Marking a pivot from COVID-19 scams, researchers track a single threat actor through the evolution from the pandemic to PayPal, and on to more timely voter scams — all with the same infrastructure.
<div class="c-article__content js-reading-content"> <p>The speed with which <a href="https://www.proofpoint.com/us/blog/threat-insight/agile-threat-actors-pivot-covid-19-voter-registration-themes-phishing-lures" target="_blank" rel="noopener noreferrer">phishers are able to adapt</a> to new messaging based on the latest headlines is accelerating, according to the Proofpoint Threat Research Team, which was able to track backend data from a recent voter-registration scam to uncover just how quickly cybercriminals can pivot to capitalize on current events. It turns out, all it takes to launch a potent phishing scam is a new wrapper.</p> <p>“The range of information credential-phishing themes — PayPal, COVID-19, voting — illustrate how actors often simply pivot from one theme to the next, all while using similar (often the same) infrastructure and backend functionality,” Sherrod DeGrippo, senior director of threat research and detection for Proofpoint, told Threatpost. “It’s clear that threat actors are continuing to try and reach as many intended recipients as possible by capitalizing on a popular topic. We’ve seen throughout the global COVID-19 situation that threat actors are able to adjust quickly to timely news and current events.”</p> <p>A recent voter registration <a href="https://threatpost.com/voter-phish-election/159804/" target="_blank" rel="noopener noreferrer">scheme, first discovered</a> by KnowBe4, sent emails out telling voters their registration information was incomplete. The logos in the communications were from the U.S. Election Assistance Commission (EAC), leading them to a fraudulent page asking them for their personal data.</p> <h2><strong>Tracking Phishing Kit Data </strong></h2> <p>By tracking data from phishing kits, which are easy, one-stop packages for phishing, the Proofpoint Threat Research Team found a trail of scams, all connected to the same infrastructure, with little more than a messaging swap differentiating them.</p> <p>“Phishkits can be highly technical or not very sophisticated, but they have been evolving slowly over time to offer more features and capabilities,” DeGrippo said by email. “Phishkits are traded, sold and given away for free in various forums.”</p> <p>Tracking phishing kit data isn’t new, but the Proofpoint team noticed that the same infrastructure was being used to support various scams, making it easy to lure in as many victims as possible.</p> <p>“The major changes observed are in branding only – the actor continues to use similar [user-interface] elements and backend code, evidenced by the POST of user-supplied information to the same email address across multiple information-phishing operations,” according to <a href="https://www.proofpoint.com/us/blog/threat-insight/agile-threat-actors-pivot-covid-19-voter-registration-themes-phishing-lures" target="_blank" rel="noopener noreferrer">Proofpoint’s findings</a>, issued this week.</p> <h2><strong>Evolution of a Phishing Scam</strong></h2> <p>In the voter-registration scam, which blasted out hundreds of typo-ridden phishing emails through SendGrid, the message posed as an official communication and asked recipients to “confirm” their details. One clicked, the link led to what the report said is a “compromised WordPress install,” impersonating the Arizona voter-registration system, ServiceArizona.</p> <div id="attachment_160251" style="width: 310px" class="wp-caption alignright"><img aria-describedby="caption-attachment-160251" loading="lazy" class="size-medium wp-image-160251" src="https://media.threatpost.com/wp-content/uploads/sites/103/2020/10/16172002/proofpoint-service-arizona-spoof-page-300x151.png" alt="" width="300" height="151"><p id="caption-attachment-160251" class="wp-caption-text">Phishing page. Source: Proofpoint</p></div> <p>A search of the phishing kit data led to an email address, obiri409[@]gmail[.]com, which researchers were able to follow to other sites that this fraudster used in scams of the past, including a previous PayPal account-verification phishing lure.</p> <p>From there they tracked the same criminals to a different October voter-registration messaging approach, branding the pages with the EAC logo instead of the Maricopa County government logo, asking for everything from Social Security numbers to tax IDs.</p> <p>“…and though we were unable to capture POST data for this page, the striking similarity in both the look of the page and use of a compromised WordPress install suggests that it is the same threat actor,” the report added.</p> <h2><strong>Phishing Flavors </strong></h2> <p>It’s safe to expect new fraud schemes rapidly coming into circulation related to recent headlines, according to Proofpoint. Already in October, several major campaigns have launched centered on news hooks. The president’s COVID-19 diagnosis, the Democratic National Committee and other recent news lures have also been used as cover for recent fraud schemes, according to Proofpoint.</p> <p>The deadline for Americans to file for <a href="https://threatpost.com/irs-covid-impact-payment-deadlines-phish/159913/" target="_blank" rel="noopener noreferrer">coronavirus relief</a> is approaching and criminals hatched a scheme to get people to serve up their personal information for the promised of a check, for instance. In another case, a recent announcement by Facebook that it was awarding $100 million in grants for small businesses sparked a round of <a href="https://threatpost.com/facebook-small-biz-grants-identity-theft-scam/159681/" target="_blank" rel="noopener noreferrer">attacks, luring users through Telegram</a> and WhatsApp with the promise of easy money.</p> <p>And, unsurprisingly, <a href="https://threatpost.com/amazon-prime-day-spurs-spike-in-phishing-fraud-attacks/159960/" target="_blank" rel="noopener noreferrer">Amazon Prime Day</a> was a field day for fraud, with attempts to dupe unsuspecting bargain hunters.</p> <p>Fads and headlines come and go, which is why smart cybercriminals have learned to quickly adapt to the latest hot topics to keep their attacks fresh and relatively obscured by news traffic spikes. The challenge for the security community is to stay one step ahead of the next rebranding of the same old social-engineering tactics.</p> <p>“The last messages we observed from this actor using voter-registration themes were sent on October 7,” Proofpoint added. “This suggests that the actor may have already shifted to another type of lure.”</p> <p> </p> <footer class="c-article__footer"> <div class="c-article__footer__container"> <div class="c-article__footer__col"> <a href="#discussion" class="c-button c-button--secondary">Write a comment</a> </div> <div class="c-article__footer__col"> <div class="c-article__sharing"> <p><strong>Share this article:</strong></p> <nav class="c-nav-sharing"> <div class="social-likes social-likes_notext" data-title="Phishers Capitalize on Headlines with Breakneck Speed" data-url="https://threatpost.com/phishers-capitalize-headlines-speed/160249/" data-counters="yes" data-zeroes="yes"><div class="facebook" title="Share via Facebook"></div> <div class="twitter" title="Share via Twitter"></div><div class="linkedin" title="Share via LinkedIn"></div> <div class="reddit" title="Share via Reddit"></div> <div class="flipboard" title="Share via Flipboard"></div> </div> </nav> </div> </div> </div> <div class="c-article__footer__container"> <div class="c-article__footer__col"></div> <div class="c-article__footer__col"> <ul class="c-list-categories"> <li><a class="c-label c-label--secondary-transparent" href="https://threatpost.com/category/most-recent-threatlists/">Most Recent ThreatLists</a></li> <li><a class="c-label c-label--secondary-transparent" href="https://threatpost.com/category/web-security/">Web Security</a></li> </ul> </div> </div> </footer> </div>