Last month, INKY detected two separate credential harvesting operations that abused email marketing platforms (Campaign Monitor and Mailchimp). These phishing emails used COVID-19 narratives to entice recipients to click links that led to credential harvesting forms set up on the abused domains.
Quick Take: Attack Flow Overview
- Type: Phishing
- Vector: Freemail accounts and hijacked senders
- Payload: Credential harvesting form on abused email marketing platforms
- Techniques: Account takeover and credential harvesting
- Platform: Google Workspace and Microsoft 365
- Target: Google Workspace and Microsoft 365 users
The two phishing assaults INKY engineers uncovered were similar in structure but differed in details. One used Campaign Monitor as a staging area. The other used Mailchimp.
In the Campaign Monitor case, the attack started off with a heartstring-pulling pitch, sent from a hijacked email account, saying that the cavalry is at hand, assistance is available, there’s money for “everyone and all employees in the new year” via something called the “COVID-19 Benefits Program.” This program was, of course, nonexistent, but employees under stress from trying to work for more than two years under the threat of COVID-19 might have been ready to believe anyone who offered an end to the storm or at least a silver lining. The fake program was described in the email as making “cash assistance” available.
Campaign Monitor email pitch
If the recipient clicked on the highlighted blue “Individual Assistance Program” link, they were taken to a credential harvesting form hosted on Campaign Monitor’s domain. An alert form-filler might have noticed that the word “Password” was spelled “Pass word,” which was either an attempt to avoid detection or just plain bad grammar.
Credential harvesting form
When an INKY engineer entered fake credentials into the form, they got a fake “Access Denied!” error. Although they were counterfeit, the login credentials were sent to the bad actors behind the scam anyway.
Behind a fake error message, phishers harvested credentials
This phishing email came from an abused hotmail[.]com address and claimed to be from “Chief Human Resources Officer.” The pitch was spoofed to look like it was sent internally from “Human Resources” about “HR: Employee Medical Identification” to “Active Distribution List,” all generic entities. The phrase “COVID-19” appeared no less than seven times in the body, perhaps to create a sense of urgency, an important tool in the phisher’s kit.
Mailchimp email pitch
Recipients were invited to click on a blue highlighted “VACCINATION SURVEY ID” link. If they did, they were taken to a real Mailchimp survey created by a bad actor.
Real survey, evil surveyors
The survey acted as a cleverly disguised credential harvesting form. Toward the bottom, the survey asked the victim to enter “Employee Email,” and the last box appeared below instructions to “Enter your password correctly to ensure successful Identification.” In a subtle touch, the phishers placed the word “identification” and the abbreviation “ID” strategically around both the email and the harvesting form to make it seem natural to the victim that they should enter their credentials.
Again, our engineer entered fake credentials to follow the phishing sequence.
Fake credentials duly entered and harvested
Victims who entered their real email credentials into the form as survey responses had them scooped up by the bad actors. Alert recipients might have noticed a phishing tell: the password, when entered, wasn’t concealed.
The “blowoff” in this case was a simple “Thank you for submission.” in a white dialogue box. That reassuring phrase was designed to allay the cognitive dissonance that an employee might feel after entering email credentials onto a supposed survey form.
In the Campaign Monitor case, the phishers abused a feature on the site normally used to confirm a subscription when a survey respondent fills out a custom email signup form (https://www.campaignmonitor.com/features/email-sign-up-forms/).
Any enterprising phisher can use the free form builder to stand up their own credential harvesting mechanism.
Our engineer went partway down the road to demonstrate just how easy it is to create a realistic-looking boobytrap.
No actual assistance here
In the Mailchimp case, the phishers simply created their own survey, abusing the site’s legitimate tools (https://mailchimp.com/help/create-a-survey/). On the “Create a survey” page, the bad actors were able to make use of the Radio Button feature to concoct a vaccination status selection section and the Open Text feature to set up a box for login credential collection.
Phishers make use of convenient Mailchimp tools
Both Campaign Monitor and Mailchimp are well-known email marketing platforms. As such, their domains are highly reputable and don’t appear in threat intelligence feeds, thus helping phishers evade detection.
Recap of Techniques
- Exploitation of current events — capitalizes on the uncertainty, fear, and urgency related to COVID-19.
- Credential harvesting — occurs when a victim thinks they are logging in to one of their resource sites but are actually entering credentials into a dialogue box owned by the attackers.
- Compromised email accounts — are used by phishers to pass most security software tests, allowing phishing emails to slip past corporate defences and into hapless recipients’ inboxes.
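A defender-side triage check that scores an inbound message on the three techniques listed above: an internal-department claim coming from a freemail sender, a link into a hosted marketing-platform form, and a hammered COVID-19 theme. This is an added example, not INKY's detection logic; the domain lists, regexes, threshold and the sample message are assumptions constructed for the demonstration.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Illustrative lists (assumed here, not from the INKY write-up); real tooling
# would load fuller freemail and marketing-platform domain lists.
FREEMAIL_DOMAINS = {"hotmail.com", "gmail.com", "outlook.com", "yahoo.com"}
MARKETING_PLATFORMS = ("campaignmonitor.com", "mailchimp.com")
INTERNAL_CLAIM = re.compile(r"\b(human resources|hr|payroll|benefits)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def on_platform(host):
    return any(host == p or host.endswith("." + p) for p in MARKETING_PLATFORMS)

def score_message(raw):
    """Score one RFC 5322 message string; returns (score, reasons). >= 2 is suspicious."""
    msg = message_from_string(raw, policy=policy.default)
    sender = msg["from"].addresses[0]
    part = msg.get_body(preferencelist=("html", "plain"))
    text = part.get_content() if part else ""
    reasons = []
    # Strong signal: claims to be an internal department, yet sends from freemail.
    if sender.domain.lower() in FREEMAIL_DOMAINS and INTERNAL_CLAIM.search(
            f"{sender.display_name} {msg['subject'] or ''}"):
        reasons.append(f"internal-department claim from freemail sender {sender.addr_spec}")
    # Weak signal on its own (newsletters do this too): link into a hosted form platform.
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(text)}
    if any(on_platform(h) for h in hosts):
        reasons.append("link to a hosted marketing-platform form: " + ", ".join(sorted(hosts)))
    # Urgency theme hammered repeatedly.
    n = len(re.findall(r"covid-?19", text, re.I))
    if n >= 3:
        reasons.append(f"COVID-19 mentioned {n} times")
    return len(reasons), reasons

# Constructed sample (not a real message from the campaigns described).
SAMPLE_PHISH = """\
From: "Human Resources" <hr.notices@hotmail.com>
To: "Active Distribution List" <staff@example.com>
Subject: HR: Employee Medical Identification
Content-Type: text/html; charset=utf-8

<p>COVID-19 vaccination records are being updated. Confirm your COVID-19
status today via your COVID-19 survey:</p>
<a href="https://example-list.mailchimp.com/survey/placeholder">VACCINATION SURVEY ID</a>
"""

if __name__ == "__main__":
    print(score_message(SAMPLE_PHISH))
```

A genuine newsletter sent from a company domain scores only on the platform link, which is why that signal is weighted by the others rather than used alone.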
Best Practices: Guidance and Recommendations
If an employee is asked to provide a password to sign up for benefits or confirm information, then it’s a scam. Never type credentials into a form unless it’s a login to the real email system. Call IT if there’s any doubt.
Never supply any personal information, especially passwords, to anyone via a third-party resource.
Do not give out personal, medical, or financial information to anyone claiming to offer money or gifts in exchange for participation in a COVID-19 survey.
Double-check the sender's email address. A real human resources department will not send an email to employees from a freemail account.