Security researchers have detected a new phishing scam targeting organizations in sectors including healthcare and education. Approximately 27,660 mailboxes have been reached by the suspicious email messages. ArmorBlox researchers provided more details about the phishing attack.
New Phishing Campaign Uses WhatsApp Voice Notifications as a Lure
The techniques the phishing operators used included vishing, drive-by downloads, and brand impersonation, among other social engineering tricks. The lure in the campaign is a cleverly written, socially engineered email titled “New Incoming Voicemessage,” whose body opens with a header repeating the email title.
The email body spoofed a secure message from WhatsApp and suggested that the victim had received a new private voicemail, ArmorBlox said. Upon opening the message, the user was invited to click a “play” button to view the secure message.
Not surprisingly, the sender domain, mailman.cbddmo.ru, turned out to be Russian. According to the report, “the email domain is associated with the ‘center for road safety of the moscow region’ page. According to the website this organization was established to provide assistance to the State Road Safety operations for Moscow and it belongs to the Ministry of Internal Affairs of the Russian Federation.”
The phishing operators likely abused a deprecated or outdated part of the organization’s parent domain to send out the malicious emails. Notably, the emails passed all authentication checks, such as SPF and DMARC, which is consistent with their having been sent from infrastructure legitimately tied to that domain.
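An SPF or DMARC “pass” only shows that the mail left infrastructure authorized for the sender’s own domain; it says nothing about whether that domain belongs to the brand named in the lure. The triage check below is an added example, not code from the Armorblox report: it parses the authentication results, then compares the brand mentioned in the message against the From: domain. The sample message, the BRAND_DOMAINS list and the helper names are constructed for the demonstration.

```python
# Added example, not from the Armorblox report: triage a message that passes
# SPF/DMARC yet impersonates a brand. A "pass" only shows the mail came from
# infrastructure authorised for the sender's own domain, so the check compares
# the brand named in the lure with the From: domain. Sample mail is constructed.
import re
from email import message_from_string
from email.utils import parseaddr

# Brand -> domains assumed to legitimately send for it (assumption for the demo).
BRAND_DOMAINS = {"whatsapp": {"whatsapp.com", "whatsapp.net"}}

# Constructed sample modelled on the "New Incoming Voicemessage" lure above.
SAMPLE_MAIL = """\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=cbddmo.ru;
 dmarc=pass header.from=cbddmo.ru
From: WhatsApp Notifier <noreply@mailman.cbddmo.ru>
To: user@example.org
Subject: New Incoming Voicemessage

New Incoming Voicemessage
WhatsApp secure message: you have a new private voicemail. Click Play to listen.
"""

def auth_results(msg):
    """Parse spf/dkim/dmarc verdicts out of Authentication-Results headers."""
    header = " ".join(msg.get_all("Authentication-Results", []))
    return {k.lower(): v.lower()
            for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}

def impersonated_brand(msg):
    """Return a brand named in the lure whose sending domains do not match the
    From: domain, or None when no such mismatch exists."""
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace")
    text = f"{msg.get('From', '')} {msg.get('Subject', '')} {body}".lower()
    for brand, domains in BRAND_DOMAINS.items():
        legit = any(from_domain == d or from_domain.endswith("." + d)
                    for d in domains)
        if brand in text and not legit:
            return brand
    return None

def triage(raw):
    """Combine authentication results and the brand check into one verdict."""
    msg = message_from_string(raw)
    brand = impersonated_brand(msg)
    return {"auth": auth_results(msg), "brand_mismatch": brand,
            "verdict": "suspicious" if brand else "ok"}
```

Running `triage(SAMPLE_MAIL)` reports spf and dmarc as "pass" while still flagging the message as suspicious because the WhatsApp branding does not match the sending domain.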
What is the end goal of the operation? It is to get the user to install a specific trojan, JS/KryptikFig, via a specially crafted landing page. Once on the page, users were prompted to complete a “not a robot” check. Clicking “allow” on the resulting pop-up notification at that URL triggered the malicious payload. The malware installed is an infostealer, capable of harvesting a range of sensitive details from the victim’s computer.
New Technique Makes Phishing Indistinguishable
Phishing attempts are evolving and becoming more threatening to both individual users and entire organizations. Browser-in-the-browser (BitB) is a new type of attack that simulates a browser window inside the browser to spoof a legitimate domain, making highly credible phishing attacks possible.
Discovered by a penetration tester known as mr. d0x, the technique leverages the third-party single sign-on options typically embedded on websites, such as Sign in with Facebook or Google.