PhishWire - July 22 2024
  • 22 Jul 2024


What Happened

Following AT&T's announcement of a significant data breach, we observed a notable increase in spearphishing attempts aimed at district staff members last week. Below is an example of such an attempt:

wijf[.]gstoran[.]com

reapply[.]pages[.]dev

2ex8wa13c59[.]pics

261755[.]com

glspromo[.]com


On Thursday, July 18th, three district staff members—a principal, vice principal, and executive director—fell victim to a Microsoft spearphishing attack by clicking on a malicious link. The link was first clicked on Monday, July 15th, by an additional administrator.


wijf[.]gstoran[.]com

How It Works

As in many attacks, the phishing server used sandbox evasion, making the site difficult to observe with traditional detection techniques. PhishID’s point-of-click AI scanner was able to protect the staff members and capture key data about the attack.


This attack included content and animations pulled from the target district homepage, including inspirational quotes from historical figures like Rockefeller, Churchill, and FDR: “The secret of success is to do the common thing uncommonly well”; “Success is not final, failure is not fatal: It is the courage to continue that counts”; “Persistence is the key to achieving great things.”


On July 17th and 18th, an attendance administrator also clicked on the link provided below.


reapply[.]pages[.]dev  


It includes Multi-Factor Authentication man-in-the-middle tactics, prompting the user to “enter the code displayed in the Microsoft Authenticator app on your mobile device.”


It also appears to have targeted the user using both their professional and personal email accounts.


Action to Take


Remember to add these domains to your block lists, focus awareness efforts on high-risk staff and students, and deploy PhishID to protect students and staff from these types of targeted spearphishing attacks. 
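
One way to act on the block-list advice above is to check existing proxy or DNS logs for earlier visits to the listed domains. This is an added example, not code from PhishID or this bulletin; the log format, user names and the two non-listed hosts are constructed. It matches a listed host and its subdomains only, so the shared hosting domain pages[.]dev is not flagged wholesale.

```python
from urllib.parse import urlsplit

# Defanged indicators copied from this bulletin.
DEFANGED = [
    "wijf[.]gstoran[.]com",
    "reapply[.]pages[.]dev",
    "2ex8wa13c59[.]pics",
    "261755[.]com",
    "glspromo[.]com",
]

def refang(text):
    """Turn defanged notation (hxxp, [.]) back into a usable host or URL."""
    return text.replace("[.]", ".").replace("hxxp", "http", 1)

BLOCKED = {refang(d).lower() for d in DEFANGED}

def matched_indicator(host):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKED:
            return candidate
    return None

# Constructed proxy log lines (timestamp, user, URL), kept defanged on the page.
SAMPLE_LOG = [
    "2024-07-15T08:02:11Z user-a hxxps://wijf[.]gstoran[.]com/login",
    "2024-07-17T09:14:40Z user-b hxxps://reapply[.]pages[.]dev/",
    "2024-07-17T09:15:02Z user-c hxxps://some-other-project[.]pages[.]dev/guide",
    "2024-07-18T10:30:55Z user-d hxxps://WWW.GlsPromo[.]com./auth?x=1",
    "2024-07-18T11:00:00Z user-e hxxps://notglspromo[.]com/",
]

def scan(lines):
    """Return (timestamp, user, indicator) for each request to a listed domain."""
    hits = []
    for line in lines:
        ts, user, url = refang(line).split(maxsplit=2)
        hit = matched_indicator(urlsplit(url).hostname or "")
        if hit:
            hits.append((ts, user, hit))
    return hits

if __name__ == "__main__":
    for ts, user, hit in scan(SAMPLE_LOG):
        print(ts, user, hit)
```

Users who appear in the output are candidates for a password reset and a review of their recent MFA prompts and active sessions.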


RapidIdentity’s PhishID browser extension deploys sophisticated AI-powered computer vision to detect and block attempts to harvest credentials. The solution often stops zero-day threats that go undetected by other solutions relying only on known threats. We often see our customers protected from phishing attacks 14 days before they are reported by other solutions. Modern phishing attacks operate at machine speed, requiring a solution that can respond just as swiftly. Adversaries are deploying sophisticated attacks that include MFA bypass and QR code phishing - all of which can be intercepted by PhishID.


As we sit weeks out from the back-to-school season for most districts, we are seeing a sharp rise in phishing attacks. There are groups of threat actors that specifically focus on targeting K-12 institutions and have a deep understanding of their operational patterns. Schools are frequently targeted during back-to-school periods. Cybercriminals are aware that district staff face increased stress during these times, and they exploit this vulnerability to improve their chances of success.


Be safe.




