Phishers are lovin’ McDonald’s

Today we came across a new, very sophisticated type of phishing. The user receives a message that, at first glance, appears to be from McDonald’s. It states that the recipient has won the chance to participate in a survey and immediately receive remuneration of $80 for doing so.

There is nothing to suggest that something fishy is going on: the user follows the link, finds himself on a page with a customer satisfaction survey form, takes the survey and clicks on a button…

… after which he is redirected to another form, where all he has to do is enter his credit card number, expiry date and CVV code in order to receive the $80. Of course, instead of receiving any money, the user is likely to have his account cleaned out by the criminals behind the scam.

Interestingly, the address in the “From” field is mcdonalds@mcdonaldss.com. Please note the additional “s” in the domain name: creating addresses which differ from the authentic ones by just one letter is a common trick.

To circumvent filters and denylists, the cybercriminals resorted to infected websites: the user follows the link contained in the message and first lands on a web page that contains only a short piece of JavaScript code, which redirects the user to the cybercriminals’ main site.

It stands to reason that the so-called survey was merely a ruse to trick unsuspecting users. The main page in the scam is the last one, where the user sends his credit card number to the fraudsters before being redirected to the official McDonald’s website.

Be careful, this scam is currently active! Do not follow links in spam emails! You can always check the official site of the company in question if you have any doubts whatsoever about the authenticity of any offers.
