A new phishing tactic which targets Verizon customers to steal user credentials, passwords and personal details has been detected.
According to research by Armorblox, the email resembles a secure message from Verizon Support and is titled “Your attention is urgently required”. When the recipient clicks the link, they are redirected to a Verizon lookalike website which asks them to enter their email address, Verizon account password, email account password and phone number.
Speaking to Infosecurity, Arjun Sambamoorthy, co-founder and head of engineering at Armorblox, said that by collecting the target’s credentials, the attackers are phishing for personal details and enabling further emails to be sent from the victim’s domain that would appear legitimate. He added that successful access to the victim’s account would also allow access to details of any other users of the Verizon service.
Sambamoorthy also said the emails got through because they didn’t exhibit the traits of more traditional phishing attacks. In one case the attack used a Wicca follower page named “Black Sun Coven” as the parent domain. Sambamoorthy explained that the domain was registered in August 2019 and used for the phishing attack 11 months later.
“Assuming the website being discussed here is legitimate, the attackers likely exploited vulnerabilities in the web server or the Content Management Systems (CMS) to host phishing pages on the legitimate parent domain without the website admins knowing about it,” he said.
Sambamoorthy said “a handful of users” had been impacted, and the attack was still under investigation, while he had seen similar tactics used for other services.
“We have seen variants of this attack,” he said. “Attackers do this to hijack the trust associated with these brands, induce urgency in their victims (e.g. Your Amazon delivery address is incorrect, There's a billing failure on your Netflix account), and in some cases to circumvent any company SSO rules that might be in place.”
As for the use of the Wicca follower page, Sambamoorthy said his company was increasingly seeing attackers host phishing pages on dummy sites or on orphaned pages of legitimate websites. “They're able to do this by exploiting vulnerabilities in the web servers or CMS without website admins knowing about it. Based on our initial research, Black Sun Coven was most likely a dummy site the attackers created. The site didn't have any contact information and online searches for ‘Black Sun Coven’ yielded unrelated results to the site in question.”
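Added detection example, not code from Armorblox or the article: it checks a constructed email modelled on the lure described above, flagging links whose registrable domain does not match the brand the sender claims to be, and shows why a domain-age rule on its own would miss a parent domain registered eleven months before use. The Verizon domain allowlist, the placeholder link host and the registration date are assumptions.

```python
import re
from datetime import date
from email import message_from_string
from urllib.parse import urlparse

# Assumed allowlist of the impersonated brand's real domains (not from the article).
BRAND_DOMAINS = {"verizon": {"verizon.com"}}
URGENCY = re.compile(r"urgent|immediately|suspended|attention", re.I)

# Constructed sample modelled on the lure; the link host is a placeholder,
# not the real parent site named in the article.
SAMPLE_EMAIL = (
    'From: "Verizon Support" <support@verizon.com>\n'
    "Subject: Your attention is urgently required\n"
    "Content-Type: text/html\n\n"
    "<p>Your attention is urgently required.</p>\n"
    '<a href="https://www.verizon.com/">Verizon</a>\n'
    '<a href="http://parent-site.example/redirect?to=login">Read secure message</a>\n'
)
# Constructed WHOIS-style registration dates used by the domain-age check.
REGISTERED = {"parent-site.example": date(2019, 8, 1)}


def registrable(host):
    """Crude eTLD+1: last two labels (no public-suffix list, for the example)."""
    return ".".join(host.lower().split(".")[-2:])


def analyse(raw, registered=REGISTERED, today=date(2020, 7, 15), max_age_days=30):
    """Return a list of findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    hosts = {urlparse(u).hostname for u in re.findall(r'href="([^"]+)"', msg.get_payload())}
    claimed = next((b for b in BRAND_DOMAINS if b in (msg["From"] or "").lower()), None)
    findings = []
    for host in sorted(h for h in hosts if h):
        dom = registrable(host)
        # Brand/link mismatch: the sender claims a brand but the link leaves its domains.
        if claimed and dom not in BRAND_DOMAINS[claimed]:
            findings.append(f"brand/link mismatch: claims {claimed}, links to {dom}")
        # Domain-age rule: an aged parent domain (registered months earlier) passes this.
        reg = registered.get(dom)
        if reg and (today - reg).days < max_age_days:
            findings.append(f"newly registered domain: {dom}")
    if claimed and URGENCY.search(msg["Subject"] or ""):
        findings.append("brand impersonation with urgency cue in subject")
    return findings
```

With the defaults, the mismatch and urgency rules fire while the 30-day age rule stays silent, which is the gap an aged parent domain exploits.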