Nearly 5 months undetected – simple phishing scam

Flashpoint has uncovered a phishing scam that had remained undetected due to its simplicity. This business email compromise (BEC) scam was based on sending malicious PDFs that featured “embedded links that redirected potential victims to credential-harvesting phishing sites.” A total of 73 files were discovered that between them directed users to 29 different domains.

These 73 PDFs were used in campaigns between March 28, 2017 and August 8, 2017, and targeted a range of organizations including, but not limited to, universities, retailers, software and technology, real estate, and churches.

According to the Flashpoint blog post:

Upon opening the PDF, the potential victim would be presented with a prompt to view a secure online document; when clicked, this prompt would redirect the victim to a phishing website to input their login credentials.

By submitting their credentials, a victim would inadvertently give the attackers access to their account. The attackers would then send spear-phishing emails to the victim’s contacts. These emails were more likely to be opened as a result of coming from a ‘trusted’ email account.
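The delivery mechanism described above (a PDF whose only job is to carry a link to a credential-harvesting page) is something a mail gateway or an analyst can check for without opening the attachment. What follows is an added example, not code from the original post or from Flashpoint: a small Python scanner that pulls every /URI action out of a PDF, including ones stored inside Flate-compressed streams, and flags any link whose host is not on an allowlist or that uses cleartext HTTP. The sample PDFs, the hostnames and the `trusted_hosts` allowlist are constructed for the example and are not indicators from the campaign.

```python
from __future__ import annotations
import re
import zlib
from urllib.parse import urlparse

# Constructed sample: a minimal one-page PDF whose only content is a link annotation
# with a /URI action, mimicking a "view secure document" lure. Not a real phishing file.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [100 600 400 650]
   /A << /S /URI /URI (http://secure-doc-viewer.example/login?acct=1) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI (literal string) with backslash escapes, and /URI <hex string>.
_URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
_URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
# Flate-compressed streams: PDF 1.5+ object streams can hold annotation dictionaries
# here, where a plain text search of the file would never see them.
_FLATE_STREAM = re.compile(rb"/FlateDecode.*?stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
            b"(": b"(", b")": b")", b"\\": b"\\"}


def _unescape(raw: bytes) -> str:
    """Decode PDF literal-string escapes (\\(, \\), \\\\, \\n, octal \\ddd)."""
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i:i + 1]
        if c == b"\\" and i + 1 < len(raw):
            nxt = raw[i + 1:i + 2]
            if nxt in _ESCAPES:
                out += _ESCAPES[nxt]
                i += 2
                continue
            m = re.match(rb"[0-7]{1,3}", raw[i + 1:i + 4])
            if m:
                out.append(int(m.group(0).decode(), 8) & 0xFF)
                i += 1 + len(m.group(0))
                continue
            i += 1  # unknown escape: drop the backslash, keep the next char
            continue
        out += c
        i += 1
    return out.decode("latin-1")


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI target in the raw file and in any Flate-compressed stream, in order."""
    blobs = [pdf]
    for m in _FLATE_STREAM.finditer(pdf):
        try:
            blobs.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # damaged or multiply-filtered stream: skip it rather than abort the scan
    found = []
    for blob in blobs:
        for m in _URI_LITERAL.finditer(blob):
            found.append(_unescape(m.group(1)))
        for m in _URI_HEX.finditer(blob):
            digits = re.sub(rb"\s", b"", m.group(1))
            if len(digits) % 2:
                digits += b"0"  # an odd trailing digit is padded with 0 per the PDF spec
            found.append(bytes.fromhex(digits.decode()).decode("latin-1"))
    return list(dict.fromkeys(found))  # de-duplicate, preserving first-seen order


def triage(pdf: bytes, trusted_hosts: set[str]) -> list[dict]:
    """Flag each link: untrusted host and/or cleartext HTTP. An empty reasons list means clean."""
    report = []
    for uri in extract_uris(pdf):
        parts = urlparse(uri)
        host = (parts.hostname or "").lower()
        reasons = []
        if host not in trusted_hosts:
            reasons.append("untrusted host")
        if parts.scheme.lower() == "http":
            reasons.append("cleartext http")
        report.append({"uri": uri, "host": host, "reasons": reasons})
    return report


def build_pdf_with_compressed_link(uri: bytes) -> bytes:
    """Constructed helper: wrap a link annotation in a Flate-compressed stream so the URI
    is invisible to a plain `strings`-style search but still found by extract_uris()."""
    body = b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (" + uri + b") >> >>"
    data = zlib.compress(body)
    return (b"%PDF-1.5\n5 0 obj << /Length " + str(len(data)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + data + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    for entry in triage(SAMPLE_PDF, {"intranet.example.org"}):
        print(entry)
```

A regex scan like this is deliberately cheap so it can run on every inbound attachment; it does not follow encrypted PDFs, multi-filter streams or JavaScript-built links, so treat a clean result as "no obvious link lure", not as a clean bill of health, and hand anything flagged to a proper PDF parser or a sandbox.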

Flashpoint analysts assessed the attacks and stated that they “are likely being carried out by attackers located in Western Africa due to the originating IP addresses of the phishing emails.”

They continued:

BEC actors and cybercriminals located in West Africa typically do not make significant efforts to enhance their OPSEC practices or conceal their locations; however, they are still largely successful in stealing billions of dollars from publicly traded and high-profile organizations each year.

Phishing attacks are on the increase, and this example reiterates the importance of remaining vigilant. The simple nature of this attack meant it went undetected for almost five months.

How to protect yourself from phishing attacks

No matter how effective your spam filter is, a spoof email could bypass it, making your organization’s staff the last line of defense against fraud. It is therefore vital that your staff are aware of the risks of phishing emails. E-learning courses are an efficient, cost-effective method of training all your staff with minimal disruption.

Our Phishing Staff Awareness Course gives your staff an introduction to understanding and spotting phishing scams, and helps reduce the chance that an employee will hand over confidential information or inadvertently infect your organization’s systems. The course helps employees identify phishing attacks, explains what would happen should they fall victim, and shows them how they can mitigate the threat of an attack.
Find out more about our Phishing Staff Awareness Course >>