### #PhishingScams #EmploymentFraud #SocialEngineering
Summary: A new phishing campaign exploits fears of job loss by sending emails that falsely claim recipients have been terminated, leading them to download malware. This tactic preys on economic anxieties and targets various sectors, aiming to steal sensitive information.
Threat Actor: Unknown | unknown
Victim: Various sectors | various sectors
Key Points:
- The phishing emails use alarming subject lines and official-looking documents to trick recipients into clicking malicious links.
- Malware is delivered through a fake Microsoft site, specifically targeting Windows users to execute a Visual Basic script that downloads additional malware.
- Cloudflare has observed this campaign affecting multiple industries, indicating a financially motivated threat actor behind the attacks.
- The attack highlights the evolving tactics of cybercriminals, who may shift their methods to different platforms in the future.
A current phishing campaign scares recipients into believing they’ve been sacked, when in reality they’ve been hacked – and infected with infostealers and other malware that means a payday for the crooks behind the scam.
The attack begins with an email that appears to be a legal notice informing recipients their employment has been terminated.
While it’s not unusual for scammers to play on people’s fears – natural disasters, the COVID-19 pandemic (back in 2020), elections or other hot-button topics frequently appear as phishing lures – baiting people into clicking a malicious link because they think they’ve been canned “is brutal,” said Blake Darché, head of Cloudforce One and threat intelligence at Cloudflare.
“This is the time of year when the economy slows down, and threat actors are preying on that,” he told The Register.
Darché told us his team has seen 14 of its customers targeted by this emerging phishing campaign across sectors including aerospace, insurance, state government, consumer electronics, travel, and education.
The phishes have come from four different email addresses. Cloudflare hasn’t attributed the attack but assumes the four handles are controlled by a single actor.
“Based on what we’ve seen, it does appear to be a financially motivated actor,” Darché observed. “They are trying to get information off hosts, log into accounts, information stealing.”
In one of these scams intercepted by Cloudflare, the email uses the subject line “Action Required: Tribunal Proceedings Against You”, and includes the UK coat of arms plus a case number for the nation’s Employment Tribunal.
“This document is extremely urgent and requires your immediate action,” the email warns. “Failure to comply with the instructions may result in serious legal consequences.”
Recipients are also encouraged to press a “Download Document Now” button to access relevant information.
The link, of course, does not lead to any official Tribunal documents. Instead, it opens a fake Microsoft website laced with malware.
The scam only works on Windows machines. If the recipient tries to click the link on a Mac or iPhone, they see a banner across the top that reads: “This file cannot be opened on this device. Access it on a Windows device to view the document.”
In addition to using Microsoft’s logo and brand to appear legitimate, this Redmond-centric attack helps the attacker bypass security controls because the victim must retrieve the malware-laden file through more indirect means – it’s not sent directly via email.
The phony court document is a RAR archive that contains a malicious Visual Basic script named “Processo Trabalhista.vbs” or “Labor Lawsuit.vbs.” When executed, it downloads a Base64 encoded text file (file4.txt), saves it on the now-infected system, and then executes additional malware.
In at least one instance detected by Cloudflare, this included Ponteiro malware [PDF] – a banking trojan that steals credentials from financial websites.
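One way to look for this stager on the endpoint, as an added example that is not from the article or from Cloudflare: Python detection logic run over constructed telemetry, correlating a script host launching a .vbs with that same process writing a Base64 text file like file4.txt. The event schema, the sample values and the check that the decoded stage is a Windows PE are assumptions of mine, not details from the report.

```python
import base64, binascii, re

# Constructed endpoint telemetry modelled on the chain the article describes: a
# .vbs from the RAR lure runs under a script host, then that process writes the
# Base64 text file (file4.txt). Dict keys are a hypothetical schema, no vendor's.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
B64_RE = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")
def decode_if_b64(data: bytes):
    """Return decoded bytes when the blob is pure Base64 text, else None."""
    if len(data) < 64 or not B64_RE.match(data):
        return None
    try:
        return base64.b64decode(data, validate=False)
    except binascii.Error:
        return None

def vbs_path(cmdline: str):
    """Extract the .vbs argument from a script-host command line, quoted or not."""
    m = re.search(r'"([^"]+\.vbs)"|(\S+\.vbs)', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None

def detect_vbs_stager(events):
    """Correlate a script host running a .vbs with a later .txt write by that
    process whose content is Base64. Returns (pid, vbs, dropped, is_pe); is_pe
    assumes the staged payload is a Windows PE (the article only says 'malware')."""
    findings, vbs_by_pid = [], {}
    for ev in events:
        if ev["kind"] == "process" and ev["image"].lower().endswith(SCRIPT_HOSTS):
            script = vbs_path(ev["cmdline"])
            if script:
                vbs_by_pid[ev["pid"]] = script
        elif (ev["kind"] == "file_write" and ev["pid"] in vbs_by_pid
              and ev["path"].lower().endswith(".txt")):
            decoded = decode_if_b64(ev["content"])
            if decoded is not None:
                findings.append((ev["pid"], vbs_by_pid[ev["pid"]], ev["path"],
                                 decoded.startswith(b"MZ")))
    return findings
# Constructed sample: one infection chain plus a benign admin script as control.
FAKE_PE = base64.b64encode(b"MZ" + b"\x90" * 62 + b"PE\x00\x00")
SAMPLE_EVENTS = [
    {"kind": "process", "pid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\Processo Trabalhista.vbs"'},
    {"kind": "file_write", "pid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\file4.txt", "content": FAKE_PE},
    {"kind": "process", "pid": 5000, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\scripts\inventory.vbs"},
    {"kind": "file_write", "pid": 5000, "image": r"C:\Windows\System32\cscript.exe",
     "path": r"C:\scripts\report.txt", "content": b"hostname,alice-pc\n"},
]
```

Running `detect_vbs_stager(SAMPLE_EVENTS)` flags only the wscript.exe chain; the benign cscript.exe inventory run writes plain text and is not reported.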
“Threat actors are eager to try to drive engagement, and they’re always iterating on how to do that,” Darché explained, adding that just because they are using email for this social engineering scam right now doesn’t mean they won’t pivot at some point in the future.
“They might use another service, like LinkedIn or Facebook, to drive their objectives,” he said. That objective is making money. “And they are always eager to take advantage of people.” ®
Source: https://www.theregister.com/2024/11/28/fired_phishing_campaign_cloudflare