4 min read

Hermes SMS Courier Scam

By WMC Global Threat Intelligence Team on 4/27/21 1:05 PM

Threat Summary

New phishing campaigns are targeting mobile devices to deliver fraudulent courier delivery notifications to potential victims. While many organizations secure email and Microsoft Office applications directly within mobile phones, SMS threats are typically out of scope for many security teams, letting attackers exploit the lapse in coverage to leverage both consumer and business credentials. WMC Global's Threat Intelligence Team is currently tracking an increase in SMS-based courier scams in the United Kingdom. By the end of March, over 5000 phishing URLs targeting Hermes alone had been collected. Targeted couriers are Hermes, DPD, and Royal Mail, with Hermes seeing a notable increase in distribution.

Topics: SMS Attack Phishing Hermes Courier Scam
16 min read

The Compact Campaign

By WMC Global Threat Intelligence Team on 3/4/21 12:27 PM

Summary

Phishing campaigns continue to utilize the disruption of the pandemic to target victims, and a new campaign takes advantage of Zoom's rising popularity. Since December, the "Compact" Campaign has been targeting thousands of users by impersonating a Zoom invite and is estimated to have collected over 400,000 Outlook Web Access and Office 365 credentials. This campaign is unique in its use of trusted domains to ensure delivery of phishing emails and to prevent phishing pages from being blocked. This is especially worrisome for organizations that will struggle to defend against this attack.

Topics: Phishing Phishing Kit Data Exfiltration Microsoft Office 365 Zoom
11 min read

Evolution of a Phish: Popular UPS Email Scam Now Targets Mobile Users

By WMC Global Threat Intelligence Team on 2/17/21 9:03 AM

Phishers are well known for identifying and exploiting security weaknesses. Many email and security teams are becoming more effective at blocking attacks, but phishers are targeting new gaps in remote workforce and SMS phishing detection. Specifically, threat actors are increasingly delivering phishing campaigns via text message to avoid email vendor protections and reach victims directly.

Topics: SMS Attack Phishing Phishing Kit Courier Scam UPS
2 min read

Threat Actor Update: Kr3pto

By WMC Global Threat Intelligence Team on 2/3/21 2:12 PM

The current biggest threat to the UK banking industry has just added a new target. 

Topics: Phishing Phishing Kit Bank of Scotland Kr3pto
6 min read

Phishing Exfiltration Method: Email

By WMC Global Threat Intelligence Team on 11/13/20 10:06 AM

Phishing attacks have been on the rise in recent years, and 2020 in particular has seen a stark increase in phishing incidents since the start of the pandemic in January[i]. Tech companies and banks are the most commonly impersonated companies in phishing scams, which steal their victims' credentials and other sensitive data and send them to the scammer[ii].

Topics: Kit Analysis Phishing Phishing Kit Data Exfiltration Cryptocurrency Blockchain Credentials Shadow Z118 Paypal
2 min read

Office 365 Phishing Uses Image Inversion to Bypass Detection

By WMC Global Threat Intelligence Team on 11/4/20 9:00 AM

Many detection engines crawl websites and follow links to determine whether a website is malicious or masquerading as another. The difficulty threat actors face in combatting these advanced technologies is that their phishing websites must bypass the detection engine, while simultaneously gaining a victim’s trust by displaying images and themes that mimic the targeted website.

Topics: Phishing Microsoft Office 365 Image Inversion
4 min read

Bank of Guam Phishing Campaign Analysis

By WMC Global Threat Intelligence Team on 10/30/20 1:00 PM

Topics: Phishing Phishing Kit Banking 2FA Bank of Guam Two-Factor Authentication
9 min read

Netflix-Branded Mobile Phishing Campaigns in August

By WMC Global Threat Intelligence Team on 9/23/20 9:30 AM

Threat actors target a range of services, often either due to credential resale value or to target higher-value accounts in credential stuffing campaigns. Last month, WMC Global tracked three unique Netflix-branded phishing campaigns that resulted in over 390,000 unique URLs (Figure 1). These campaigns were solely distributed via text messages (SMS) to US mobile numbers. WMC Global’s analysis of the campaigns provides unparalleled visibility into Netflix-branded phishing attacks.

Topics: SMS Attack Phishing Phishing Kit Netflix
6 min read

Phishing Kit Exfiltration Methods

By WMC Global Threat Intelligence Team on 8/19/20 9:05 AM

At WMC Global, we analyze hundreds of phishing kits every week, which use a range of lures to steal credentials from victims, and we examine the exfiltration mechanisms used by threat actors to harvest stolen credentials from victims. The majority of phishing kits use a simple email exfiltration method to send victims’ data—compromised credentials—to a mailbox owned by the threat actor; the second most common method of exfiltration was writing the stolen data to a file stored on the website host. Though there are many exfiltration methods available to threat actors, our analysis found email and file write exfiltration to be amongst the most common.

Topics: Phishing Phishing Kit Data Exfiltration