McAfee: Malicious Voicemails Target Office365 Users
Scammers Include Fake Audio in Attempt to Steal Credentials
Cybercriminals are targeting users of Microsoft's Office365 subscription services with phishing campaigns that use fake voicemail messages in an attempt to steal victims' credentials and other information, according to researchers at the security firm McAfee.
In a report released Thursday, the researchers say they discovered three phishing kits being used in the campaign, which was first detected in early August. What stood out was the use of audio in email attachments claiming to be voicemail as a way to lure users into exposing their information, says Oliver Devane, a senior security researcher at McAfee.
"This is unusual and this is what caught our attention," Devane tells Information Security Media Group. "We have not observed phishing emails using audio in the past. We believe that this is the work of three different groups using the same tactic. Most likely they are copying each other as they found the tactic to be useful."
The scam uncovered by McAfee echoes similar campaigns from earlier this year.
For example, in January, Edgewave - which was recently bought by GoSecure - reported on a phishing campaign that sent emails to victims indicating that they had missed a voice call. The campaign used an EML attachment - essentially an email within an email - that appeared to be a received voicemail in Outlook. When the user clicked on the EML attachment, they were redirected to the phishing site.
The malicious campaign that Edgewave found, however, did not use audio as part of the scams, researchers say.
Fake Voicemail Messages
In the campaign that McAfee detected, the victim initially receives a phishing email saying they missed a voice call and are instructed to log into their account to get the message, according to the report.
Contained within the phishing email is an attached HTML file. When the user loads the file, they are redirected to the phishing website, McAfee finds. There are some variations to the attachments, but the more recent ones contain an audio recording. This can give the user the impression that what they’re hearing is the beginning of a real voice message, according to the report.
"What sets this phishing campaign apart from others is the fact that it incorporates audio to create a sense of urgency which, in turn, prompts victims to access the malicious link," the report says. "This gives the attacker the upper hand in the social engineering side of this campaign."
When the victim is redirected to the phishing site, they’re asked to log into their account.
"The email address is prepopulated when the website is loaded; this is another trick to reinforce the victim’s belief that the site is legitimate," the McAfee report says.
Once the victim puts in credentials, the victim sees a page that tells them the login was successful and they are redirected to the office.com login page.
McAfee found various filenames being used for the HTML attachments:
- 10-August-2019.wav.html [Format: DD-Month-YYYY.wav.html]
- 14-August-2019.html [Format: DD-Month-YYYY.html]
- Voice-17-July2019wav.htm [Format: Voice- DD-MonthYYYYwav.htm]
- Audio_Telephone_Message15-August-2019.wav.html [Format: Audio_Telephone_MessageDD-Month-YYYY.wav.html]
Three Phishing Kits
The three phishing kits used in the campaign were extremely similar except for slight differences in the HTML code generated and parameters accepted by the PHP script, according to McAfee.
One named "Voicemail Scmpage 2019" is advertised by the creator on social media. With this kit, a license key is checked before the phishing site is loaded, the researchers found. A data.txt file is created on the compromised website containing a list of visitors and information such as their IP addresses, web browsers and the date. Other information stolen includes emails, passwords and locations, according to the McAfee report.
Another similar kit, called "Office365 Information Hollar," collects the same information.
The third phishing kit, which is unnamed, uses code from an earlier kit that targeted Adobe users in 2017, McAfee researchers write.
"It is possible that the original author from 2017 has modified this kit, or perhaps more likely the old code has been re-used by a new group," the report says. "This kit also harvests the same data as the previous two. The 'unnamed kit' is the most prevalent malicious page we have observed while tracking these voicemail phishing campaigns."
An Array of Targets
The bad actors involved in the campaigns targeted a broad range of victims and industries. The researchers note that there was evidence that several "high-profile" companies were in the cybercriminals' crosshairs and that employees ranging from middle management to executives were targeted. The report does not quantify how much data may have been stolen so far.
The wide-ranging approach used by the bad actors wasn't unusual, McAfee's Devane says.
"From what we have observed in other campaigns, this is normal," Devane says. "The malicious actors are most likely making use of a large email list or database, which contains scraped email addresses. … We have not noticed any specific regions being targeted, but the phishing emails are authored in English, which expands the reach of the campaigns."
The campaign highlights the need for users to be careful about opening attachments in emails, particularly those from unknown people.
The threats can snowball, the report says. Not only are the cybercriminals looking for as many credentials as possible, but that information can lead to other dangers, including "the possibility of impersonation of staff, which could be very damaging to the company," according to the report. "The entered credentials could also be used to access other services if the victim uses the same password, and this could leave them open to a wider range of targeted attacks."
As a result, the McAfee researchers warn against using the same password for different services and call for changing passwords if users suspect they have been compromised. They also advise enterprises to use two-factor authentication and block .html and .htm attachments at the email gateway to ensure such attacks don't reach the users.
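The attachment filename formats listed earlier and the advice to block .html and .htm attachments can be combined into one attachment check. The Python sketch below is an added example, not code from McAfee's report; the function names, verdict labels and sample message are constructed for illustration.

```python
import re
from email import message_from_string, policy

# Filename formats listed in the report, written as regular expressions.
MONTH = r"[A-Z][a-z]+"
REPORTED_PATTERNS = [re.compile(p) for p in (
    rf"^\d{{1,2}}-{MONTH}-\d{{4}}\.wav\.html$",
    rf"^\d{{1,2}}-{MONTH}-\d{{4}}\.html$",
    rf"^Voice- ?\d{{1,2}}-{MONTH}\d{{4}}wav\.htm$",
    rf"^Audio_Telephone_Message\d{{1,2}}-{MONTH}-\d{{4}}\.wav\.html$",
)]
BLOCKED_EXTENSIONS = (".html", ".htm")  # extensions the report says to block

def classify_attachment(filename):
    """Return 'reported-pattern', 'blocked-extension' or 'allow' (labels are illustrative)."""
    name = (filename or "").strip()
    if any(p.match(name) for p in REPORTED_PATTERNS):
        return "reported-pattern"
    if name.lower().endswith(BLOCKED_EXTENSIONS):
        return "blocked-extension"
    return "allow"

def scan_message(raw):
    """Map every attachment filename in a raw email message to its verdict."""
    msg = message_from_string(raw, policy=policy.default)
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    return {n: classify_attachment(n) for n in names}

# Constructed sample message (not taken from the campaign).
SAMPLE = """\
Subject: Missed call
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You missed a call.
--b1
Content-Type: text/html
Content-Disposition: attachment; filename="10-August-2019.wav.html"

<html></html>
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="invoice.pdf"

placeholder
--b1--
"""
if __name__ == "__main__": print(scan_message(SAMPLE))
```

The extension check is the control that matters at the gateway; the pattern match only adds triage context, since the report notes that the filenames vary.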