Cofense Report Analysis on Phishing Campaign Utilizing Vzwpix

 

Researchers at the Cofense Phishing Defense Center (PDC), employing Cofense Vision, have been able to dig further into the addressing characteristics of one of the phishing attempts that used Verizon's multimedia messaging service, Vzwpix.

Verizon's Vzwpix is a genuine multimedia messaging service. It allows users to send emails from mobile phones, which often include the sender's contact number. Fraudsters exploit the popularity of this service by faking an original email address via spoofing. 

Cyber attackers could use these services to mass-deliver SMS messages that come from a mobile number but do not include the sender's name and identity. If the recipient does not recognize the mobile number, they might be left speculating about who sent these emails.

The Cofense PDC has received hundreds of complaints about Verizon's Vzwpix service domain over the last week.

The majority of these messages are texts or pictures, but investigators are continuously on the lookout for potential risks. Malicious actors used Vzwpix to target recipients in a range of sectors throughout the last week.

According to Cofense PDC, the messages received by users were all in plain text, without any formatting or pictures. The message leads to a new voicemail and employs a monetary enticement via ACH transfers.

The link is provided as plain text, informing users of where they will be redirected. By employing a valid survey application, it was able to avoid the first assessment from the secure email gateway (SEG); nevertheless, certain SEGs would have been able to verify the content of the survey by following the link.

The cyber attackers employed Alchemer, a survey form generator that makes it very convenient to design a survey form for users to answer. 

Further research shows that the survey is erroneously designed as a OneDrive login page, although most users were probably able to tell that it isn't a genuine Microsoft OneDrive login page.

The continue button is likewise off to the side, giving the impression that the site wasn't intended to be read with a PC web browser. 

When the page is viewed on a smartphone, the form layout is noticeably different. The modified phishing page is displayed within a white box, and the button is placed between the entry fields.

Utilizing Cofense Vision, researchers were easily able to detect several individuals who received a similar email at their organization. Even though each email originated from the very same phone number, the message IDs were all unique. All the message IDs were associated with the Verizon phone number that sent the messages. Each message ID correlates to a separate group of recipients, which was listed in the email's "To" address section.

In the analysis, every group appeared to have a minimum of 10 email accounts, comprising PDC customers and other external domains as well. After excluding the unique domains, researchers were able to ascertain that 50% of all recipients worked in the food production industry. 

The PDC client in these groups worked in the manufacturing industry; however, one of its major subsidiaries is in the food manufacturing industry. Another 25% of the targeted domains are in the supply chain and media industries.
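
The grouping described above (one sending number, several unique message IDs, each with its own "To" list of at least 10 addresses) can be reproduced over any set of raw messages. The Python sketch below is an added example, not Cofense's code or part of the original report; the sample messages, phone numbers, recipient domains and the two-message-ID threshold are constructed assumptions.

```python
from collections import Counter, defaultdict
from email import message_from_string
from email.utils import getaddresses, parseaddr

MMS_DOMAIN = "vzwpix.com"  # Verizon MMS gateway domain the article discusses
MIN_GROUP = 10             # article: every group had at least 10 addresses


def cluster_by_sender(raw_messages, min_group=MIN_GROUP, min_message_ids=2):
    """Return gateway senders seen with several Message-IDs that each carry a large To list."""
    groups = defaultdict(dict)  # sender -> {message_id: set of recipients}
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        msg_id = (msg.get("Message-ID") or "").strip()
        if not msg_id or not sender.endswith("@" + MMS_DOMAIN):
            continue
        rcpts = {a.lower() for _, a in getaddresses(msg.get_all("To", [])) if "@" in a}
        # Copies of one message delivered to several mailboxes share a Message-ID.
        groups[sender].setdefault(msg_id, set()).update(rcpts)

    findings = {}
    for sender, by_id in groups.items():
        large = {mid: r for mid, r in by_id.items() if len(r) >= min_group}
        if len(large) >= min_message_ids:
            domains = Counter(a.rsplit("@", 1)[1] for r in large.values() for a in r)
            findings[sender] = {"message_ids": sorted(large),
                                "recipient_domains": dict(domains)}
    return findings


def _msg(sender, msg_id, rcpts):
    # Constructed sample message, not taken from the campaign.
    return (f"From: {sender}\nTo: {', '.join(rcpts)}\n"
            f"Message-ID: <{msg_id}>\nSubject: sample\n\nsample body\n")


SUSPECT = "5555550100@vzwpix.com"  # constructed number
GROUP_A = [f"a{i}@food-a.example" for i in range(6)] + [f"b{i}@media-b.example" for i in range(5)]
GROUP_B = [f"c{i}@food-c.example" for i in range(10)]
SAMPLE = [
    _msg(SUSPECT, "a1@constructed.invalid", GROUP_A),
    _msg(SUSPECT, "a1@constructed.invalid", GROUP_A),  # second mailbox copy
    _msg(SUSPECT, "b2@constructed.invalid", GROUP_B),
    _msg("5555550199@vzwpix.com", "c3@constructed.invalid", ["friend@home.example"]),
    _msg("news@other.example", "d4@constructed.invalid", GROUP_B),
]

if __name__ == "__main__":
    for sender, info in cluster_by_sender(SAMPLE).items():
        print(sender, len(info["message_ids"]), info["recipient_domains"])
```

The per-domain counts are the starting point for the sector breakdown the researchers describe; mapping a domain to an industry still has to be done by hand or from an asset inventory.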


from E Hacking News - Latest Hacker News and IT Security News https://ift.tt/3mRGesq
