Over the past few weeks McAfee Labs has been observing a new phishing campaign using a fake voicemail message to lure victims into entering their Office 365 email credentials. At first, we believed that only one phishing kit was being used to harvest the user’s credentials. However, during our investigation, we found three different malicious kits and evidence of several high-profile companies being targeted. McAfee Customers using VSE, ENS, Livesafe, WebAdvisor and MGW are protected against this phishing campaign.
The attack begins when the victim receives an email informing them that they have missed a phone call, along with a request to login to their account to access their voicemail.
An example of the malicious email is shown below:
The phishing email contains a HTML file as an attachment which, when loaded, will redirect the user to the phishing website. There are slight variations in the attachment, but the most recent ones contain an audio recording of someone talking which will lead the victim to believe they are listening to the beginning of a legitimate voicemail.
The HTML code which plays the recording is shown below:
Once redirected, the victim is shown the phishing page which asks them to log into their account. The email address is prepopulated when the website is loaded; this is another trick to reinforce the victim’s belief that the site is legitimate.
When the password is entered, the user is presented with the following successful login page and redirected to the office.com login page.
We observed the following filenames being used for the attachments:
- 10-August-2019.wav.html [Format: DD-Month-YYYY.wav.html]
- 14-August-2019.html [Format: DD-Month-YYYY.html]
- Voice-17-July2019wav.htm [Format: Voice- DD-MonthYYYYwav.htm]
- Audio_Telephone_Message15-August-2019.wav.html [Format: Audio_Telephone_MessageDD-Month-YYYY.wav.html]
As explained in the introduction, we were surprised to observe three different phishing kits being used to generate the malicious websites. All three look almost identical but we were able to differentiate them by looking at the generated HTML code and the parameters which were accepted by the PHP script.
Voicemail Scmpage 2019 (Not a typo)
The first kit is being sold on an ICQ channel and the creator advertises it on social media. The kit goes by the name of ‘Voicemail Scmpage 2019’ and operates on a license key basis, where the license key is checked prior to the phishing site being loaded.
A snippet of the generated HTML code is shown below:
A file, data.txt, is created on the compromised website and it contains a list of visitors, including their IP address, web browsers and the date.
The following data is harvested from the victims and emailed to the owner of the phishing site:
- IP Address
- Region (Location)
Office 365 Information Hollar
The second phishing kit we discovered is called ‘Office 365 Information Hollar’. This kit is very similar to ‘Voicemail Scmpage 2019’ and gathers the same data, as shown in the image below:
Third “Unnamed” Kit
The final phishing kit is unbranded, and we could not find any attribution to it. This kit makes use of code from a previous malicious kit targeting Adobe users back in 2017. It is possible that the original author from 2017 has modified this kit, or perhaps more likely the old code has been re-used by a new group.
This kit also harvests the same data as the previous two. The ‘Unnamed Kit’ is the most prevalent malicious page we have observed while tracking these voicemail phishing campaigns.
During our investigation we observed the following industries being targeted with these types of phishing emails:
[Services includes tourism, entertainment, real estate and others which are too small to group]
A wide range of employees were targeted, from middle management to executive level staff. We believe that this is a ‘Phishing’ and ‘Whaling’ campaign.
The goal of malicious actors is to harvest as many credentials as possible, to gain access to potentially sensitive information and open the possibility of impersonation of staff, which could be very damaging to the company. The entered credentials could also be used to access other services if the victim uses the same password, and this could leave them open to a wider of range targeted attacks.
What sets this phishing campaign apart from others is the fact that it incorporates audio to create a sense of urgency which, in turn, prompts victims to access the malicious link. This gives the attacker the upper hand in the social engineering side of this campaign.
We urge all our readers to be vigilant when opening emails and to never open attachments from unknown senders. We also strongly advise against using the same password for different services and, if a user believes that his/her password is compromised, it is recommended to change it as soon as possible
It is highly recommended to use Two-Factor Authentication (2FA) since it provides a higher level of assurance than authentication methods based on Single-Factor Authentication (SFA), like the one that many users utilise for their Office 365 accounts.
When possible for enterprise customers, we recommend blocking .html and .htm attachments at the email gateway level so this kind of attack will not reach the final user.
Also, be sure to read our companion blog which details how you can stay safe from such phishing campaigns.
Indicators of Compromise
Email Attachment with the following filename:
10-August-2019.wav.html [Format: DD-Month-YYYY.wav.html]
14-August-2019.html [Format: DD-Month-YYYY.html]
Voice-17-July2019wav.htm [Format: Voice- DD-MonthYYYYwav.htm]
Audio_Telephone_Message15-August-2019.wav.html [Format: Audio_Telephone_MessageDD-Month-YYYY.wav.html]
HTML/Phishing.g V2 DAT = 9349, V3 DAT = 3800
HTML/Phishing.av V2 DAT = 9371, V3 DAT = 3821
HTML/Phishing.aw V2 DAT = 9371, V3 DAT = 3821
The hashes of the attachments will not be provided as this will provide information on the potential targets
(Domains (all blocked by McAfee WebAdvisor)