New Phishing Campaign Spoofed Skype to Steal Users' Credentials

Posted on April 24, 2020
PLEASE_READ_ME Ransomware Campaign Targeting MySQL Servers
A phishing campaign leveraged malicious emails to spoof video calling platform Skype in order to steal users' account credentials. Cofense observed that the campaign began with an attack email that appeared to originate from Skype. Specifically, the attackers crafted the sending email address to read as "67519-81987[@]skype.[REDACTED EMAIL]." But a closer look revealed that the attack email had actually originated from a compromised email address. The email itself masqueraded as an alert of 13 pending notifications awaiting the recipient. Cofense said that this technique was a clever move on the attackers' part. As it explained in its research:
It is not uncommon to receive emails about pending notifications for various services. The threat actor anticipates users will recognize this as just that, so they take action to view the notifications. Curiosity and the sense of urgency entice many users to click the “Review” button without recognizing the obvious signs of a phishing attack.
WM_email2_BLURRED.jpg.wm_.jpg
A view of the email body with the embedded button's link location revealed. (Source: Cofense) As shown in the image above, the "Review" button didn't actually lead users to a review of their pending Skype notifications. Instead, it used an app link to redirect them to a phishing page located at hxxps://skype-online0345[.]web[.]app. The decision to use .app for the page's top-level domain gave the attack an even greater sense of legitimacy, as .app domains require the use of HTTPS to establish a connection. To further increase their attack's credibility, the phishing site displayed the company logo of the target within the login box along with a warning that the page was open to the company's employees only.
WM_phish-1.png.wm_.jpg
A view of the phishing page. (Source: Cofense) All of those tactics had one purpose: lull the user into a false sense of security so that they would provide their password. In the event they complied, the page sent their credentials over to the attackers. This campaign highlights the need for organizations to defend themselves and their employees against phishing attacks. One of the ways they can do this is by educating their employees about some of the most common types of phishing attacks that are in circulation today.
Join over 20,000 IT security pros who get our top stories delivered to their inbox every week!