Cybersecurity researchers recently discovered an incredibly simple phishing campaign that appears to be working exceptionally well.
In a blog post, Cofense experts described a phishing campaign in which threat actors impersonate an auto insurance company. The body of the emails is short and to the point, and does not distribute anything particularly malicious. In fact, in many cases the emails carried a Google ad link, which is probably why they managed to bypass secure email gateways (SEGs) and reach people's inboxes in the first place.
In the email, victims are told they are eligible to receive up to 10% of their car's last value annually. What's more, if they owned the car for several years, they are also entitled to all previous payments. Given the current economic situation around the world, the promise of money is more interesting than ever, the researchers added.
Hijacking a legitimate website
For more information, victims are offered a link to the blawx[.]com website. This site used to be legitimate, but it has most likely been compromised recently and repurposed for this campaign. The site claims to offer downloadable “instructions” on how to claim funds, but the downloaded file is just a JavaScript file that later deploys the NetSupport Remote Access Trojan (RAT) to the device.
NetSupport Manager, from which the RAT was created, is a genuine application designed for remote access and used by helpdesk technicians for more than 20 years. It has since been hijacked and misused by hackers, who use it to gain unauthorized access to target endpoints.
We don't know how many people were attacked, nor how many fell into the trap, but Cofense described the campaign as “relatively small.”