Cybersecurity researchers recently discovered an incredibly simple phishing campaign that appears to be performing exceptionally well.
In a blog post, Cofense experts described a newly discovered phishing campaign in which threat actors pose as a car insurer. The emails are short and sweet, and the messages themselves do not carry anything particularly malicious. In many cases they even contained a Google Ad link, which is likely why they managed to bypass secure email gateways (SEGs) and get into people’s inboxes.
The email tells victims that they are eligible for up to 10% of the last value of their car each year. Furthermore, if they have owned the car for several years, they are also entitled to all previous payouts. Given the current economic situation in the world, the promise of money is as interesting as ever, the researchers said.
Hijacking a legitimate website
For more information, victims are offered a link to the blawx(.)com website. This site was legitimate in the past, but was most likely recently compromised and repurposed for this campaign. It claims to provide downloadable “instructions” on how to claim the money, but the downloaded file is just a JavaScript file that later deploys the NetSupport Remote Access Trojan (RAT) to the device.
NetSupport Manager, from which the RAT is built, is a legitimate application designed for remote access and has been used by technical support engineers for more than 20 years. Over that time, it has also been hijacked and exploited by hackers, who use it to gain unauthorized access to target endpoints.
We don’t know how many people were targeted, or how many people fell for the ruse, but Cofense did describe the campaign as “relatively small.”