Phishers impersonate Pfizer to harvest banking details and other credentials


Pfizer does not typically send out cold emails to solicit bids for projects. If you've received one, it's most probably a scam designed to harvest your banking details and other credentials.

When a well-known brand like Pfizer sends you an email requesting to bid, you might feel an urgency to reply. However, if you work in a sales department and do business with Pfizer (or, in a similar situation, any other company), you should get in touch with your contact directly and determine whether the RFQ (request-for-quotation) is legitimate.

Between August 15 and December 13, mail protection company INKY detected 410 phishing emails that impersonated pharmaceutical and biotechnology giant Pfizer's brand in a run of RFQ scams.

INKY noted that the black hats used both high and low tech to evade anti-phishing radar. The high tech involved newly created and freeware domains set up to send phishing emails that would not trigger rudimentary email defenses. The low tech was a simple PDF attachment with no malicious links or malware in either the attachment or the email itself. These elements were designed expressly not to trigger anti-phishing analysis.

The phishing emails themselves originated from a set of confusable domains: pfizer-nl[.]com, pfizer-bv[.]org, pfizerhtlinc[.]xyz, pfizertenders[.]xyz.

These domains, designed to look like they could be controlled by Pfizer, were all freshly created expressly for the scam and registered with Namecheap. This domain registrar accepts cryptocurrency as payment.

Phishers sent some Pfizer-impersonating emails from freemail accounts set up at Gmail, Outlook, and Ziggo.

Cybercriminals used urgent language in the subject lines of these phishing emails: Request For Quotation, Pfizer Request For Quotation, RFQ URGENT, Invitation to Bid, among others. Threat actors actively exploit urgent language because it pushes people into ill-considered decisions.
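The sender and subject patterns described above (confusable domains, brand names on freemail accounts, RFQ subject lines) can be combined into a simple mail-triage heuristic. This is an added example, not code from INKY or from the original article; the allowlist, the freemail domain names and the sample messages are assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr

BRAND = "pfizer"
# Assumption: domains the brand really sends from; use your own vendor allowlist.
LEGIT_DOMAINS = {"pfizer.com"}
# Assumption: mail domains of the freemail providers named in the article.
FREEMAIL = {"gmail.com", "outlook.com", "ziggo.nl"}
# Subject lines reported in the campaign.
RFQ_SUBJECT = re.compile(r"request for quotation|\bRFQ\b|invitation to bid", re.I)


def is_legit(domain):
    """True for an allowlisted domain or one of its subdomains."""
    return any(domain == d or domain.endswith("." + d) for d in LEGIT_DOMAINS)


def score_message(from_header, subject):
    """Return the list of reasons a message looks like brand-impersonating RFQ mail."""
    # Indicators are often written defanged ("[.]"); normalise before parsing.
    display, addr = parseaddr(from_header.replace("[.]", "."))
    local, _, domain = addr.lower().rpartition("@")
    reasons = []
    # Brand string inside a domain that is not on the allowlist.
    if BRAND in domain and not is_legit(domain):
        reasons.append("lookalike-domain")
    # Brand claimed in the display name or local part of a freemail address.
    if domain in FREEMAIL and BRAND in (display.lower() + local):
        reasons.append("brand-on-freemail")
    # An RFQ subject alone is normal business mail; count it only as corroboration.
    if reasons and RFQ_SUBJECT.search(subject):
        reasons.append("rfq-subject")
    return reasons


# Constructed sample messages (sender header, subject); not real captured mail.
SAMPLES = [
    ("Pfizer Procurement <rfq@pfizer-nl[.]com>", "RFQ URGENT"),
    ("Pfizer Tenders <constructed.sample@outlook.com>", "Invitation to Bid"),
    ("Jane Doe <jane.doe@pfizer.com>", "Request For Quotation"),
    ("Bob <constructed.bob@gmail.com>", "Lunch on Friday?"),
]

if __name__ == "__main__":
    for sender, subject in SAMPLES:
        print(f"{sender!r:55} {score_message(sender, subject)}")
```

A match on the sender domain says nothing about whether the mail was authenticated, so this check complements SPF, DKIM and DMARC results rather than replacing them.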

Here is an example of an email requesting the recipient to bid. The equipment involved had a substantial monetary value. The email claimed that Pfizer was requesting quotes for various industrial engineering supplies, and both had PDF attachments that impersonated Pfizer.

Pfizer impersonation email

The PDF was three pages long (set out hereunder) and had a few inconsistencies (e.g., different due dates on different pages), but, in general, looked pretty good. The discussion of payment methods and terms set the recipient up for the idea that they would have to share banking details at some point. The analysis of email addresses suggests that at least one bad actor was based in Nigeria.

Although INKY was unable to follow this scam to its resolution (since it was designed to minimize a digital trail), it has seen evidence of two possible outcomes: either the threat actor harvested the victim's banking details and other credentials through an email exchange or over the phone, or the scam runners took the merchandise, never paid for it, and resold it on the black market.

The US Department of Transportation, which reports seeing a pickup in precisely this type of scam, offers the following guidance:

1. Do not click on links or attachments from senders you do not recognize. Be especially wary of PDF files and .zip or other compressed or executable file types.

2. Do not provide sensitive personal or company information (i.e., usernames and passwords, company financial information, etc.) over email.

