Attackers have deployed a phishing campaign against remote workers who use Skype, luring them with emails that imitate notifications from the service.
The social engineering in this campaign is refined enough to make victims access the fraudulent login page and provide their credentials.
Google-managed gTLD for landing page
The phishing attack slipped past the defenses of a couple of email protection services and was discovered by cybersecurity company Cofense.
While the notification messages appear to originate from the Skype service with a legitimate-looking email address (“67519-81987@skype.[REDACTED EMAIL]”), the sender is actually an external compromised account.
“Although there are many ways to exploit a compromised account, for this phishing campaign the threat actor chose to use it to send out even more phishing campaigns masquerading as a trusted colleague or friend” – Cofense
A pending notification from a service is common enough for users to take the bait and click on the link that shows them the missed message.
The link to the phishing page and the template itself were carefully created to add to the deception. There is an initial redirect via a link in the .APP generic top-level domain (gTLD) that is managed by Google.
After that, the fake Skype login page loads at “hxxps://skype-online0345[.]web[.]app”. The use of the .APP gTLD likely helps the attacker slip past available phishing protection: the TLD is intended for app development by companies, support services, and professionals, and it requires an HTTPS connection, so the padlock in the browser lends the page an air of legitimacy.
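As an added example (not from the original article or from Cofense), the Python triage check below flags the two properties of this landing page that a defender can test for in any credential-entry link: a brand name in the hostname whose registrable domain is not one of the brand's own, and a final page hosted on a shared-hosting domain where anyone can claim a subdomain. The brand allowlist and the shared-hosting set are constructed starting points, and the registrable-domain logic is a two-label simplification rather than a public-suffix lookup.

```python
import re
from urllib.parse import urlparse

# Brand keywords and the registrable domains that may legitimately carry them.
# Constructed allowlist for this example; build yours from your own inventory.
BRAND_ALLOWLIST = {
    "skype": {"skype.com", "microsoft.com", "live.com"},
}

# Shared-hosting suffixes where any tenant can register a subdomain.
# web.app (Google-managed .app gTLD) is the one seen in this campaign.
SHARED_HOSTING = {"web.app"}


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxps://, [.]) back into a parseable URL."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: no public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_login_url(url: str) -> list[str]:
    """Return findings for a link that leads to a login form; [] means no flags."""
    host = (urlparse(refang(url)).hostname or "").lower()
    if not host:
        return ["unparseable host"]
    reg = registrable_domain(host)
    findings = []
    if reg in SHARED_HOSTING:
        findings.append(f"login page on shared hosting domain {reg}")
    for brand, allowed in BRAND_ALLOWLIST.items():
        # An HTTPS padlock says nothing here; the domain is what matters.
        if brand in host and reg not in allowed:
            findings.append(f"brand '{brand}' in hostname but {reg} is not an allowed {brand} domain")
    return findings


def assess_chain(urls: list[str]) -> dict[str, list[str]]:
    """Assess every hop of a redirect chain (initial link, then final page)."""
    return {u: assess_login_url(u) for u in urls}
```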
Login page has “authenticity seal”
The level of impersonation in the template is also interesting as the attacker clearly put in some effort to make it look legitimate.
A logo of the victim’s company is present on the phishing page along with a warning under the login box saying “the system is for the use of authorized users” of the company.
Furthermore, the username is automatically filled in, which only helps clear any suspicion. All the victim has to do is type in their password and the attacker gets it automatically.
As companies abide by the restrictions imposed due to the Covid-19 pandemic, remote workers are prime targets for attackers to breach a business. And there is no shortage of remote workers these days or video collaboration platforms they log into for work.
Protecting against phishing is possible with little effort. Not clicking on links in email, and instead typing the legitimate login address into the browser's address bar yourself, is the best way to stay safe from this sort of threat.