The NCSC: the UK is suffering an automated, ongoing, widespread credential-harvesting phishing campaign. The campaign has been active since at least July 2018 through various iterations, with a recent spike in reports to the NCSC in early October 2019.
The UK is suffering an automated, ongoing, widespread credential-harvesting phishing campaign. It has been reported by National Cyber Security Centre (NCSC) experts, who are investigating the phenomenon. The campaign has been active since at least July 2018 through various iterations, with a recent spike in reports to the NCSC in early October 2019. It appears to be spreading indiscriminately across a very broad range of UK sectors. Users receive a phishing email from a legitimate, known account that has been compromised. Earlier phishing emails were sent from contacts with whom the recipient had recently exchanged email, and the subject lines often mirrored the most recent exchange, which lent the message an initial plausibility. More recently, the subject line is the compromised user’s address-book entry for the recipient of the phishing email: this could be the recipient’s name, the email address, or simply blank.
How the phishing campaign works according to the cyber security experts
According to the cyber security experts, the recent iteration of these phishing emails consists of a black ellipsis on a grey highlighted background with a single sentence underneath containing a hyperlink. There are slight variations in the sentence wording, but four structures currently prevail. Previous versions of the campaign included a coloured button containing variations of the text ‘view the message’, which prompted the campaign’s earlier name, ‘RGB’ or ‘Red/Green/Blue Button Phishing Campaign’. If the user clicks the hyperlink, a spoofed login page appears that includes the victim organisation’s logo and email address, together with a password entry form. The page is tailored to the recipient’s domain, so the presence of the organisation’s own branding is no indication that the page is genuine. Victim accounts have also been compromised without the user ever entering credentials on such a page; it is possible that the actor has used password spraying to gain access.
Cybercriminals monitor the victim mailbox and observe sent items, then disseminate the malicious email further (via SMTP) using the victim’s address book
If the crook manages to compromise an account, they access it remotely (via IMAP) to monitor the victim’s mailbox and observe the sent items. The account is then accessed a second time to disseminate the phishing email further (via SMTP), using the victim’s address book identified during the previous access. Both accesses are made over mail protocols rather than through a webmail interface, so the IMAP and SMTP authentication logs are where the activity will be visible.
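The two behaviours the article describes, a possible password spray against many accounts and the read-over-IMAP-then-send-over-SMTP pattern from a source the victim has never used, can both be picked out of mail-server authentication logs. The following is an added detection example written for this page, not NCSC or any vendor code; the log format, the sample lines and the baseline of known source IPs are all constructed, and the thresholds are illustrative defaults that a practitioner would tune to their own volumes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (the format is an assumption loosely modelled on
# Dovecot/Postfix output). 203.0.113.9 sprays five accounts, lands on frank,
# comes back later to read his mailbox over IMAP and then pushes the same lure
# to six contacts over SMTP. alice's login from her usual IP is benign.
SAMPLE_LOG = """\
2019-10-07T08:00:01 imap-login: auth failed user=alice@example.org ip=203.0.113.9
2019-10-07T08:00:02 imap-login: auth failed user=bob@example.org ip=203.0.113.9
2019-10-07T08:00:03 imap-login: auth failed user=carol@example.org ip=203.0.113.9
2019-10-07T08:00:04 imap-login: auth failed user=dave@example.org ip=203.0.113.9
2019-10-07T08:00:05 imap-login: auth failed user=erin@example.org ip=203.0.113.9
2019-10-07T08:00:06 imap-login: ok user=frank@example.org ip=203.0.113.9
2019-10-07T08:05:10 imap-login: ok user=alice@example.org ip=198.51.100.20
2019-10-07T08:06:00 smtp: sent from=alice@example.org to=bob@example.org ip=198.51.100.20
2019-10-07T09:12:00 imap-login: ok user=frank@example.org ip=203.0.113.9
2019-10-07T09:13:01 smtp: sent from=frank@example.org to=c1@partner.example ip=203.0.113.9
2019-10-07T09:13:02 smtp: sent from=frank@example.org to=c2@partner.example ip=203.0.113.9
2019-10-07T09:13:03 smtp: sent from=frank@example.org to=c3@supplier.example ip=203.0.113.9
2019-10-07T09:13:04 smtp: sent from=frank@example.org to=c4@supplier.example ip=203.0.113.9
2019-10-07T09:13:05 smtp: sent from=frank@example.org to=c5@example.org ip=203.0.113.9
2019-10-07T09:13:06 smtp: sent from=frank@example.org to=c6@example.org ip=203.0.113.9
"""

# Constructed baseline: the source IPs each user normally authenticates from,
# e.g. built from the previous 30 days of successful logins.
KNOWN_IPS = {
    "alice@example.org": {"198.51.100.20"},
    "frank@example.org": {"192.0.2.5"},
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>imap-login|smtp): (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(text):
    """Turn raw lines into event dicts sorted by time; unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        ev = dict(KV_RE.findall(rest))
        ev["ts"] = datetime.fromisoformat(m.group("ts"))
        ev["kind"] = m.group("kind")
        ev["ok"] = rest.startswith("ok") or rest.startswith("sent")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, min_users=5, window=timedelta(minutes=10)):
    """Source IPs whose failed IMAP logins touch >= min_users distinct accounts
    inside one window. A spray is wide and shallow, so distinct users are
    counted rather than attempts per user (which stays below lockout)."""
    failures = defaultdict(list)
    for ev in events:
        if ev["kind"] == "imap-login" and not ev["ok"]:
            failures[ev["ip"]].append((ev["ts"], ev["user"]))
    flagged = set()
    for ip, tries in failures.items():
        for i in range(len(tries)):
            users = {u for t, u in tries[i:] if t - tries[i][0] <= window}
            if len(users) >= min_users:
                flagged.add(ip)
                break
    return flagged


def detect_takeover(events, known_ips, min_recipients=5, window=timedelta(hours=1)):
    """A successful IMAP login from an IP the user has never used, followed
    within `window` by SMTP submissions from that same IP to >= min_recipients
    distinct addresses: the read-then-send pattern described in the article."""
    alerts = {}
    for ev in events:
        if ev["kind"] != "imap-login" or not ev["ok"]:
            continue
        user, ip = ev["user"], ev["ip"]
        if ip in known_ips.get(user, set()):
            continue
        recipients = {
            s["to"] for s in events
            if s["kind"] == "smtp" and s["from"] == user and s["ip"] == ip
            and ev["ts"] <= s["ts"] <= ev["ts"] + window
        }
        if len(recipients) >= min_recipients:
            alerts[user] = {"ip": ip, "recipients": sorted(recipients)}
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spray sources:", detect_password_spray(evs))
    print("takeovers:", detect_takeover(evs, KNOWN_IPS))
```

Run against the constructed log, the spray check flags 203.0.113.9 and the takeover check flags frank@example.org with six recipients reached from that IP; frank's first login from the same address at 08:00 is not flagged on its own because no SMTP activity follows it within the window, which is exactly the gap between the first (IMAP, reconnaissance) and second (SMTP, dissemination) accesses the article describes.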