Cyber criminals commandeering email marketing services to send lures to customers
Customers of a fast-food chain were recently hit by phishing lures and malicious links that redirected them to . A breach of the restaurant’s email marketing service allowed cyber criminals to commandeer the company’s email marketing efforts.
The researchers found 121 phishing emails sent from the compromised Mailgun account between July 13 and July 16. Two were vishing attacks (malicious voicemail message attachments), 14 impersonated banks to harvest financial data, and the remaining 105 attempted to redirect users to a spoofed Microsoft site that attempted to steal credentials.
The attacks leveraged the breached email marketing accounts in a similar way to Nobelium’s attack on an email marketing service in May 2021. In that instance, the group breached Constant Contact’s systems and took over the accounts of its customers. While there is no evidence to suggest the same actors are involved in these attacks, it appears to be a case of copying a successful attack vector used by Nobelium. Nobelium have been busy during 2021, and it is no surprise their attacks are being mimicked by other cyber criminals.
The group were credited with the SolarWinds attack, which impacted the U.S. government as well as a number of other organisations. By late June, Nobelium were reported by the Microsoft Threat Intelligence Center to be behind brute force and password-spray attacks on Microsoft corporate networks as part of ongoing efforts to gain a foothold in businesses.
Their efforts are part of a larger increase in Microsoft login phishing-based attacks over the last 18 months, with 45% of all phishing attacks in 2020 aimed at swiping Microsoft credentials, primarily because of their value. Microsoft account credentials can lead to all kinds of interesting data, including other logins, trade secrets, financial details, and other intelligence.
Neuways advises users to treat every email they receive from senders they do not recognise or are not expecting with extreme caution. Even if you recognise the email address, as is the case for this attack, it is possible that the sender is not legitimate. If the email urges you to click a hyperlink or open an attachment, it could well be that the sender is a cyber criminal. By opening it and entering any information, you could be handing nefarious criminals access to your business.