A phishing campaign is making the rounds that uses fake voicemail messages to lure victims into revealing their Office 365 email credentials.
The targets are “high-profile companies,” according to researchers, mainly in the tourism, entertainment and real-estate industries. A wide range of employees are being targeted, from middle management to executive-level staff – but researchers said that they believe this is mainly a “whaling” campaign going after top brass.
“The goal of malicious actors is to harvest as many credentials as possible, to gain access to potentially sensitive information and open the possibility of impersonation of staff, which could be very damaging to the company,” said McAfee researchers Oliver Devane and Rafael Pena, in research released on Thursday. “The entered credentials could also be used to access other services if the victim uses the same password, and this could leave them open to a wider range of targeted attacks.”
The attack starts with an email saying the recipient has missed a phone call, along with a request to log in to their account to access the voicemail, according to analysts. The message carries an attached HTML file that redirects the user to a phishing website; most of the time it also contains an audio recording meant to sound like a legitimate voicemail. The HTML files have vanilla names like “10-August-2019.wav.html” and “Audio_Telephone_Message15-August-2019.wav.html.”
On the phishing page, where the target’s email address is prepopulated, the user is asked to “log into their account.” Once the password is entered, the user is shown a “successful login” message and redirected to the legitimate office.com login page.
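The delivery chain above (an HTML attachment with a media-looking double extension whose only job is to bounce the browser to a credential page with the target’s address pre-filled) is straightforward to triage at the mail gateway without ever rendering the file. The following is an added defender-side example, not code from McAfee or Threatpost; the attachment name, the placeholder host `phish.example.invalid` and the victim address are constructed for illustration.

```python
"""
Triage helper for "missed voicemail" HTML attachments (added example, not
from the McAfee research).  It flags the traits the article describes: an
audio-looking double extension such as ".wav.html", and an HTML body whose
purpose is to redirect the browser or post a form elsewhere, often with the
recipient's email address already embedded.  The sample attachment at the
bottom is constructed; the host name is a placeholder.
"""
import re
from dataclasses import dataclass, field

# File-name pattern: a media/document extension immediately followed by .html/.htm.
DOUBLE_EXT_RE = re.compile(r"\.(wav|mp3|m4a|ogg|pdf|docx?)\.html?$", re.IGNORECASE)

# Redirect / form-submission indicators inside the HTML body.
META_REFRESH_RE = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*url\s*=\s*([^"\'\s>]+)',
    re.IGNORECASE)
JS_LOCATION_RE = re.compile(
    r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE)
FORM_ACTION_RE = re.compile(r'<form[^>]+action\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
EMAIL_RE = re.compile(r'[\w.+-]+@[\w-]+\.[\w.-]+')


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)
    destinations: list = field(default_factory=list)


def extract_destinations(html: str) -> list:
    """Return every URL the page would send the browser, or its form data, to."""
    dests = []
    for rx in (META_REFRESH_RE, JS_LOCATION_RE, FORM_ACTION_RE):
        dests.extend(m.group(1) for m in rx.finditer(html))
    return dests


def triage_attachment(filename: str, html: str) -> Verdict:
    """Score an email attachment by name and static content; never executes it."""
    reasons = []
    if DOUBLE_EXT_RE.search(filename):
        reasons.append("media-looking double extension on an HTML file")
    dests = extract_destinations(html)
    if dests:
        reasons.append("HTML body redirects or posts to %d destination(s)" % len(dests))
    # A recipient address baked into the attachment is the pre-filled login
    # form the article describes; a real voicemail notice carries no login page.
    if dests and EMAIL_RE.search(html):
        reasons.append("recipient email embedded alongside a redirect")
    # A tiny body whose only content is a redirect is almost never legitimate.
    if dests and len(html) < 2048:
        reasons.append("tiny body whose only content is the redirect")
    # Two or more independent traits together are treated as suspicious.
    return Verdict(suspicious=len(reasons) >= 2, reasons=reasons, destinations=dests)


# Constructed sample in the shape described in the article (placeholder host).
SAMPLE_NAME = "Audio_Telephone_Message15-August-2019.wav.html"
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=https://phish.example.invalid/login?u=victim@corp.example">
</head><body>Loading voicemail...</body></html>"""

if __name__ == "__main__":
    v = triage_attachment(SAMPLE_NAME, SAMPLE_HTML)
    print("suspicious:", v.suspicious)
    for r in v.reasons:
        print(" -", r)
    print("destinations:", v.destinations)
```

The script only pattern-matches the attachment text, so it is safe to run on quarantined mail; in practice you would feed `extract_destinations` into a URL-reputation lookup and treat any hit on `DOUBLE_EXT_RE` as a reason to hold the message regardless of body content.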
“What sets this phishing campaign apart from others is the fact that it incorporates audio to create a sense of urgency which, in turn, prompts victims to access the malicious link,” said Devane and Pena. “This gives the attacker the upper hand in the social engineering side of this campaign.”
A total of three different phishing kits are being used to carry out the scam, they found during their forensic investigation.
“All three look almost identical but we were able to differentiate them by looking at the generated HTML code and the parameters which were accepted by the PHP script,” explained the researchers.
The first kit is advertised on social media and is sold on an ICQ channel. The kit goes by the name of “Voicemail Scmpage 2019” and operates on a license key basis, where the license key is checked prior to the phishing site being loaded, according to the analysis. A file, data.txt, is created on the compromised website and it contains a list of visitors, including their IP address, web browsers and the date.
The second phishing kit is called “Office 365 Information Hollar,” and is very similar to the first. And finally, a third, unnamed kit makes use of code from a previous malicious kit targeting Adobe users back in 2017, Devane and Pena said.
“It is possible that the original author from 2017 has modified this kit, or perhaps more likely the old code has been re-used by a new group,” they noted, adding that the unnamed kit is the most prevalent out of the three.
All three harvest email addresses, passwords, IP addresses and the victim’s location.
The campaign is unusual in its targeting of executives. As Sherrod DeGrippo, senior director of the threat research and detection team at Proofpoint, told Threatpost, employees further down the ladder are usually targeted more often in enterprise attacks, for the simple reason that their contact information is easier to find.
“We’re finding that the threat actors are going after the profiles, either on social media on things like published reports in the particular industry…and the threat actors are savvy at finding those connections, tracing them back, finding the people to attack and it’s typically not those in the C-Suite,” she said during a recent Threatpost podcast. “Only 7 percent of executive emails…are available online – executives are keeping them hidden. But people a little bit further down, they’re trying to build their profiles, build their brands, they’re much more accessible, and the threat actors are finding them.”
To avoid becoming a victim in this campaign (and others), email users should, as always, be cautious when opening attachments from unknown senders; and, they should avoid using the same password for different services. Two-factor authentication is always a good idea as well.