Phish Wire - Oct 14 2024
- Updated on 14 Oct 2024
Early October saw widespread phishing campaigns targeting large numbers of district staff members. Below are a few examples to highlight.
accuratehire[.]co[.]in
aindialkila[.]com
couriertrip[.]com
outhitcaninus[.]shop
mooterduarch[.]top
curiocity[.]ca
zemb[.]zmqyzjlozozbz[.]top
icon[.]eu[.]com
tiewalesemi[.]de
Widespread Stealth Email Phishing
On Thursday, October 10th, a malicious spearphish was delivered to a large number of staff members at a PhishID district. The email was a ‘Timesheet Report’ sent from info@transflucol[.]com[.]co. The email content referenced the real roles and email addresses of individual users in the targeted district, which made it read as an internal message.
Embedded in the ‘View Timesheet’ button was a link hosted on a public university web domain for the state of Maine: maine.edu. Upon clicking, the link first redirects to a Google redirect notice, then to a (likely impersonated) Cloudflare account verification, and finally to its intended destination: a credential harvesting phishing attack.
Phishing attacks like this can be extremely difficult for email security tools to identify. First, the link delivered in the email pointed at a legitimate third-party domain, so reputation checks on the sender or the visible URL find nothing wrong. Second, it redirected multiple times: first to a Google domain (itself another legitimate domain), then to a verification step that requires an additional user click, and only then to its intended payload. A scanner that inspects the link once at delivery time never reaches the final page; the chain has to be followed hop by hop at click time. The PhishID browser extension detected the incident by tracking and blocking all the redirects. The district reported 91 unique user clicks on the malicious email link.
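The following is an added example, not PhishID's code or the extension's logic, showing how a redirect chain like the one above can be traced hop by hop and scored against a blocklist. It runs offline: the `fake_fetch` table is a constructed stand-in for HTTP responses, every hostname other than google.com is invented (the `.example` names), and the verification step is modelled as a plain server redirect even though the real campaign required a user click, which only something running in the browser would see. The Google hop is resolved from the `/url?q=` parameter of the redirect-notice URL, which is how Google's notice page encodes its destination. The suspicious-chain thresholds are assumptions for the demo, and the blocklist mixes the IOC domains listed at the top of this issue (refanged) with one constructed landing domain.

```python
"""Trace a phishing link's redirect chain and score it against a blocklist.
Added example, not PhishID's code. Runs offline: `fetch` is a constructed
table of responses standing in for a real HTTP client."""
from urllib.parse import urlsplit, parse_qs

MAX_HOPS = 10  # assumed cap; real chains rarely exceed a handful of hops
GOOGLE_REDIRECT_HOSTS = {"www.google.com", "google.com"}


def refang(domain: str) -> str:
    """'accuratehire[.]co[.]in' -> 'accuratehire.co.in' (newsletter IOC style)."""
    return domain.replace("[.]", ".").replace("hxxp", "http").lower()


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def google_redirect_target(url: str):
    """Destination embedded in a Google redirect-notice URL
    (https://www.google.com/url?q=<target>), or None for any other URL."""
    parts = urlsplit(url)
    if parts.hostname and parts.hostname.lower() in GOOGLE_REDIRECT_HOSTS and parts.path == "/url":
        q = parse_qs(parts.query).get("q")
        return q[0] if q else None
    return None


def trace(start_url: str, fetch, max_hops: int = MAX_HOPS):
    """Follow the chain manually (no client auto-redirects) so every hop is
    recorded. `fetch(url)` returns (status, headers). Google /url?q= notices
    are resolved from the URL itself: the notice page only exposes the target
    as a link, so fetching it would stop the trace early."""
    hops = [start_url]
    url = start_url
    for _ in range(max_hops):
        target = google_redirect_target(url)
        if target is None:
            status, headers = fetch(url)
            if status not in (301, 302, 303, 307, 308):
                break  # landed on a page (or an error): chain ends here
            target = headers.get("Location")
            if not target:
                break
        hops.append(target)
        url = target
    return hops


def assess(hops, blocklist):
    """Flag the chain if any hop is on a blocklisted domain, or if it crosses
    several distinct hosts and ends somewhere other than the host the user
    was shown (the Timesheet pattern). Thresholds are assumptions."""
    hosts = [host_of(u) for u in hops]
    blocked = [h for h in hosts if any(h == b or h.endswith("." + b) for b in blocklist)]
    distinct = len(set(hosts))
    return {
        "hops": len(hops) - 1,
        "distinct_hosts": distinct,
        "first_host": hosts[0],
        "final_host": hosts[-1],
        "blocked_hosts": blocked,
        "suspicious": bool(blocked) or (distinct >= 3 and hosts[-1] != hosts[0]),
    }


# Constructed response table modelling the chain described above:
# trusted-looking host -> Google redirect notice -> "verification" page -> harvester.
# All non-Google hostnames are invented for this example. The verification
# step is modelled as a 302; in the real campaign it was a page needing a click.
_RESPONSES = {
    "https://www.university.example/~staff/timesheet": (302, {"Location":
        "https://www.google.com/url?q=https://check.verify.example/cf"}),
    "https://check.verify.example/cf": (302, {"Location": "https://login.harvest.example/office"}),
    "https://login.harvest.example/office": (200, {}),
}


def fake_fetch(url):
    return _RESPONSES.get(url, (404, {}))


# IOC domains from this issue (refanged) plus the constructed landing domain
BLOCKLIST = [refang(d) for d in [
    "accuratehire[.]co[.]in", "aindialkila[.]com", "couriertrip[.]com",
    "outhitcaninus[.]shop", "mooterduarch[.]top", "curiocity[.]ca",
    "zemb[.]zmqyzjlozozbz[.]top", "icon[.]eu[.]com", "tiewalesemi[.]de",
    "transflucol[.]com[.]co", "harvest[.]example",
]]


def demo():
    hops = trace("https://www.university.example/~staff/timesheet", fake_fetch)
    return hops, assess(hops, BLOCKLIST)


if __name__ == "__main__":
    hops, verdict = demo()
    for i, h in enumerate(hops):
        print(f"hop {i}: {h}")
    print(verdict)
```

The point of tracing manually rather than letting an HTTP client follow redirects is that the intermediate hosts are exactly the evidence a detector needs: a chain that starts on a .edu host, passes through google.com and lands on an unrelated domain is suspicious even before the final host appears on any blocklist. Swapping `fake_fetch` for a real client (with a timeout and a non-browser User-Agent, since the later hops may cloak) turns this into a URL-analysis step for a mail gateway or SOC triage script.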
Multi-Channel Phishing
The example above illustrates the stealthy tactics attackers use to get phishing links into well-protected email environments. In the examples below, however, PhishID detected attacks that were delivered and clicked entirely outside district email, so no mail gateway ever saw them: one arrived as an Adobe file and two via personal email. All three were detected over the 7 days starting October 3rd.
Actions
Remember to add these domains to your block lists, spam filters, and web content filters
Focus awareness efforts on high-risk credentials (staff and students)
Deploy PhishID to protect credentials from targeted spear phishing campaigns
Prioritize phishing awareness efforts for high-priority staff
Educate users that multi-factor authentication is not a phishing panacea
Encourage users to double-check the domain in the address bar even when the page is requesting a multi-factor one-time password; a credential harvester that asks for the OTP is relaying it to the real login in real time