
GDPR Compliance Used as Phishing Lure

Campaign Designed to Steal Credentials
An example of a phishing email using GDPR compliance as a lure (Source: Area 1 Security)

A recently uncovered phishing campaign used the European Union's General Data Protection Regulation as a lure to steal login credentials. The campaign enticed victims with subject lines indicating their email security system was not in compliance with the law, according to Area 1 Security.


Fraudsters were attempting to take advantage of uncertainties and misconceptions surrounding GDPR, using the fear factor about law violations, which can carry significant penalties, says Juliette Cash, a principal threat researcher with Area 1.

"The GDPR was implemented on May 25, 2018. However, there was a grace period for companies to slowly begin to adopt the new data regulation changes into their companies," she says. "Additionally, uncertainty about these regulations, especially for companies not located in Europe, is what we suspect to be the primary motivator for the attacker choosing this lure."

Area 1 Security researchers detected this phishing campaign, which lasted only two days, on Aug. 31. The hackers targeted companies in Europe and elsewhere, focusing on sales staff and other executives, Cash says. Because of the brief duration of the campaign, she says, it was difficult to assess how successful it was.

Phishing Tactics

As with most well-crafted phishing emails, the threat actors used formatting and graphics to make their malicious messages look legitimate. They also created the impression the email originated from a legitimate source, according to the report.

The messages contained a timeline for supposed GDPR compliance that was regularly updated by the attackers to increase the pressure on the recipient, Area 1 Security says. The messages were sent to "public-facing" email addresses or directly to the firm's executives - particularly those who had access to client data and were responsible for GDPR compliance, according to the report.

To remain anonymous, the fraudsters used a virtual private server IP address belonging to ReadyIDC, which made it difficult to pinpoint the hackers' physical location, researchers say.

The fraudsters, however, left an obvious clue that the email address was not legitimate. The "mail from" envelope revealed that the attackers sent their messages through Gmail accounts, which would not be used by a government agency attempting to enforce GDPR. This was corrected in later emails, when the threat actors spoofed the visible "from" address as well as the "mail from" domain of victim companies, researchers note.

"The attackers employed techniques, such as hosting their credential harvester on a legitimate site, and inserting SMTP HELO commands to tell receiving email servers that the phishing message originated from the targeted company’s domain. These tactics make detecting phish like this all the more difficult, enabling attackers to easily bypass legacy email security solutions and cloud email providers," Cash says.
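The two sender inconsistencies described above (a "mail from" envelope domain that differs from the visible "from" domain, and a HELO name claiming the recipient's own domain from an outside address) can be checked at the mail gateway. The following is an added example, not code from Area 1 Security or the article; the protected domain, its IP range, the Postfix-style `Received` format and all sample messages are assumptions constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions, not from the article: the protected domain and its own mail-server range.
ORG_DOMAIN = "example.com"
ORG_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Postfix-style stamp written by the receiving MTA: "from <HELO name> (<rDNS> [<IP>])"
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(.*?\[([0-9A-Fa-f.:]+)\]\)", re.S)

def domain_of(header_value):
    """Lower-cased domain of the address in a From or Return-Path header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def check_message(raw):
    """Return findings for the two sender inconsistencies described above."""
    msg = message_from_string(raw)
    findings = []
    visible, envelope = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    if visible and envelope and visible != envelope:
        findings.append(f"envelope-mismatch: MAIL FROM {envelope} vs From {visible}")
    # The top-most Received header is the one added by our own edge server.
    received = msg.get_all("Received") or []
    hop = RECEIVED_RE.search(received[0]) if received else None
    if hop:
        helo, ip = hop.group(1).lower(), ipaddress.ip_address(hop.group(2))
        claims_org = helo == ORG_DOMAIN or helo.endswith("." + ORG_DOMAIN)
        if claims_org and not any(ip in net for net in ORG_NETS):
            findings.append(f"helo-spoof: HELO {helo} from outside address {ip}")
    return findings

def build(sender, mail_from, helo, ip):
    """Constructed sample message; every value below is invented for the example."""
    return (f"Return-Path: <{mail_from}>\n"
            f"Received: from {helo} (unknown [{ip}]) by mx.example.com with ESMTP\n"
            f"From: GDPR Compliance <{sender}>\nSubject: Action required\n\nbody\n")

EARLY_WAVE = build("compliance@example.com", "sender@gmail.com", "mail-out.example.net", "198.51.100.9")
LATER_WAVE = build("compliance@example.com", "compliance@example.com", "example.com", "203.0.113.7")
INTERNAL = build("hr@example.com", "hr@example.com", "mail.example.com", "192.0.2.10")

if __name__ == "__main__":
    for name, raw in [("early", EARLY_WAVE), ("later", LATER_WAVE), ("internal", INTERNAL)]:
        print(name, check_message(raw))
```

An envelope mismatch also occurs in legitimate bulk and mailing-list mail, so it works better as a scoring signal alongside SPF, DKIM and DMARC results than as a verdict on its own.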

Other Phishing Campaigns

Other phishing campaigns have been in the news this month.

This week, police in Australia broke up an SMS phishing scheme designed to collect personal details and bank login credentials (see: Police Crack SMS Phishing Operation).

Earlier this month, security firm Cofense uncovered a phishing campaign that used companies' official webpages as an overlay to hide malicious domains designed to harvest corporate credentials (see: Phishing Campaign Uses Homepage Overlay to Trick Victims).

About the Author

Chinmay Rautmare


Senior Correspondent

Rautmare is senior correspondent on Information Security Media Group's Global News Desk. He previously worked with Reuters News as a correspondent for the North America Headline News operations and reported on companies in the technology, media and telecom sectors. Before Reuters, he put in a stint in broadcast journalism with a business channel, where he helped produce multimedia content and daily market shows. Rautmare is a keen follower of geo-political news and defense technology in his free time.
