In this attack, attackers impersonate an automated notification from a well-known bank in order to steal recipients’ online banking login credentials.
Quick Summary of Attack Target
Platform: Office 365
Mailboxes: 5,000 – 50,000
Bypassed Email Security: Office 365
Payload: Malicious Link
What was the attack?
Setup: Cybercriminals are stepping up their efforts at an especially vulnerable time to access liquid funds in victims’ accounts. This attack impersonates a well-known bank, using realistic login pages and disguised URLs to phish an unsuspecting user.
Email attack: The initial email impersonates an automated notification from the banking institution BB&T. Within the body is a brief message stating that the user has been locked out of their account from too many login attempts. The message provides a text-embedded link that redirects the user to a phishing landing page.
Payload: The landing page reached after the redirect is hosted on “mongolian-appraisal[.]000webhostapp[.]com”, while the domain in the embedded link before the first redirect, “ht[.]ly/rSgN30rqCSq”, is registered to the Libyan Spider Network (int). Further, the IP originates from a commercially available VPN service, a strong indication that this is not a legitimate BB&T landing page.
Result: If recipients enter their username and password, they hand attackers their personal banking credentials, which can then be used for fraudulent purposes.
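The indicators described above (a shortened link in the email body, a redirect to a free-hosting domain, and bank branding on a link that does not resolve to the bank) can be checked before a message reaches a mailbox. The following is an added example, not code from the original post: a small Python scanner that extracts the links from an HTML email body, follows a redirect map offline, and reports which indicators fire. The brand domain “bank.example”, the PLACEHOLDER URLs and the sample email are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Indicator classes from the page: a URL shortener in front of a free-hosting landing page.
SHORTENER_DOMAINS = {"ht.ly", "ow.ly", "bit.ly", "tinyurl.com"}
FREE_HOSTING_SUFFIXES = (".000webhostapp.com",)
BRAND_DOMAINS = {"bank.example"}  # assumed legitimate domain for the brand (hypothetical)

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def resolve_chain(url, redirects, limit=5):
    """Follow an offline redirect map (stand-in for live HEAD requests), capped to avoid loops."""
    chain = [url]
    while chain[-1] in redirects and len(chain) <= limit:
        chain.append(redirects[chain[-1]])
    return chain

def assess_link(href, text, redirects):
    """Return the findings for one embedded link; an empty list means nothing fired."""
    first_host = urlparse(href).hostname or ""
    final_host = urlparse(resolve_chain(href, redirects)[-1]).hostname or ""
    checks = [
        (first_host in SHORTENER_DOMAINS, "link hidden behind a URL shortener"),
        (final_host.endswith(FREE_HOSTING_SUFFIXES), "landing page on free web hosting"),
        ("bb&t" in text.lower() and final_host not in BRAND_DOMAINS, "brand lure leads to a non-brand host"),
    ]
    return [message for hit, message in checks if hit]

def scan_email(html_body, redirects):
    """Map every link in the email body to its findings."""
    parser = LinkExtractor()
    parser.feed(html_body)
    return {href: assess_link(href, text, redirects) for href, text in parser.links}

# Constructed sample: the lockout lure behind a shortened link, plus one legitimate link.
SAMPLE_EMAIL = """<p><a href="https://ht.ly/PLACEHOLDER">Verify your BB&amp;T account now</a></p>
<p><a href="https://bank.example/help">BB&amp;T help centre</a></p>"""
REDIRECTS = {"https://ht.ly/PLACEHOLDER": "https://PLACEHOLDER.000webhostapp.com/login"}
```

In production the redirect map would be filled by resolving each shortened link in a sandbox rather than from the recipient's network; the cap in resolve_chain guards against redirect loops.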
Why was this attack effective?
Convincing email and landing page: Banks often send email notifications regarding online banking activity. The email looks like a simple request to update contact information. The attackers take an extra step, asking the recipient to complete an additional security verification step, simulating the experience of logging into their account.
Urgency: Although the email is automated, the urgency comes from the indication within the email that the recipient has been locked out of their account after too many unsuccessful login attempts. This is the lure: it provokes fear in the recipient that someone else is attempting to log in to their account, which prompts them to take action and follow the link to the landing page.