We can see that the page has pulled the email address from the initial URL then placed it at the top of the page and in the email address field for the login. Once the button is clicked, the user is redirected to a page that appears to be a Webmail l ogin page.
Upon examination of the URL, we see that the recipient ’ s email address has been coded so that the phishing page can prefill some data when it loads. In taking this approach, the threat actor has exploited methods used in multiple phishing campaigns designed to gain users ’ trust ( by spoofing an internal source ), and then reducing critical analysis. Here, the threat actor has added the recipient ’ s email address to the body to provide a personal touch. It allows users to analy z e the blocking policy, then decide if the policy was correct before opting to release the email to their inbox. This follows a common style of emails sent by SEGs ( s ecure e mail g ateways) when they have blocked an email from reaching the user ’ s mailbox. Then there’s a button for the user to click to “Release All” the blocked emails to their inbox. The bold and large title attracts attention, and is followed by further information to clarify the purpose of the email. T he user is presented with a notice advising that they have m essages to review.
Th is, combined with the subject line and the heading of the email body, creates a sense of urgency and importance for the email to better attract the user’s interest. H owever, the address is an external one ( ). To add authenticity to the email, the threat actor s have spoofed the email address so that it appear s to be from an i nternal address ( ). The Cofense Phishing Defen s e Cent e r (PDC) has observed a new phishing campaign that posts the harvested credentials utili z ing the Telegram API. In addition to the standard messaging application, Telegram also offers API options that allow users to create programs that use Telegram messages for an interfac e. This, however, can also be appealing to threat actor s for illegitimate purposes. Its encrypted messages, and potential message self-destruct options, can be attractive to legitimate users looking for more privacy and protection tha n standard/legacy messaging options.
By Jake Longden, Cofense Phishing Defense Cent e r
0 kommentar(er)
