Check Point researchers have discovered a new phishing scam
campaign distributing unauthorized URLs by exploiting Google Docs, with the aim
of stealing victims' cryptocurrency credentials.
Cofense observed that the phishing emails originated from
compromised email accounts with privileged access to financial services
provider CIM Finance to host their phishing emails, the criminals ensuring that
their messages could pass popular email security checks including DKIM and SPF.
The researchers wrote that using a legitimate site makes it easier for
attackers to make their phishing attempts successful as it does not raise
suspicion. In the attacks analyzed by the Check Point team, hackers sent links
that redirected to fake cryptocurrency sites.
This attack occurs by creating a Google document that is
directly sent to the user via email from this address: NO-REPLY@GOOGLE.COM.
When the user clicks on the link included in the email, they are redirected to
a legitimate Google Docs page, which is supposed to be a OneDrive clone page,
and that is where the user is tricked and forced to visit a fake cryptocurrency
page. Google was notified of these findings on July 5, 2023.
Phishers create a fake Microsoft Office 365 login page. This
page distinguishes itself from the legitimate Microsoft login page by
capitalizing almost half of the words and sometimes replacing letters with
asterisks. The phishing page also displays users' credentials in plain text
when they type these details into the form's input fields.
These attacks highlight the need for organizations to
strengthen their email security. One way they can do this is by raising their
workforce's awareness of some of the most popular phishing attacks circulating
today.
0 Comments