PhishWire - Sept 30 2024
  • 14 Oct 2024

Phish Wire: September 30, 2024


September has seen an uptick in phishing activity, with sophisticated attacks targeting key personnel in rapid succession. Here are some examples and highlights.


ampo[.]documentslabs[.]com

mpcmechs[.]com

mcgiftcardbalance[.]biz

a08c[.]gadehomes[.]org

tiewalesemi[.]de

leovividstyles[.]online

contena[.]com[.]br

croaciaaudio[.]com


Over a few hours during the school day at one district, PhishID detected clicks on a pair of spear phishing links targeting (1) a Procurement Manager, (2) a Board of Trustees member, and (3) a Chief HR Officer.


ampo[.]documentslabs[.]com


This website evaded detection by the entire VirusTotal community for almost a week before being flagged by BitDefender. To cover their tracks, the hacker removed the phishing payload from the server shortly after the time window during which users were targeted. Based on the URL content, it’s possible that the link was delivered via an attachment document rather than an email, allowing it to glide past any existing email protection. The phishing attack hosted on mpcmechs[.]com also showed evidence of an MFA phishing toolkit.

Had PhishID not blocked it at the point of click, the page would have stolen the user’s password and forwarded it to the real Microsoft website to phish the two-factor code.


In another district, PhishID blocked multiple phishing attacks targeting staff in both their district and personal emails.


mcgiftcardbalance[.]biz



This MasterCard phishing attack targeted the personal email account of a vice principal. By targeting personal accounts, phishing attacks like this can avoid any tripwires in enterprise email protection. 


a08c[.]gadehomes[.]org


PhishID also detected a Microsoft spearphish that concealed its tracks by only delivering the phishing payload to the user’s browser upon click. Subsequent visits to the link redirect to a safe site: example.com.


Actions 


  • Remember to add these domains to your block lists, spam filters, and web content filters

  • Focus awareness efforts on high-risk credentials (staff and students)

  • Deploy PhishID to protect credentials from targeted spear phishing campaigns

  • Prioritize phishing awareness efforts for high-priority staff

  • Educate users that multi-factor authentication is not a phishing panacea

  • Encourage users to double-check the domain even if the page is requesting a multi-factor one-time-password
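
Acting on the first item above means refanging the `[.]` entries and matching hostnames on label boundaries, so that subdomains of a listed host are caught but look-alike or parent domains are not. The following is an added example in Python, not PhishID or vendor code; the function names are hypothetical and the sample indicators are four of the domains listed in this bulletin.

```python
"""Added example: build a hostname blocklist from defanged indicators."""
import re
from urllib.parse import urlsplit

# Indicators copied from this bulletin, kept defanged as published.
DEFANGED = [
    "ampo[.]documentslabs[.]com",
    "mpcmechs[.]com",
    "mcgiftcardbalance[.]biz",
    "a08c[.]gadehomes[.]org",
]

_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Undo the [.] defanging; normalise case and any trailing dot."""
    return indicator.strip().replace("[.]", ".").lower().rstrip(".")


def build_blocklist(indicators):
    """Return the set of normalised hostnames to block, skipping blank lines."""
    return {refang(i) for i in indicators if i.strip()}


def hostname_of(url_or_host: str) -> str:
    """Extract a normalised hostname from a full URL or a bare host/path."""
    candidate = url_or_host.strip()
    if not _SCHEME.match(candidate):
        candidate = "//" + candidate  # make urlsplit parse it as a netloc
    try:
        host = urlsplit(candidate).hostname or ""
    except ValueError:  # malformed netloc, e.g. a broken IPv6 literal
        return ""
    return host.lower().rstrip(".")


def is_blocked(url_or_host: str, blocklist) -> bool:
    """True if the host, or any parent of it, is listed (whole labels only)."""
    host = hostname_of(url_or_host)
    if not host:
        return False
    labels = host.split(".")
    # a.b.c is checked as a.b.c, then b.c, then c: never a partial label.
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


BLOCKLIST = build_blocklist(DEFANGED)
```

Because only the `ampo` subdomain of documentslabs is listed, the parent domain is not blocked by this check; whether to widen an entry to its parent is a local policy decision.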


