Threat actors continue using COVID-19 narratives to entice recipients to click links that lead to credential harvesting forms.
In January, email security company INKY detected two separate credential harvesting operations that abused Campaign Monitor and Mailchimp.
In the Campaign Monitor case, an attack started with a malicious email sent from a hijacked account.
"All individuals can now apply for the 2022 individual assistance program through the COVID-19 Benefits Program. This is to support everyone and all employees in the new year due to the impact of the COVID-19 pandemic," a phishing email reads. It further states that the program will provide cash assistance of up to $5,000 and has an application submission form.
The program was, of course, non-existent. "But employees under stress from trying to work for more than two years under the threat of COVID-19 might have been ready to believe anyone who offered an end to the storm or at least a silver lining," INKY noted.
If the recipient clicked on the highlighted blue "Individual Assistance Program" link, they were taken to a credential harvesting form hosted on Campaign Monitor's domain. When an INKY engineer entered fake credentials into the form, they got a fake "Access Denied!" error. Although they were counterfeit, the login credentials were sent to the threat actors behind the scam anyway.
In the Mailchimp case, the phishing email came from an abused hotmail[.]com address and claimed to be from "Chief Human Resources Officer."
"As COVID-19 presents new challenges and more people are vaccinated, COVID-19 guidelines continue to evolve. As many emerging COVID-19 guidelines rely on vaccination rates, we believe that knowing the vaccination status of our employees is necessary for us to effectively evaluate and revise our COVID-19 policies. We are collecting this information in a very brief vaccination status survey," the email reads.
Recipients were invited to click on a blue highlighted "VACCINATION SURVEY ID" link. They would then be taken to a real Mailchimp survey created by a bad actor. The survey acted as a cleverly disguised credential harvesting form. Toward the bottom, the survey asked the victim to enter "Employee Email," and the last box appeared below instructions to "Enter your password correctly to ensure successful Identification."
Victims who entered their real email credentials into the form had them scooped up by the bad actors. Alert recipients might have noticed phishing tell: the password, when entered, wasn't concealed.
How to spot phishing:
* If you are asked to provide a password to sign up for benefits or confirm information, then it's a scam. Never type credentials into a form unless it's a login to the real email system. Call IT if there's any doubt.
* Never supply any personal information, especially passwords, to anyone via a third-party resource.
* Do not give out personal, medical, or financial information to anyone claiming to offer money or gifts in exchange for participation in a COVID-19 survey.
* Double-check the sender's email address. An actual human resources department will not send an email to employees from a freemail account.
More from CyberNews:
Subscribe to our newsletter