SECURITY ALERT: New Credential Stealing Campaign Hits Nordic Countries

[harlan4096]

Users are lured with a fake document sent via email. How this new phishing campaign works and how to stay safe.

People in Nordic countries and beyond should beware: there’s a new credential stealing campaign up and running. For now, it seems to be hitting mostly these countries, but there’s no telling when it will extend to the rest of the world. Where there’s (illicit) money to be made, hackers are restless.

How the New Nordics Credential Stealing Campaign Works

As far as we’ve seen so far, the new Nordics credential-stealing campaign is targeting working emails. The malicious message pretends to be part of a previously agreed upon conversation, since the document is introduced as a link, without much explanation.

This is how a typical email looks like:

Fra: [sender email address] Sendt: 2. oktober 2019 09:56
Emne: Doc
Prioritet: Høj

Hei

Finn vedlagte dokument

Vis Dokument (https://amagauto-my.sharepoint.com/perso...cdca%2F%29)

Med vennlig hilsen

[Name

Phone, Email, Company name etc.]

Translated into English, this email would be this:

From: [sender email address]
Posted: October 2, 2019 9:56 AM
Subject: Doc
Priority: High

Hi

Find the attached document

View Document (https://amagauto-my.sharepoint.com/perso...iew&wd=tar 7C97f58f57-7285-4f70-8af0-fb5d7d3e3b82% 2FPDF% 20002% 7C4c8df191-241d-4d43-91b6-b3658f3bcdca% 2F% 29)

With best regards

[Name

Phone, Email, Company name etc.]

What happened next, if the user clicked that link?

They are redirected to a picture of a document (it’s not even a real document). The picture has a hyperlink inserted on it, which means that when a user clicks it, they will be redirected to a malicious page.

The fraudulent page then asked users to login with whatever account they had, either Yahoo, Office 365, Gmail, etc.
...

Continue Reading