MENU
    Phish Wire - December 9 2024
    • 09 Dec 2024
    • 1 Minute to read

    Phish Wire - December 9 2024


    Article summary


    The last two weeks have experienced an increase in spearphishing targeting corporate users on their personal accounts, along with a rise in Netflix phishing activity. Here are some examples and highlights.

    • hebelex[.]com/

    • ry74tykjrnm[.]asialink88[.]info

    • taxliencode[.]constructappsolution[.]com

    • 2ndlinksffice[.]appforconstruction[.]com/

    • onlinery[.]norterc[.]com/

    • signin[.]neflix[.]payment-reminders.144-126-136-207[.]cprapid[.]com

    • payments[.]oauth-netflix[.]updateverification[.]50-6-173-246[.]cprapid.com

    • signin-netflixpaymentsupdates[.]50-6-172-50[.]cprapid.com


    Personal Email Delivery

    On November 25th, a staff member at a school district clicked on a spearphish targeting their Microsoft credentials. While the hacker was targeting their professional email password, the end user confirmed that they clicked the phishing link in their personal email.

    Hackers know that corporate email is better defended than personal email. Targeting users via their personal email often, therefore, presents a path of less resistance.

    Lateral Phishing

    On Thanksgiving day, a staff member at an organization opened the below spearphish. It was sent from a valid email address from a known business associate at a local Home Builders Association.   

    The previous day, an executive at the Home Builders Association had their own corporate email compromised. Leveraging the trusted communications with their contact, the hacker sent an email to the targeted user via the compromised account.

     

    The email contained a View Document call to action, referencing a proposal that was likely anticipated by the recipient. The full email included the sender’s signature and a headshot photo.

    Netflix Surge

    During the same period, we saw a large surge in Netflix phishing attacks being clicked in districts across Georgia, Texas, and Washington.


    Numerous subdomains were detected like the above that use disposable hosting services so that they only stay active for a short period. The phishing attack further redirects security sandboxes to a legitimate Netflix help page. Most of the URLs reference billing or payment.


    Actions 

    • Add the specified domains to your block lists.

    • Focus awareness efforts on high-risk credentials (staff and students).

    • Educate users that phishing in their personal email can pose serious risks.

    • Educate users to exercise caution when opening links even when they are delivered from trusted associate email addresses.

    • Deploy PhishID to protect credentials from targeted spearphishing campaigns.


    Was this article helpful?

    ESC

    Eddy AI, facilitating knowledge discovery through conversational intelligence