Phish Wire - December 23 2024
- Updated on 23 Dec 2024
December has continued to see targeted spearphishing involving compromised mailboxes in Texas and Kentucky, as well as a massive surge in USPS phishing around the holidays. Here are some examples and highlights.
Family Business Email Compromise
On Dec 10th, a staff member at a Texas organization clicked a spearphishing link, delivered inside a PDF file, that targeted their Microsoft credentials.
In this instance, the phishing email was sent from the personal Gmail account of the staff member's spouse, which had been compromised. The email contained a link to a password-protected PDF stored in Google Drive which, once unlocked, contained a link to a Microsoft credential harvester. This is hard to detect because it combines a trusted sender address with a password-protected file that conceals the phishing link from scanners.
Another spearphishing link was clicked by three staff members at a Kentucky organization on Dec 9th.
This one was delivered through a OneDrive file share, outside the scope of normal email protection. Even seven days after PhishID detected it, it had still not been flagged by anyone in the VirusTotal community.
Credit Card UPS Phishing
Leading up to the holidays, PhishID picked up a surge of UPS phishing attacks clicked by staff members across districts in Washington, Kentucky, and Idaho.
To highlight one instance, a UPS phishing link leads to a page claiming that a package has been returned because the delivery address is unclear. To have the package delivered by Dec 23rd, the page says, the user must update their address.
Upon clicking 'Continue', the user is directed to an address form and then on to an online payment form to pay a small supposed delivery fee. Many of the links on the phishing page actually pointed to the legitimate UPS website. Scams like this exploit anxiety about packages arriving before Christmas. They are also harder to detect because the credit card solicitation is concealed until the user has clicked through multiple forms.
Actions
Add the specified domains to your block lists for all of your systems.
Focus awareness efforts on high-risk credentials (staff and students).
Educate users to exercise caution when opening links, even when they come from family members and involve password-protected files.
Educate users that phishing in their personal email can pose serious risks.
Deploy PhishID to protect credentials from targeted spearphishing campaigns.
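To support the block-list step above, here is an added Python example (not PhishID's tooling) that refangs indicators written in the advisory's `[.]` notation, checks URLs against a block list, and flags the brand-in-subdomain lookalike pattern seen in the USPS and Netflix lures. The block-list entries, brand names and URLs are constructed placeholders, and the registered-domain logic is a simplification that does not use a public-suffix list.

```python
import re
from urllib.parse import urlsplit

# Constructed placeholder entries in the advisory's defanged notation
# (not the indicators from the advisory itself).
DEFANGED_BLOCKLIST = [
    "usps[.]com-trackexample[.]invalid",
    "hxxp://example-lure[.]invalid/path",
]
# Brand tokens the lures impersonate; "netfilx" covers the typo-squat spelling.
BRANDS = ("usps", "ups", "netflix", "netfilx")


def refang(text: str) -> str:
    """Convert defanged '[.]' and 'hxxp' notation back to a usable URL or host."""
    return (text.replace("[.]", ".")
                .replace("hxxps://", "https://")
                .replace("hxxp://", "http://"))


def hostname_of(url: str) -> str:
    """Lowercase hostname of a possibly defanged, possibly scheme-less URL."""
    u = refang(url).strip().lower()
    if "://" not in u:
        u = "http://" + u
    return urlsplit(u).hostname or ""


def registered_domain(host: str) -> str:
    """Last two labels. Simplification: no public-suffix list, so a host under
    'com.br' comes out as 'com.br', which still never equals a brand domain."""
    return ".".join(host.split(".")[-2:])


def in_blocklist(url: str, blocklist=DEFANGED_BLOCKLIST) -> bool:
    """True if the URL's host is a blocked domain or a subdomain of one."""
    host = hostname_of(url)
    for entry in blocklist:
        blocked = hostname_of(entry)
        if host == blocked or host.endswith("." + blocked):
            return True
    return False


def brand_lookalike(url: str, brands=BRANDS):
    """Return the impersonated brand when it appears as a label in the hostname
    but the registered domain belongs to someone else (e.g. usps.com-xyz.top)."""
    host = hostname_of(url)
    tokens = set(re.split(r"[.-]", host))      # split on dots and hyphens
    owner = registered_domain(host).split(".")[0]
    for brand in brands:
        if brand in tokens and owner != brand:
            return brand
    return None


def triage(urls, blocklist=DEFANGED_BLOCKLIST):
    """Classify each URL as 'blocked', 'lookalike:<brand>' or 'clean'."""
    result = {}
    for url in urls:
        if in_blocklist(url, blocklist):
            result[url] = "blocked"
        else:
            brand = brand_lookalike(url)
            result[url] = f"lookalike:{brand}" if brand else "clean"
    return result
```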