Phishing attacks thrive in chaos, and there is certainly no shortage of turmoil right now. I wanted to share with you some of the leading threats SilverSky’s Threat Intelligence Team has identified, as well as a threat reported in a recent news article.
Since phishing campaigns generally rely on emotions like confusion, urgency, and fear, it isn’t surprising that attackers continue to take advantage of the COVID-19 pandemic and the anxiety surrounding the upcoming US presidential election.
The following is a summary of what we are seeing out there right now. For more detailed information and malicious email observations over time, I invite you to access our Malicious Email Report Library.
Emotet Spear-Phishing Campaign Leverages Presidential Election Anxiety
Emotet, by far today’s largest malware botnet, has triggered multiple security alerts this month in countries such as France, Japan, New Zealand, and the US. The emails contain links and attachments with fake documents such as invoices, shipping information, CVs, financial documents, scanned documents, or information on COVID-19.
Additionally, SilverSky’s Threat Intelligence Team observed Emotet’s presence as attackers take advantage of the anxiety surrounding the US elections. We spotted a new spam campaign pretending to be from the Democratic National Convention’s (DNC) Team Blue initiative. Emotet’s primary goal is to convince recipients to open the attached malicious document. Once the attachments are opened, and macros enabled, the malware will be installed and executed on the user’s machine.
Directly after the first Presidential debate, the threat actors behind Emotet, mainly known as TA542, executed a new spam campaign pretending to be from the DNC asking for volunteers to help Democrats get elected. SilverSky’s Threat Intelligence Team also discovered a few Emotet emails very recently containing the keywords “County” and “Administration” in the subject line, linking the messages to the county offices that handle voting processes such as registration, voting, and counting ballots.
Voter Registration ‘Error’ Phishing Attack
Similar to the election-related phishing campaigns seen by SilverSky, other stories related to voter registration have been reported. Further leveraging election anxiety, these phishing emails tell recipients that their voter registration applications are incomplete, ultimately aiming to steal social security numbers, dates of birth, driver’s license data, and more.
The emails look as if they were sent by the US Election Assistance Commission, an independent government agency that serves as an election administration information resource. The email contains a URL leading to a spoofed web page aiming to capture the above-mentioned personal data. The emails’ subject line and body include wording like “voter registration”.
This campaign uses a classic but effective social engineering tactic. An urgent problem is shared with the recipient, and they must share personal information to correct the issue.[1]
Return of Amazon Phishing Scam
Of course, online shopping has increased a great deal during the pandemic. Therefore, it is not surprising that our Threat Intelligence Team has tracked an increase in phishing campaigns targeting Amazon customers. One of the malicious emails contains the subject line “You are receiving this email because you are an Amazon customer.” The sender’s address impersonates Amazon, using <account-update@amazon[.]co[.]jp> to look genuine. The link within the email redirects to a fake Amazon login page hosted on a [.]xyz TLD domain.
Always look for spelling or grammatical errors. It is also essential to note that Amazon does not use email to request customers’ confidential information like a PIN, credit card number, security code, or bank account information.
FedEx-Themed Dridex Malspam
FedEx is the latest lure used by cybercriminals to spread Dridex in a worldwide campaign. Our Threat Intelligence Team has discovered new malspam attacks that exploit a fake invoice with a zipped archive file or Excel file attached. Once the attachment is opened, the file communicates with command and control (C2) servers and immediately downloads a DLL.
The user’s machine is then infected with Dridex, malware that specializes in stealing bank credentials. The emails have subject lines beginning “Fedex Tracking Number,” followed by a random reference number; they pretend to come from FedEx <no-reply[@]fedex[.]com> and claim that the parcel has just arrived. SilverSky’s Threat Intelligence Team uncovered another email in this campaign with an “Invoice Ready for Payment” subject line.
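As an added example, not SilverSky’s tooling and not part of the original post, the following Python triage function turns the indicators described in the Amazon and FedEx sections above (quoted lure subject lines, a brand sender whose link leaves the brand’s own domains or lands on a .xyz host, zipped or Excel “invoice” attachments) into scored detection rules and runs them over constructed sample messages. The brand sending domains and the sample hosts are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Brands this page shows being impersonated, mapped to the domains they
# legitimately send from (assumed for the example; tune to your environment).
BRAND_DOMAINS = {"amazon": {"amazon.com", "amazon.co.jp"}, "fedex": {"fedex.com"}}
# Subject-line lures quoted in the article.
SUBJECT_PATTERNS = [
    re.compile(r"^fedex tracking number\b", re.I),
    re.compile(r"^invoice ready for payment\b", re.I),
    re.compile(r"because you are an amazon customer", re.I),
    re.compile(r"\bvoter registration\b", re.I),
]
RISKY_ATTACHMENTS = (".zip", ".xls", ".xlsm", ".doc", ".docm")
SUSPICIOUS_TLDS = {"xyz"}

def triage(msg):
    """Score one message dict (sender, subject, urls, attachments); returns (score, reasons)."""
    reasons = []
    sender_domain = msg["sender"].rsplit("@", 1)[-1].lower()
    brand = next((b for b in BRAND_DOMAINS if b in sender_domain), None)
    for pat in SUBJECT_PATTERNS:
        if pat.search(msg["subject"]):
            reasons.append(f"subject matches known lure: {pat.pattern}")
            break
    for url in msg["urls"]:
        host = (urlparse(url).hostname or "").lower()
        if host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
            reasons.append(f"link hosted on suspicious TLD: {host}")
        # A brand sender whose link leaves the brand's own domains is the
        # classic credential-phish shape (spoofed From, lookalike landing page).
        if brand and not any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand]):
            reasons.append(f"{brand} sender links to off-brand host: {host}")
    for name in msg["attachments"]:
        if name.lower().endswith(RISKY_ATTACHMENTS):
            reasons.append(f"risky attachment type (macro/archive lure): {name}")
    return len(reasons), reasons

# Constructed samples modelled on the lures above; not real captures.
SAMPLES = {
    "amazon": {"sender": "account-update@amazon.co.jp",
               "subject": "You are receiving this email because you are an Amazon customer",
               "urls": ["http://amazon-account-check.xyz/signin"], "attachments": []},
    "fedex": {"sender": "no-reply@fedex.com", "subject": "Fedex Tracking Number 4471029",
              "urls": [], "attachments": ["invoice.zip"]},
    "benign": {"sender": "alerts@example.org", "subject": "Your order has shipped",
               "urls": ["https://example.org/orders/1"], "attachments": []},
}
```

Each reason is an independent signal, so a score of 2 or more on a message from a brand sender is a reasonable threshold for quarantine-and-review rather than outright blocking.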
To learn more about the cyberattacks observed every month, we encourage you to access our Malicious Email Attack Report Library. As always, if SilverSky can help you better protect your digital estate from phishing attacks and cybersecurity threats at large, don’t hesitate to contact us.
[1] “Voter Registration ‘Error’ Phish Hits During U.S. Election Frenzy,” Lindsey O’Donnell, Threatpost, October 2, 2020