GDPR Compliance Used as Phishing Lure
Campaign Designed to Steal Credentials
A recently uncovered phishing campaign used the European Union's General Data Protection Regulation as a lure to steal login credentials. The campaign enticed victims with subject lines indicating their email security system was not in compliance with the law, according to Area 1 Security.
Fraudsters were attempting to take advantage of uncertainties and misconceptions surrounding GDPR, using the fear factor about law violations, which can carry significant penalties, says Juliette Cash, a principal threat researcher with Area 1.
"The GDPR was implemented on May 25, 2018. However, there was a grace period for companies to slowly begin to adopt the new data regulation changes into their companies," she says. "Additionally, uncertainty about these regulations, especially for companies not located in Europe, is what we suspect to be the primary motivator for the attacker choosing this lure."
Area 1 Security researchers detected this phishing campaign, which lasted only two days, on Aug. 31. The hackers targeted companies in Europe and elsewhere, focusing on sales staff and other executives, Cash says. Because of the brief duration of the campaign, she says, it was difficult to assess how successful it was.
As with most well-crafted phishing emails, the threat actors used formatting and graphics to make their malicious messages look legitimate. They also created the impression the email originated from a legitimate source, according to the report.
The messages contained a timeline for supposed GDPR compliance that was regularly updated by the attackers to increase the pressure on the recipient, Area 1 Security says. The messages were sent to "public-facing" email addresses or directly to the firm's executives - particularly those who had access to client data and were responsible for GDPR compliance, according to the report.
To remain anonymous, the fraudsters used a virtual private server IP address belonging to ReadyIDC, which made it difficult to pinpoint the hackers' physical location, researchers say.
The fraudsters, however, left an obvious clue that the email address was not legitimate. The "mail from" envelope revealed that attackers sent their messages through Gmail accounts, which would not be used by a government agency attempting to enforce GDPR. This was corrected in later emails, when the threat actors spoofed the visible "from" address as well as the "mail from" domain of victim companies, researchers note.
"The attackers employed techniques, such as hosting their credential harvester on a legitimate site, and inserting SMTP HELO commands to tell receiving email servers that the phishing message originated from the targeted company’s domain. These tactics make detecting phish like this all the more difficult, enabling attackers to easily bypass legacy email security solutions and cloud email providers," Cash says.
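As an added illustration (not code from Area 1 Security's report), the following Python check shows how a receiving mail gateway can surface the two clues the researchers describe: an envelope MAIL FROM that does not match the visible From, and a HELO name that claims the target's own domain from an IP the domain has not authorized. The sample message, the victimcorp.example domain and the AUTHORIZED_SENDERS table are constructed stand-ins; a real deployment would take the authorized hosts from the domain's SPF record.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Constructed stand-in for an SPF lookup: hosts allowed to send mail for a domain.
# In production this would come from the domain's SPF record via DNS.
AUTHORIZED_SENDERS = {"victimcorp.example": {"203.0.113.10"}}

# Pulls the HELO name and the connecting IP out of a Received header.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)

# Constructed sample modelled on the campaign: spoofed visible From, Gmail MAIL FROM,
# and a HELO that claims the target's own domain from an unknown IP.
SAMPLE = """\
Return-Path: <gdpr.compliance.team@gmail.com>
Received: from mail.victimcorp.example (unknown [198.51.100.77])
\tby mx.victimcorp.example with ESMTP id abc123
From: "GDPR Compliance Office" <compliance@victimcorp.example>
To: sales@victimcorp.example
Subject: Your email security is not GDPR compliant

Final notice: see the attached compliance timeline.
"""


def _domain(address: str) -> str:
    """Lower-cased domain part of an address header ('' if none)."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def analyze_headers(raw_email: str) -> List[str]:
    """Return human-readable findings for the two clues described in the article."""
    msg = message_from_string(raw_email)
    from_domain = _domain(msg.get("From", ""))
    envelope_domain = _domain(msg.get("Return-Path", ""))
    findings = []
    # Clue 1: the SMTP envelope sender (MAIL FROM) does not match the visible From.
    if envelope_domain and envelope_domain != from_domain:
        findings.append(f"envelope mismatch: MAIL FROM {envelope_domain} vs From {from_domain}")
    # Clue 2: HELO claims the target's domain but the connecting IP is not authorized for it.
    # Only the topmost Received header is trusted: it is the one our own MX wrote.
    received = msg.get_all("Received") or []
    match = RECEIVED_RE.search(received[0]) if received else None
    if match:
        helo, ip = match.group(1).lower(), match.group(2)
        if helo.endswith(from_domain) and ip not in AUTHORIZED_SENDERS.get(from_domain, set()):
            findings.append(f"HELO {helo} claims {from_domain} but {ip} is not an authorized sender")
    return findings
```

Running analyze_headers(SAMPLE) yields two findings; a message from the authorized host with a matching envelope yields none, and the campaign's later wave (both addresses spoofed) still trips the HELO check.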
Other Phishing Campaigns
Other phishing campaigns have been in the news this month.
This week, police in Australia broke up an SMS phishing scheme designed to collect personal details and bank login credentials (see: Police Crack SMS Phishing Operation).
Earlier this month, security firm Cofense uncovered a credential-harvesting phishing campaign that used companies' official webpages as an overlay to hide the malicious domains collecting corporate credentials (see: Phishing Campaign Uses Homepage Overlay to Trick Victims).