

What Happened

On August 19th, a district principal clicked on a targeted spearphishing link at 9qsus[.]m9k65x[.]com.

Following patterns seen in prior PhishWire reports, the attack used a phishing server with built-in sandbox evasion that returned a 404 error when the link was inspected from an alternate browser. Fortunately, PhishID was able to protect the school administrator and capture key data about the attack. The phishing page used content and animations resembling the target district's homepage, including inspirational quotes from famous actors, athletes, and historical figures.

On August 26th, a staff member was targeted via their personal email, opened on their work device, with a phishing attack hosted at securep-amzn-prime[.]13-212-185-130[.]cprapid[.]com.

PhishID protects users against these types of credential exploits by identifying and intercepting fraudulent credential requests in the browser, even when clicked from personal mailboxes. 

How it happens

Hackers are acquiring tools to better target districts and their staff. These include Phishing-as-a-Service products that allow hackers to quickly spin up custom phishing sites. Further, hackers are gathering the personal email addresses of their target recipients in order to evade the protections put in place around district mailboxes.

Actions

  • Add the specified domains to your block lists 

  • Focus awareness efforts on high-risk credentials (staff and students) 

  • Deploy PhishID to protect credentials from targeted spear phishing campaigns 

  • Educate users to be cautious of attacks targeting both their personal and school-issued credentials in their email.
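
An added example for the first action above (not PhishID's or the article's own code): it refangs the five domains listed in this issue, validates them as hostnames, and renders them as hosts-file and DNS RPZ entries. The function names are illustrative, and the two output formats are an assumption about the reader's blocking tooling.

```python
import re

# Defanged indicators exactly as listed in this PhishWire issue.
DEFANGED = [
    "9qsus[.]m9k65x[.]com",
    "securep-amzn-prime[.]13-212-185-130[.]cprapid[.]com",
    "aviso-pontos[.]net ",
    "heritagetbonline[.]com ",
    "student[.]masteryconncect[.]com/",
]

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def refang(indicator: str) -> str:
    """Turn a defanged indicator into a bare, validated hostname."""
    s = indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    s = re.sub(r"^[a-z]+://", "", s)  # drop a scheme if one is present
    host = re.split(r"[/?#:]", s, maxsplit=1)[0].rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or not all(LABEL.match(label) for label in labels):
        raise ValueError(f"not a hostname: {indicator!r}")
    return host

def build_blocklist(indicators):
    """Deduplicated, sorted list of hostnames to block."""
    return sorted({refang(i) for i in indicators})

def is_blocked(hostname: str, blocklist) -> bool:
    """Match a listed host or any subdomain of it, on label boundaries only."""
    h = hostname.strip().lower().rstrip(".")
    return any(h == b or h.endswith("." + b) for b in blocklist)

def hosts_file(blocklist) -> str:
    """hosts-file lines; hosts files cannot express wildcards."""
    return "\n".join(f"0.0.0.0 {h}" for h in blocklist) + "\n"

def rpz_zone(blocklist) -> str:
    """RPZ records: 'CNAME .' answers NXDOMAIN; the wildcard covers subdomains."""
    lines = []
    for h in blocklist:
        lines += [f"{h} CNAME .", f"*.{h} CNAME ."]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(rpz_zone(build_blocklist(DEFANGED)), end="")
```

Entries are blocked at the exact hostname listed, so the shared parent domain under `cprapid[.]com` is not blocked by this list.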

