Phishing Defense Center (PDC) specialists have revealed the detection of a phishing campaign in which threat actors pose as Skype employees. As mentioned above, social distancing policies have significantly increased the use of remote communication tools, so hackers have also stepped up attack campaigns against these services.
In this campaign, the hackers use an email address that closely resembles the address of authentic Skype notifications. They also spoof a telephone number and email address to convince the user that they are being contacted by Skype staff.
Although the sender's address may appear legitimate, the actual sender can be found in the return path, shown as "sent from", which is an external compromised account. There are many ways to exploit a compromised account, but in this campaign the threat actor chose to use it to send further phishing messages while posing as a trusted colleague or friend.
It is quite common to receive emails about pending notifications for various services. The hackers count on this, expecting users to go and review the notifications. Because of the need to stay in touch with colleagues, users routinely click the notification button without noticing anything unusual.
When the user clicks "Review", they are redirected via an application link: hxxps://jhqvy[.]app[.]link/VAMhgP3Mi5
The attacker chose a .app top-level domain to host the attack. This TLD is backed by Google to help app developers share their apps securely. One advantage of this TLD is that it requires HTTPS to connect to it, adding security for both the user and the developer. While this is a useful feature, it also works in the hackers' favor.
Using HTTPS adds a padlock to the address bar, which most users have been trained to trust. Because this phishing site is hosted under Google's .app TLD, it displays that trusted icon, even though the padlock only confirms that the connection is encrypted, not who operates the site.
Clicking the link shows the user an imitation of the Skype sign-in page. A user familiar with cybersecurity topics who inspects the URL will notice that it contains the word Skype (hxxp://skype-online0345[.]web[.]app).
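As an added example (not code from the PDC report), the following Python triage check looks for the two indicators described above: a Return-Path domain that differs from the visible From domain, and links whose host name contains the brand but is not a real Skype domain. The sample message is constructed; its two URLs are the report's defanged values with the brackets removed, and skype.com is assumed to be the brand's legitimate domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the report): the visible From header mimics a Skype
# notification while Return-Path reveals an external account; the two URLs are the
# defanged values quoted in the report with the brackets removed.
SAMPLE_EMAIL = """\
Return-Path: <accounts@compromised-partner.example>
From: Skype <notifications@skype.example>
Subject: You have 2 pending notifications
Content-Type: text/plain

Review your pending notifications:
https://jhqvy.app.link/VAMhgP3Mi5
Sign in: http://skype-online0345.web.app
"""

URL_RE = re.compile(r"https?://\S+")

def domain_of(addr: str) -> str:
    """Lowercase domain of an RFC 5322 address header value ('' if absent)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def host_of(url: str) -> str:
    """Lowercase host part of an http(s) URL."""
    return re.sub(r"^https?://", "", url).split("/")[0].lower()

def is_brand_lookalike(url: str, brand: str, legit_domains) -> bool:
    """True when the host mentions the brand but is not one of its real domains."""
    host = host_of(url)
    owned = any(host == d or host.endswith("." + d) for d in legit_domains)
    return brand in host and not owned

def analyze(raw: str, brand: str = "skype", legit_domains=("skype.com",)) -> dict:
    """Flag the two anomalies the report describes: a From/Return-Path domain
    mismatch and brand-named links hosted outside the brand's own domains."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From", ""))
    return_domain = domain_of(msg.get("Return-Path", ""))
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    urls = URL_RE.findall(body)
    return {
        "from_domain": from_domain,
        "return_path_domain": return_domain,
        "return_path_mismatch": bool(return_domain) and return_domain != from_domain,
        "brand_lookalike_urls": [u for u in urls if is_brand_lookalike(u, brand, legit_domains)],
    }
```

Run `analyze(SAMPLE_EMAIL)` to see the mismatch flag set and the web.app sign-in link reported as a lookalike, while the app.link redirector (no brand in its host) is left to other checks.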
To add even more authenticity to the scam, the attackers add the recipient's company logo to the login box, as well as a "disclaimer" at the bottom warning that the page is "for authorized use" by company users only, so targeted employees are quite likely to fall into the trap.