Serviceteam IT Security News

Bad actors have launched a phishing campaign that aims to infect supporters of President Donald Trump with a dangerous banking Trojan. 

The malicious campaign was detected by Area 1 Security on August 21. Victims are enticed to open messages that appear to be from legitimate political action committees (PACs) but are in fact fake.

The messages refer to highly publicized political issues and events and feature subject lines prefaced with “Fwd:” and “RE:”. Deceived victims who take the bait have their systems attacked by Emotet malware.

“The attacker forwards a legitimate PAC mailer to develop a false sense of legitimacy, with entirely authentic content throughout the body of the message,” noted researchers. “Every link works and leads to benign web pages of the impersonated PAC.”

The Emotet downloader is contained in a Microsoft Word document attached to the malicious email.

Attackers were observed seeking to leverage media attention on the president’s decision to temporarily withhold funding from the World Health Organization pending the outcome of a formal investigation into the global health agency’s response to the Covid-19 pandemic. 

Researchers said: “Like a Wolf in sheep’s clothing, the attacker cleverly disguises their Emotet delivery mechanism as messaging about timely and highly publicized, hot-button issues in politics.”

One email, sent with the subject “Fwd:Breaking: President. Trump suspends funding to WHO,” called for recipients who agreed with the suspension of funding to click a button labeled “Stand with Trump.” The attacker used Display Name Spoofing in an effort to hide the sender’s real address. 

While the sender addresses used to spread the WHO-themed phishing messages varied, all were observed to have come from legitimate accounts that had been compromised by the attacker. Because the mail genuinely originated from the compromised sender's own domain and mail servers, this tactic allowed the attacker to pass email authentication checks such as DMARC.
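The two signals described above, a display name that claims one sender while the address belongs to another, and a DMARC pass that proves nothing when the sending account itself is compromised, can be checked at triage time. The following is an added example, not code from the article or from Area 1 Security; the PAC name, domains, allowlist and sample message are all constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical allowlist: display-name keyword of an impersonated sender -> its real domains.
IMPERSONATED_SENDERS = {"example pac": {"examplepac.org"}}
OFFICE_EXTS = (".doc", ".docm", ".docx")

def triage(raw: bytes) -> list[str]:
    """Return findings for one raw RFC 822 message; an empty list means nothing flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    display_name, address = parseaddr(str(msg.get("From", "")))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    # 1. Display name claims an impersonated sender, but the address domain is not theirs.
    for keyword, legit_domains in IMPERSONATED_SENDERS.items():
        if keyword in display_name.lower() and domain not in legit_domains:
            findings.append(f"display-name spoofing: '{display_name}' sent from {domain}")
    # 2. DMARC pass is not a clean bill of health: the campaign sent from compromised
    #    legitimate accounts, so a pass alongside a spoofed display name is itself a signal.
    if "dmarc=pass" in str(msg.get("Authentication-Results", "")).lower() and findings:
        findings.append("dmarc=pass despite spoofed display name: likely compromised account")
    # 3. Forwarded/reply-style subject carrying an Office attachment, as in the lure.
    subject = str(msg.get("Subject", "")).strip().lower()
    office_attached = any((p.get_filename() or "").lower().endswith(OFFICE_EXTS)
                          for p in msg.iter_attachments())
    if subject.startswith(("fwd:", "re:")) and office_attached:
        findings.append("forwarded-style subject with Office document attached")
    return findings

# Constructed sample mirroring the described lure (every address and name is fictitious).
SAMPLE = b"""From: Example PAC <accounts@small-business.example>
Subject: Fwd:Breaking: President. Trump suspends funding to WHO
Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Stand with Trump
--b1
Content-Type: application/msword; name="statement.doc"
Content-Disposition: attachment; filename="statement.doc"

AAAA
--b1--
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Run against the constructed sample, the check reports all three findings; a message from the allowlisted domain with an ordinary subject and no attachment reports none.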

Using hijacked legitimate email addresses would also have made it very difficult for victims to grasp the fact that they were being duped by a cyber-criminal. 

Researchers found that compromised email accounts of several small businesses around the world were used in each wave of the campaign that lured victims with the same stolen PAC email content.

Source: Infosecurity Magazine
