Phishing in the clouds

Recently the security of public cloud services has been a major topic of discussion on the Internet. While service providers assure us that there’s nothing safer than the ‘cloud’, security companies have already managed to discover various kinds of threats in the cloud.

In the meantime, spammers are managing to keep up and have started making more active use of free remote resources. For instance, we recently came across the following phishing messages for harvesting email passwords:

A particularly attentive user will quickly recognize them as fakes from a number of formal attributes:

– an impersonal form of address;
– the ‘From’ field contains one domain, while the link in the message body leads to another;
– typos (“Clickhere” written as a single word);
– an impersonal signature (“System Administrator center”);
– a threat to close the account if the user does not follow the link within a certain period of time, a typical phishing ploy.
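As an added example that is not part of the original post, the following Python script turns the formal attributes listed above into a simple triage heuristic over a raw message; the sample messages, the placeholder domains and the indicator names are constructed for illustration, and the registered-domain helper is a deliberate approximation.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
URL_RE = re.compile(r"https?://[^\s<>\"']+")
IMPERSONAL_GREETINGS = ("dear user", "dear customer", "dear member", "dear account holder")
DEADLINE_RE = re.compile(r"within\s+\d+\s+(hours?|days?)|will be (closed|suspended|deactivated)", re.I)

# Constructed sample modelled on the attributes listed above; domains are placeholders.
PHISHING_MAIL = """From: "Mail Support" <support@example-mail.test>
Subject: Account verification required

Dear user,
Your mailbox quota is exhausted. Clickhere to verify your account
within 48 hours or it will be closed: https://forms.example-cloud.test/view?id=123
System Administrator center
"""
# Constructed benign message: personal greeting, link on the sender's own domain, no deadline.
LEGIT_MAIL = """From: Alice <alice@example-mail.test>

Hi Bob,
The Q3 report is on the intranet: https://intranet.example-mail.test/q3
Alice
"""

def registered_domain(host):
    # Assumption: the last two labels approximate the registered domain (no public-suffix list).
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def text_body(msg):
    # Concatenate every text/plain part; a non-multipart message is its own single part.
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
                     for p in parts if p.get_content_type() == "text/plain")

def phishing_indicators(raw):
    # Return the names of the formal attributes found in a raw RFC 822 message, in a fixed order.
    msg = message_from_string(raw)
    body = text_body(msg)
    lines = [line.strip() for line in body.splitlines() if line.strip()]
    sender_domain = registered_domain(parseaddr(msg.get("From", ""))[1].split("@")[-1])
    link_domains = {registered_domain(urlparse(u).hostname or "") for u in URL_RE.findall(body)}
    checks = [
        ("impersonal_address", bool(lines) and lines[0].lower().rstrip(",:!") in IMPERSONAL_GREETINGS),
        ("link_domain_mismatch", any(d != sender_domain for d in link_domains)),
        ("run_together_typo", bool(re.search(r"\bclickhere\b", body, re.I))),
        ("impersonal_signature", bool(re.search(r"system administrator", body, re.I))),
        ("deadline_threat", bool(DEADLINE_RE.search(body))),
    ]
    return [name for name, hit in checks if hit]
```

Each indicator on its own is weak; the value is in the combination, so a mail-filtering rule would score the returned list rather than block on any single hit.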

Even more interesting is the fact that the link leads to a phishing page, which is not located at a normal address but at – a free service for creating spreadsheets on remote Google servers. The user is asked to fill in a form which includes fields such as ‘Email Address’ and ‘Password’. If users click the ‘Submit’ button, they send the data directly to the phishers.

This service provides cybercriminals with free hosting for their fake pages. Worse, such a page looks quite genuine to an unsuspecting user: first, it is hosted on a well-known resource, and secondly, the connection is made over HTTPS, so it is encrypted.

Of course, I clicked on ‘Report Abuse’ where some (but not all) of these types of pages have already been closed. This, however, is not the solution to the problem on a global level: cybercriminals are certain to continue using cloud services, which are ideal for their activities.

So, once again, I would like to urge users to be very careful and not to click on suspicious links.
