Phishing Campaign Targets Executives with Fake Emails from Their Phone Provider
A new spear-phishing campaign has been spotted, aimed at company executives and other individuals. The goal of the campaign is to steal login credentials and banking details. The threat actors have taken up the guise of the smartphone provider of their targeted victims.
The campaign was spotted by the researchers of cybersecurity company Cofense, with emails being the primary source of the scam. The emails claimed to come from the victim's smartphone provider, referring to an issue with their bill. The company said the spoof was sent to a few executives, including one that worked at an unnamed, leading financial firm.
The messages came with a subject titled 'View Bill – Error – Message' and were designed with a brand that looks like they came from EE, a UK-based telecom and internet service provider. The message claims the company is working on fixing an unspecified issue, asking the users to log in to their accounts to update their details.
Keeping an Eye out for Suspicious Emails and Messages
Users are advised to be careful when they receive unexpected messages of this kind, especially ones that ask for immediate action. There are elements in a phishing email that acts like a sign that something is odd and suspicious about it. The sender address includes EE as a name, but the email address has no connection to the company. The domain of the message was registered in the Netherlands.
The malicious URL received by the victims is also very long and has odd words in like 'fly-guyz.' In cases where the victim fails to notice the unusual nature of the email, they are taken to a spoofed login page that looks almost identical to the real thing, even down to a trusted HTTPS protocol and an SSL certificate. The web address doesn't match, however.
The user is asked to enter their email and password into the login page of the spoofed website. After the details are entered, the victim gets taken to another page, asking them for banking details, full name, card number, CVV number, expiration date, date of birth, and the sort code, which is enough to get away with stealing the account. Once the details are entered, the victim gets redirected to the actual operator's page, the attackers trying to avoid suspicion in the process.
Cofense Warned the Phishing Page Was Still Active
More possible phishing attempts might follow on users around the world. The spoofed domains aren't a new method of attack, but it is one that works well. Users should be aware of unexpected emails that allegedly come from companies. That is especially relevant for those asking for immediate action, including clicking on links or downloading attachments. Calling the company the email claims to come from could be an excellent way to check its authenticity.