Author: Trend Micro Cyber Safety Solutions Team

While most phishing campaigns are fairly simplistic in nature and easy to spot (they usually involve a legitimate-looking email, often with a malicious attachment or link embedded in the text), a spam campaign we observed in September indicates attackers are angling towards a more sophisticated form of phishing. The campaign uses hijacked email accounts to send malware as part of or as a response to an existing email thread. Because it’s part of a legitimate and on-going conversation, this particular approach can often be tricky and difficult to detect. Often, the victim may not realize that they’ve been a victim of a cyberattack until it’s too late.

These attacks are very similar to a URSNIF/GOZI spam campaign discovered by Talos earlier this year, which uses hijacked computers that are part of the Dark Cloud botnet to send emails to existing conversations, and they may be a continuation or evolution of those attacks.

From all the data gathered so far, we discovered that this campaign is mostly affecting North America and Europe, although we also found similar attacks in Asia and the Latin American region.

Organizations in the education, financial, and energy sectors make up most of the targets of the scam. However, the attack also affects other industries, including real estate, transportation, manufacturing, and government.
Read: Phishing Campaign uses Hijacked Emails to Deliver URSNIF by Replying to Ongoing Threads - TrendLabs Security Intelligence Blog