Security company McAfee has reported observing a phishing scam which uses a fake voicemail message to lure victims into entering their Office 365 email credentials into a phishing page.
How The Attack Works
According to McAfee’s blog, the first step in the phishing scam is the victim being sent an email informing them that they have missed a phone call. The email includes a request to login to their account to access their voicemail.
The email message actually contains an HTML attachment which, when loaded, re-directs the victim to a phishing website. Although there are slightly different versions of the attachment, the most recent examples are reported to contain an audio recording which is designed to make the victim believe they are listening to the beginning of a legitimate voicemail.
Once re-directed to the bogus Microsoft account login page, the victim will see that their email address has already been loaded in the login field, thereby helping to create the illusion that this is their real Microsoft login page.
If the victim enters their password, the deception continues as they are shown a page saying that their login has been successful, and they are being re-directed to the home page.
Three Different Phishing Kits
Cybercriminals frequently buy-in phishing kits to launch their attacks. These are collections of software tools, created by professional phishers, that can be purchased and downloaded as a set. These phishing kits make it much easier for those with limited technical and coding skills or phishing experience to launch a phishing attack.
McAfee reports that as many as three different phishing kits are being used to make the fake websites involved in this scam. These are:
- Voicemail Scmpage 2019 – being sold on an ICQ channel, and used to harvest your email, password, IP Address and location details.
- Office 365 Information Hollar – similar to Voicemail Scmpage 2019 and used to harvest the same data.
- A third unnamed kit, which McAfee says is the most prevalent malicious page they have observed in the tracking of this particular campaign. McAfee says that this kit appears to use code from 2017 malicious kit that was used to target Adobe users.
File Names For The Attachments
To help you spot this phishing attack McAfee has listed list the file names for attachments in the phishing email as being:
- 10-August-2019.wav.html [Format: DD-Month-YYYY.wav.html]
- 14-August-2019.html [Format: DD-Month-YYYY.html]
- Voice-17-July2019wav.htm [Format: Voice- DD-MonthYYYYwav.htm]
- Audio_Telephone_Message15-August-2019.wav.html [Format: Audio_Telephone_MessageDD-Month-YYYY.wav.html]
What Does This Mean For Your Business?
Reports indicate that this phishing attack has proved quite successful up until now, partly because the pages and steps appear authentic (and load the users email address as real login page does), and it uses social engineering and urgency (with audio) in a way that may prompt may people to suspend their critical faculty long enough complete the few short actions that it takes to give their details away.
The advice to businesses is, therefore, to be vigilant and to not open emails from unfamiliar sources or with unfamiliar attachments. You may also want to use Two-Factor Authentication (2FA) where possible, and enterprise users may wish to block .html and .htm attachments at the email gateway level so that they don’t reach members of staff, some of whom may not be up to speed with their Internet security knowledge.
There is also a strong argument for not using the same password for multiple platforms and websites (password sharing). This is because credentials stolen in one breach are likely to be tried on many other websites by other cybercriminals (credential stuffing) who have purchased/acquired them e.g. on the dark web.
Keeping anti-virus and software patches up to date and making sure that staff receive training and education about cybersecurity risks and what procedures should be followed if suspicious emails or other messages are spotted can also help companies to maintain good levels of cybersecurity.