Spain and Portugal power outage triggers surge in phishing attacks


There’s no evidence that the massive power blackout in Spain and Portugal was caused by any sort of cyberattack. But the incident certainly sparked a wave of phishing attacks.

Red Electrica, the Spanish grid operator, has already ruled out a cyberattack as the source of a massive power outage that paralyzed Spain and Portugal on Monday, even though investigations are still taking place, and the exact reason behind the blackout remains unclear.

The power – and ordinary life – is mostly back on in both countries now, but confusion indeed reigned on the day of the outage. Cyber crooks attempted to exploit it, cybersecurity firm Cofense says.

In a blog post, the company details an email campaign spoofing TAP Air Portugal, the Portuguese national airline.

According to Cofense, this particular campaign attempted to take advantage of a headline about Monday’s power outage. The emails were received while the power outage was ongoing.

The link embedded in the email directs to a credential phishing page designed to steal victims' personally identifiable information (PII) and credit card details.

The campaign appears to target both Portuguese-speaking and Spanish-speaking victims with two separate email subject lines: “Atualização de compensação: atraso em seu voo recente” meaning “Compensation Update: Delay on your recent flight” and “Compensación por su vuelo: Complete su solicitud ahora” meaning “Compensation for your flight: Complete your application now.”

The messages mimic TAP Air Portugal's official communication, informing the victim that they may be eligible for a refund due to the European Union’s “Air Passengers Rights Regulation.”

The email recipients are told that the compensation will allegedly be directly transferred to their account within two working days and are prompted to fill out a form. The giveaway, of course, is the fact that the spoofed form asks for credit card details.

Image: TAP phishing email. Courtesy of Cofense.

Victims are also given another chance to enter sensitive information and credit card details on the credential phishing page under the guise of refunds for delayed and cancelled flights.

“Upon clicking the submit button, there is no further redirect page which suggests that the threat actor’s objective is simply to harvest the submitted data. The domains used in this campaign appear to be compromised WordPress sites,” said Cofense.

Brand phishing is very common these days, and just like in this case, the criminals are always keen to exploit emergencies. That’s when desperate people are more likely to trust fake promises to help.