Abnormal Security in May reported on two industry-related phishing schemes in its Abnormal Attack Stories.
The first, a report dated May 8, said attackers impersonated a notification from DocuSign to steal credentials from employees. It stated that the attacker copied the content used by real DocuSign emails, claiming that a document had been sent to the user for review from “CU #COVID19 Electronic Documents,” with no further details of what the document is. It hit 15,000 to 50,000 mailboxes.
It noted that Abnormal Security has seen a large increase in COVID-19 related attack campaigns. It stated that these attacks are similar to those previously seen, but with coronavirus-related vocabulary.
“The attack impersonated DocuSign and included official images used by the company,” the report stated. “The email had many embedded links in the email, some of which led to authentic DocuSign webpages. If not careful, one could believe the email was safe because many aspects of the email looked authentic. However, as we saw, the email contained a malicious URL that hosted a DocuSign phishing credentials webpage.”
On May 18, it reported that the Navy Federal Credit Union was the victim of a phishing attack affecting more than 70,000 mailboxes. The attackers sent an email claiming to be from U.S. Navy Federal Credit Union, stating that the user received $1,100 due to the COVID-19 pandemic. The email states that users who have not received their funds must validate their account information with the provided link.
Abnormal Security noted: “Given the current pandemic, some individuals would have been still waiting to receive their stimulus check from the government. In the case that the user has not yet received their relief funds, they may be more inclined to believe this email.”
“The attacker sent themselves the email (as seen in the to-field of the email attack), while the victim’s email address was placed in the BCC field,” the report stated. “The email body itself is vague and contains no personalization. This is a common tactic used by attacks to mass send this campaign, in order to hide who else was affected by this attack, as well as expand their net of targets.”
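The header and link traits described in the two reports (a message addressed to the sender itself with the real recipient only in BCC, and authentic brand links mixed with an off-brand one) can be checked mechanically on inbound mail. The following is an added example, not code from Abnormal Security or the original article; the function name, signal names, sample message, and the `brand.example` and `attacker.example` hosts are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Constructed sample message (not taken from the reports); every address
# and host below is a placeholder.
SAMPLE = """\
From: "Navy Federal Credit Union" <sender@attacker.example>
To: sender@attacker.example
Subject: COVID-19 relief funds
Content-Type: text/plain

If you have not received your funds, validate your account information:
https://www.brand.example/about/
https://validate.attacker.example/login
"""

def phishing_signals(raw, delivered_to, brand_domains):
    """Return sorted heuristic signal names for one plain-text message.

    delivered_to  -- envelope recipient the mail system delivered to
    brand_domains -- domains owned by the brand the message claims to be
    """
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = {addr.lower() for _, addr in getaddresses(headers) if addr}
    signals = set()
    # The recipient is absent from To/Cc, so it was delivered via BCC.
    if delivered_to.lower() not in visible:
        signals.add("recipient_only_in_bcc")
    # The only visible recipient is the sender's own address.
    if sender and visible == {sender}:
        signals.add("sender_addressed_to_self")
    # Authentic brand links appear next to links on unrelated hosts.
    urls = re.findall(r"https?://[^\s\"'<>]+", msg.get_payload())
    hosts = {(urlparse(u).hostname or "").lower() for u in urls}
    on_brand = {h for h in hosts
                if any(h == d or h.endswith("." + d) for d in brand_domains)}
    if on_brand and hosts - on_brand:
        signals.add("authentic_and_offbrand_links_mixed")
    return sorted(signals)
```

Legitimate mailing lists also deliver mail whose recipient is not in To or Cc, so these signals are inputs to scoring alongside SPF/DKIM/DMARC results rather than verdicts on their own.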