Phishers Impersonate Proofpoint to Steal O365, Google Passwords


From Threatpost:

Phishers are impersonating Proofpoint, the cybersecurity firm, in an attempt to make off with victims’ Microsoft Office 365 and Google email credentials.

Researchers at Armorblox said they spotted one such campaign lobbed at an unnamed global communications company, with nearly a thousand employees targeted just within that one organization.

“The email claimed to contain a secure file sent via Proofpoint as a link,” they explained in a posting on Thursday. “Clicking the link took victims to a splash page that spoofed Proofpoint branding and contained login links for different email providers. The attack included dedicated login page spoofs for Microsoft and Google.”

The email lure was a file purportedly linked to mortgage payments. The subject line, “Re: Payoff Request,” was geared to fool targets into thinking it was part of ongoing correspondence, which adds an air of legitimacy while also lending urgency to the proceedings.

“Adding ‘Re’ to the email title is a tactic we have observed scammers using before – this signifies an ongoing conversation and might make victims click the email faster,” according to the analysis.

If users clicked on the “secure” email link embedded in the message, they were taken to the splash page with Proofpoint branding and the login spoofs.

“Clicking on the Google and Office 365 buttons led to dedicated spoofed login flows for Google and Microsoft respectively,” researchers explained. “Both flows asked for the victim’s email address and password.”

Attacks like these use social engineering, brand impersonation and legitimate infrastructure to bypass traditional email security filters and users’ eye tests. To protect against such campaigns, Armorblox offered the following advice:

  1. Be aware of social engineering: Users should subject email to an eye test that includes inspecting the sender name, sender email address, language within the email and any logical inconsistencies within the email (e.g. Why is the email coming from a .fr domain? Why is a mortgage-related notification coming to my work email?).
  2. Shore up password hygiene: Deploy multi-factor authentication (MFA) on all possible business and personal accounts, don’t use the same password on multiple sites/accounts and avoid using passwords that tie into publicly available information (date of birth, anniversary date, etc.).
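
The sender, subject and consistency checks from item 1 can be partly automated at the header level. The Python sketch below is an added example, not code from Armorblox or Threatpost: the two sample messages are constructed, and the brand-to-domain map, the expected-TLD set and the premise that a fabricated "Re:" subject arrives without threading headers are assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed, organization-maintained values (not from the article).
BRAND_DOMAINS = {"proofpoint": {"proofpoint.com"}}
EXPECTED_TLDS = {"com", "net", "org"}

# Constructed sample messages; addresses and URLs are placeholders.
SAMPLE_LURE = b"""\
From: "Proofpoint Secure Share" <notify@mailer.example.fr>
To: employee@corp.example.com
Subject: Re: Payoff Request

You have received a secure file via Proofpoint: https://files.example.invalid/view
"""
SAMPLE_REPLY = b"""\
From: "Dana" <dana@partner.example.com>
To: employee@corp.example.com
Subject: Re: Q3 invoice
In-Reply-To: <1234@corp.example.com>

Thanks, received.
"""

def lure_signals(raw: bytes) -> list[str]:
    """Return heuristic flags for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    subject = str(msg.get("Subject", ""))
    signals = []
    # A "Re:" subject with no In-Reply-To/References claims a thread that does not exist.
    threaded = msg.get("In-Reply-To") or msg.get("References")
    if subject.lower().lstrip().startswith("re:") and not threaded:
        signals.append("reply-subject-without-thread")
    # Brand named in display name, subject or body, but the sender domain is not the brand's.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = " ".join([display, subject, body.get_content() if body else ""]).lower()
    for brand, domains in BRAND_DOMAINS.items():
        owned = any(domain == d or domain.endswith("." + d) for d in domains)
        if brand in text and not owned:
            signals.append(f"brand-mismatch:{brand}")
    # Sender TLD outside what this organization normally corresponds with.
    if domain.rpartition(".")[2] not in EXPECTED_TLDS:
        signals.append("unexpected-sender-tld")
    return signals
```

These flags are triage signals to combine with SPF/DKIM/DMARC results and link inspection, not a verdict on their own.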
