Phishing in the clouds

Recently the security of public cloud services has been a major topic of discussion on the Internet. While service providers assure us that there’s nothing safer than the ‘cloud’, security companies have already managed to discover various kinds of threats in the cloud.

In the meantime, spammers are managing to keep up and have started making more active use of free remote resources. For instance, we recently came across the following phishing messages for harvesting email passwords:

A particularly attentive user will quickly recognize them as fakes due to a number of formal attributes:

– impersonal address;
– while the ‘From’ field contains one domain, the link in the letter body leads to another;
– typos (“Clickhere” written as a single word);
– impersonal signature (“System Administrator center”);
– threats to close the account if the user does not follow the link within a certain period of time – a typical phishing ploy.

Even more interesting is the fact that the link leads to a phishing page, which is not located at a normal address but at spreadsheets.google.docs – a free service for creating spreadsheets on remote Google servers. The user is asked to fill in a form which includes fields such as ‘Email Address’ and ‘Password’. If users click the ‘Submit’ button, they send the data directly to the phishers.

This service provides cybercriminals with free space on which to host their fake pages. Even worse, such a page looks quite genuine to an unsuspecting user: first, it is located on a well-known resource, and, secondly, the connection is made over HTTPS, so the browser shows it as encrypted.
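The checklist of formal attributes above, together with the observation that the form is hosted on a free Google service, can be turned into a simple mail-filtering heuristic. The following script is an added example and is not code from the original post or from Kaspersky: it parses a constructed sample message (all addresses, hosts and the form key are placeholders), compares the ‘From’ domain with the domains of the links in the body, and flags generic greetings, generic sign-offs, deadline threats, the “Clickhere” typo and links to free form-hosting services. The list of form-hosting hosts is an assumption for illustration and would be tuned per environment.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the phishing mail described in the post.
# Addresses, hosts and the form key are placeholders, not real indicators.
SAMPLE_MAIL = """\
From: Webmail Support <support@mail-provider.example>
To: user@mail-provider.example
Subject: Account verification required
Content-Type: text/plain; charset="utf-8"

Dear user,

Your mailbox has exceeded its quota. Clickhere to verify your account
within 24 hours or your account will be closed:

https://spreadsheets.google.com/viewform?formkey=PLACEHOLDER

System Administrator center
"""

# Constructed legitimate mail for comparison: same sender domain, link stays on it.
LEGIT_MAIL = """\
From: Alice Smith <alice@mail-provider.example>
To: bob@mail-provider.example
Subject: Meeting notes
Content-Type: text/plain; charset="utf-8"

Hello Bob,

The notes from today are in the shared folder:
https://mail-provider.example/shared/notes

Alice Smith
"""

# Hosts of free form/page-hosting services treated as suspicious link targets
# in a mail that asks for credentials (assumption for this example).
FREE_FORM_HOSTS = {"spreadsheets.google.com", "docs.google.com"}

GENERIC_GREETINGS = re.compile(r"^\s*dear (user|customer|member|account holder)\b", re.I | re.M)
GENERIC_SIGNOFFS = re.compile(r"\b(system administrator|administrator center|support team|it department)\b", re.I)
URGENCY = re.compile(r"\b(within \d+ (hours?|days?)|will be (closed|suspended|deactivated)|immediately)\b", re.I)
TYPOS = re.compile(r"\bclickhere\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def body_text(msg):
    """Concatenate the decoded text/plain parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyse(raw):
    """Return the sorted list of indicator names triggered by a raw RFC 822 message."""
    msg = message_from_string(raw)
    body = body_text(msg)
    findings = set()

    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""

    link_hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            link_hosts.add(host.lower())

    # 'From' domain and link targets point at different places.
    if sender_domain and any(
        h != sender_domain and not h.endswith("." + sender_domain) for h in link_hosts
    ):
        findings.add("link_domain_mismatch")
    if link_hosts & FREE_FORM_HOSTS:
        findings.add("link_to_free_form_host")
    if GENERIC_GREETINGS.search(body):
        findings.add("impersonal_greeting")
    if GENERIC_SIGNOFFS.search(body):
        findings.add("impersonal_signature")
    if URGENCY.search(body):
        findings.add("urgency_threat")
    if TYPOS.search(body):
        findings.add("typo_clickhere")
    return sorted(findings)


if __name__ == "__main__":
    print("phishing sample:", analyse(SAMPLE_MAIL))
    print("legitimate sample:", analyse(LEGIT_MAIL))
```

The domain comparison is the strongest of these signals: a message whose visible sender and link targets disagree is worth a closer look even when the other indicators are absent, while the greeting, sign-off and urgency patterns mainly serve to raise a score rather than to block on their own.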

Of course, I clicked ‘Report Abuse’, and some (but not all) of these pages have since been taken down. This, however, does not solve the problem on a global level: cybercriminals are certain to continue using cloud services, which are ideal for their activities.

So, once again, I would like to urge users to be very careful and not to click on suspicious links.
