Spam and phishing mail

Phishers are lovin’ McDonald’s

Today we came across a new, very sophisticated type of phishing. The user receives a message that, at first glance, appears to be from McDonald’s. It states that the recipient has won the chance to participate in a survey and immediately receive remuneration of $80 for doing so.

There is nothing to suggest that something fishy is going on: the user follows the link, finds himself on a page with a customer satisfaction survey form, takes the survey and clicks on a button…

… after which he is redirected to another form where all he has to do is to write the number of his credit card, expiry date and cvv code in order to receive the $80. Of course, instead of receiving any money the user’s account is likely to be cleaned out by the criminals behind the scam.

Interestingly, the address in the “From” field is Please note the additional “s” in the domain name: creating addresses which differ from the authentic ones by just one letter is a common trick.

To circumvent filters and denylists the cybercriminals resorted to infected websites: the user follows the link contained in the message and first finds himself on a web page which only contained a short javascript code that redirects the user to the cybercriminals’ main site.

It stands to reason that the so-called survey was merely a ruse to trick unsuspecting users. The main page in the scam is the last one, where the user sends his credit card number to the fraudsters before being redirected to the official McDonald’s website.

Be careful, this scam is currently active! Do not follow links in spam emails! You can always check the official site of the company in question if you have any doubts whatsoever about the authenticity of any offers.

Phishers are lovin’ McDonald’s

Your email address will not be published. Required fields are marked *



Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox