Researchers have identified a phishing campaign that leverages three different malicious kits to target high-profile companies with fake notifications of voicemail messages.
“You Have 1 New Scam Message”
McAfee Labs found that the attack began when a user received an email informing them that they had missed a phone call. The attack email, which claimed to originate from Microsoft, provided numerous details about the fabricated call. That data included a fake incoming phone number, date received, duration of the call and reference number for the message.
Additionally, the email contained an HTML file attachment that redirected users to a phishing site. Some of the observed emails went a step further and used an arbitrary audio file to trick the recipient into believing that they were listening to the beginning of a voicemail message. Researchers noted that such a tactic lent an even greater sense of legitimacy to the phishers’ attack emails:
What sets this phishing campaign apart from others is the fact that it incorporates audio to create a sense of urgency which, in turn, prompts victims to access the malicious link. This gives the attacker the upper hand in the social engineering side of this campaign.
Upon redirection, the campaign leveraged a fake login page to trick users into supplying their Microsoft credentials. It then displayed a bogus verification page before finishing off with a redirection to Microsoft’s actual login portal.
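The attachment traits described above can be checked mechanically on inbound mail. The following added example, which is not from McAfee or the original article, parses a message and reports whether it pairs a voicemail lure with an HTML attachment that redirects or embeds audio. The redirect markers (meta refresh, script `location` assignment), the lure keywords and the sample message are assumptions, since the article does not say how the redirect was implemented.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser

LURE = re.compile(r"voice\s?mail|missed (a )?(phone )?call", re.I)  # assumed keywords
JS_REDIRECT = re.compile(r"location(\.href)?\s*=|location\.(replace|assign)\s*\(")

class AttachmentTraits(HTMLParser):
    """Collects redirect and audio traits from one HTML attachment."""
    def __init__(self):
        super().__init__()
        self.traits, self._in_script = set(), False
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "meta" and a.get("http-equiv") == "refresh":
            self.traits.add("meta-refresh")
        if tag == "audio" or (tag == "embed" and "audio" in a.get("type", "")):
            self.traits.add("audio")
        self._in_script = tag == "script"
    def handle_endtag(self, tag):
        self._in_script = False  # inside <script> only </script> is parsed as a tag
    def handle_data(self, data):
        if self._in_script and JS_REDIRECT.search(data):
            self.traits.add("script-redirect")

def inspect_message(raw):
    """Return (lure_seen, {attachment name: sorted traits}) for one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = f"{msg['Subject'] or ''} {body.get_content() if body else ''}"
    found = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        if part.get_content_type() == "text/html" or name.lower().endswith((".htm", ".html")):
            parser = AttachmentTraits()
            parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            found[name] = sorted(parser.traits)
    return bool(LURE.search(text)), found

def constructed_sample():
    """Constructed message modelled on the description above, not a captured email."""
    m = EmailMessage()
    m["Subject"] = "You have 1 new voicemail"
    m.set_content("You missed a call. Duration: 00:42. Reference: CONSTRUCTED-001")
    m.add_attachment('<meta http-equiv="refresh" content="3;url=https://phish.example/">'
                     '<audio autoplay src="clip.mp3"></audio>',
                     subtype="html", filename="voicemail.html")
    return m.as_string()
```

A message where the lure flag is true and an attachment reports a redirect trait is a candidate for quarantine or manual review; either signal alone is too common to act on.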
The Three Phishing Kits Unmasked by a Deeper Dive
Analysis of the campaign didn’t end there. By taking a close look at the generated HTML code and the parameters accepted by the PHP script, researchers observed that three phishing kits had been responsible for creating the campaign’s attack emails. They identified these packages as the following:
- Voicemail Scmpage 2019: Researchers at the security firm found that Voicemail Scmpage 2019 (no misspellings) worked by checking the license key before loading the phishing website. Offered on an ICQ channel and advertised on social media, the kit then created a file called “data.txt” containing a list of visitors and their system information on a compromised website. The kit finally sent over users’ stolen email addresses, passwords, IP addresses and location data to the attackers via email.
- Office 365 Information Hollar: This kit behaved similarly to Voicemail Scmpage 2019.
- Unnamed: Though it didn’t have an identifiable name, the third and final phishing kit attracted McAfee’s attention for being the most widely used in this campaign and for reusing code from another malicious kit that targeted Adobe users back in 2017. Responding to these observations, the security firm speculated that the creators of the Adobe kit had used their original code to build this new package. It also didn’t rule out the possibility that an entirely new group had created the kit.
The Growing Risk of Fake Voicemail Scams
This isn’t the first time that phishers have leveraged fake voicemail scam messages to prey upon unsuspecting users. At the beginning of November, for instance, AppRiver shared four separate examples of these types of attacks that it had seen in the wild. AppRiver researchers even documented one case that mirrored the campaign observed by McAfee by targeting users’ Office 365 credentials.
Given the prevalence of these attacks, it’s important that organizations take steps to bolster their email security. They can do this by investing in a solution that analyzes incoming email messages based upon their campaign patterns, IP addresses, URLs and other indicators. To optimize its effectiveness, this solution should also be able to conduct such analysis in real time while allowing benign email messages to reach their intended destination.