PepsiCo mimicked by phishing fraudsters

If you happen to run a small business and find an email in your inbox from the $86 billion soft drinks giant claiming that it wants to trade with you — think twice before you click.

That’s the word of warning from online scam spotter INKY, in its latest research findings released today. The cybersecurity analyst says that it has detected “bad actors impersonating PepsiCo in a phishing campaign that infects victims’ computers with malware.”

“As usual, it all starts with a phishing email,” said INKY. “In this case, the phishers are impersonating the PepsiCo brand, pretending to be potential clients. They are claiming to need what the recipient sells and they’re asking them to submit a quote for PepsiCo to review.”

What the potential victim doesn’t know is that the ‘quote request form’ attached to the email contains a malicious link that, if clicked on, allows the threat actor behind it to wreak havoc with the target’s systems.

This includes surveilling user behavior with keystroke monitoring, screenshot captures, webcam recordings, and other spyware; deleting, downloading, manipulating, and stealing files; gaining admin privileges and disabling user account control; and installing malware, ransomware, and other viruses.

Fake email purports to be from PepsiCo but is a scam
Fake email purports to be from PepsiCo but is a scam

How they trick their victims

The campaign is a combination of the clever and not-so-clever. Impersonating a email address and even appending the name of a legitimate company employee falls under the first category — but describing said worker as an “execution manager” slots neatly into the latter.

What this highlights is that, as crafty as they are, phishing emails nearly always have telltale signs or flaws in their composition that can act as a giveaway.

“As mentioned, the sender’s email address was spoofed,” said INKY. “What shows is [email protected] and the sender’s display name uses that of an actual PepsiCo employee who is responsible for procurement management.”

However, towards the bottom half of the phishing message scrutinized by INKY, “things start to get a little sloppier.” Bullet points are misaligned, even the core name of the company being spoofed is spelled with a lowercase “c” instead of a capital.

English as a second language starts to become more evident too, as many — though by no means all — cybercriminals come from countries outside the US, UK, and other so-called Anglosaxon countries.

“While it was clever of the phishers to sign the email with the name of an actual PepsiCo employee who works in procurement, they gave him the title of ‘Execution Professional,’ which sounds pretty grim,” said INKY.

And while the scammers were thoughtful enough to incorporate the genuine PepsiCo logo into their pretend emails, the appended telephone number contains one digit too many to be a working US landline.

Why PepsiCo?

“With phishing emails, it’s important to choose a brand that prompts readers to act,” said INKY. “PepsiCo’s product portfolio boasts more than 500 different brands, including its flagship Pepsi product. With 291,000 employees located all over the world, PepsiCo is a global powerhouse.”

And because it isn’t unheard of for large corporations to seek out smaller firms for contract work, the ruse is all the more believable. As always, you should independently verify any unsolicited emails by running your own browser searches and checks.

In its closing remarks, INKY apparently couldn’t resist having a pop at its competitors — although its basis for taking a shot at them does warrant mentioning.

INKY claims that it shared the bogus PepsiCo email with other security vendors on the virustotal website, to see if they, too, would recognize it as a malicious trojan.

“After uploading it to virustotal, we found that fewer than half — 22 out of 56 — found it to be problematic,” said INKY. “The others let it slip by. To us, that speaks volumes about the need for a strong and proven email security partner.”