Phishers are using a bogus GDPR compliance reminder to trick recipients – employees of businesses across several industry verticals – into handing over their email login credentials.
“The attacker lures targets under the pretense that their email security is not GDPR compliant and requires immediate action. For many who are not versed in GDPR regulations, this phish could be merely taken as more red tape to contend with rather than being identified as a malicious message,” Area 1 Security researchers noted.
In this evolving campaign, the attackers targeted mostly email addresses they could glean from company websites and, to a lesser extent, emails of people who are high in the organization’s hierarchy (execs and upper management).
Any pretense will do for a phishing email, but when the targets are businesses the lure is far more effective if the message can pass as one sent from inside the organization. The attackers therefore tried to make the email look as if it came from the company’s “security services”, though some early mistakes on their part would have shown careful targets that it was sent from an outside email account (a Gmail address).
“On the second day of the campaign the attacker began inserting SMTP HELO commands to tell receiving email servers that the phishing message originated from the target company’s domain, when in fact it came from an entirely different origin. This is a common tactic used by malicious actors to spoof legitimate domains and easily bypass legacy email security solutions,” the researchers explained.
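A defender-side check for the HELO/EHLO trick the researchers describe, added here as an illustration (it is not code from the article or from Area 1 Security): it reads the Received header that the receiving MX wrote and flags a message whose HELO name claims the organization’s own domain while the connecting IP lies outside the organization’s relays, whose reverse DNS does not confirm the HELO name, or whose envelope sender domain differs from the From: header. The domain example.com, the relay range 192.0.2.0/24 and both sample messages are constructed for the example, and the Received line format assumed is the common “from HELO (rDNS [IP]) by …” style written by Postfix and Sendmail.

```python
"""Flag inbound mail whose SMTP HELO/EHLO name claims our own domain but which
arrived from outside our mail infrastructure (the spoof described above).

Added example, not code from the article or Area 1 Security. Constructed
assumptions: our domain is example.com, our outbound relays sit in
192.0.2.0/24, and our MX writes Received headers in the common
'from <helo> (<rdns> [<ip>]) by ...' form used by Postfix and Sendmail.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                            # constructed
OUR_RELAYS = [ipaddress.ip_network("192.0.2.0/24")]   # constructed allowlist

# "from HELO (rDNS [IP])": rDNS may be absent or the literal word "unknown".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]\)",
    re.IGNORECASE,
)


def parse_received(header_value):
    """Return (helo, rdns, ip) from one Received header, or None if unparseable."""
    m = RECEIVED_RE.search(" ".join(header_value.split()))
    if not m:
        return None
    return m.group("helo").lower(), (m.group("rdns") or "").lower(), m.group("ip")


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def ip_is_ours(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_RELAYS)


def check_helo_spoof(raw_message):
    """Examine the topmost Received header (the one our MX prepended) and
    return a list of (code, explanation) findings; an empty list means clean."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return [("no_received", "message has no Received header")]
    parsed = parse_received(received[0])
    if parsed is None:
        return [("unparseable", received[0])]
    helo, rdns, ip = parsed
    findings = []
    claims_ours = helo == OUR_DOMAIN or helo.endswith("." + OUR_DOMAIN)
    if claims_ours and not ip_is_ours(ip):
        findings.append(("helo_spoof",
                         f"HELO '{helo}' claims {OUR_DOMAIN} but {ip} is not one of our relays"))
    if rdns in ("", "unknown") or rdns != helo:
        findings.append(("rdns_mismatch",
                         f"reverse DNS '{rdns or 'none'}' does not confirm HELO '{helo}'"))
    envelope = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    header = domain_of(parseaddr(msg.get("From", ""))[1])
    if envelope and header and envelope != header:
        findings.append(("envelope_mismatch",
                         f"envelope sender domain {envelope} differs from From: domain {header}"))
    return findings


# Constructed sample resembling the campaign: HELO says example.com, but the
# connection came from an unrelated address and the envelope sender is Gmail.
PHISH_SAMPLE = """\
Received: from example.com (unknown [203.0.113.5])
\tby mx.example.com (Postfix) with ESMTP id 4AB12C
\tfor <alice@example.com>; Tue, 1 Sep 2020 10:00:00 +0000
Return-Path: <security.services.1234@gmail.com>
From: "Security Services" <security@example.com>
To: alice@example.com
Subject: GDPR compliance reminder

Your mailbox is not GDPR compliant. Log in to continue.
"""

# Constructed legitimate internal message for comparison.
LEGIT_SAMPLE = """\
Received: from mail1.example.com (mail1.example.com [192.0.2.10])
\tby mx.example.com (Postfix) with ESMTP id 4AB12D
\tfor <alice@example.com>; Tue, 1 Sep 2020 10:05:00 +0000
Return-Path: <hr@example.com>
From: HR <hr@example.com>
To: alice@example.com
Subject: Holiday calendar

Attached is the updated calendar.
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, check_helo_spoof(sample) or "clean")
```

Only the Received header added by your own MX is trustworthy; any earlier ones were written by the sender and can say anything, which is why the check looks at the first header only. In production the relay allowlist would come from your SPF record or gateway configuration rather than a constant.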
The phishing site
Following the link in the email takes victims to the phishing site, initially hosted on a compromised, outdated WordPress site.
The link is “personalized” with the target’s email address, so the HTML form on the malicious webpage auto-populates the username field with the correct email address (found in the URL’s “email” parameter). Despite the “generic” look of the phishing page, this capability can convince some users to log in.
Once the password is submitted, a script sends the credentials to the phishers and the victim is shown an error page.
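The “personalized” link pattern described in the two paragraphs above can be caught at the mail gateway before anyone sees the page. The following added example (not code from the article or the researchers) scans a message body for URLs and reports any whose query parameter or fragment carries the recipient’s own address, either in plain text, as in this campaign’s “email” parameter, or base64-encoded, which generalizes beyond the campaign described. The recipient address, the hosts and the body text are constructed.

```python
"""Find links that carry the recipient's own email address, the tell-tale sign
of a phishing page that pre-fills its username field from the URL.

Added example, not code from the article or Area 1 Security. Assumes a plain
text body with bare URLs; the recipient, hosts and body are constructed.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, unquote, urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Only values that look like base64 (no '@', '.', spaces) get a decode attempt.
B64_RE = re.compile(r"^[A-Za-z0-9_\-+/]{8,}={0,2}$")


def decoded_forms(value):
    """Yield (encoding, text) for the raw value and, if plausible, its base64 decoding."""
    text = unquote(value)
    yield "plain", text
    if not B64_RE.match(text):
        return
    padded = text + "=" * (-len(text) % 4)
    try:
        decoded = base64.urlsafe_b64decode(padded).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return
    if decoded.isprintable():
        yield "base64", decoded


def classify(text, recipient):
    """'recipient' if the value is the recipient's address, 'other_email' if it
    is some other address, None otherwise."""
    if text.lower() == recipient:
        return "recipient"
    if EMAIL_RE.match(text):
        return "other_email"
    return None


def find_prefilled_links(body_text, recipient):
    """Return one hit per URL whose query string or fragment embeds an email address."""
    recipient = recipient.lower()
    hits = []
    for url in URL_RE.findall(body_text):
        url = url.rstrip(".,;:)")           # strip trailing sentence punctuation
        parsed = urlparse(url)
        candidates = []
        for key, values in parse_qs(parsed.query, keep_blank_values=True).items():
            candidates.extend((key, v) for v in values)
        if parsed.fragment:
            candidates.append(("fragment", parsed.fragment))
        for where, raw in candidates:
            for encoding, text in decoded_forms(raw):
                kind = classify(text, recipient)
                if kind:
                    hits.append({"url": url, "host": parsed.hostname, "where": where,
                                 "encoding": encoding, "match": kind})
                    break
    return hits


# Constructed body: one plain 'email' parameter (as in the campaign), one
# base64 fragment, and a harmless corporate link that must not be flagged.
BODY_SAMPLE = """\
Your email security is not GDPR compliant. Verify your mailbox now:
http://compromised-site.example.net/wp-content/verify.php?email=alice@example.com
Alternative link: https://compromised-site.example.net/login#YWxpY2VAZXhhbXBsZS5jb20=
Company policy: https://www.example.com/policy?id=42.
"""

if __name__ == "__main__":
    for hit in find_prefilled_links(BODY_SAMPLE, "alice@example.com"):
        print(hit)
```

A link that embeds the recipient’s own address is not proof of phishing on its own (some legitimate unsubscribe and survey links do the same), so treat a hit as a signal to combine with sender reputation and the hostname, which here points at an unrelated WordPress site rather than the company’s domain.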
As always, users/employees are advised not to click on links in unsolicited emails and to avoid entering their credentials into unfamiliar login pages.
With fewer than 100 days left until Election Day, a new report from Area 1 Security reveals that states are still in widely varying stages of cybersecurity readiness.
Key findings include:
- The majority (53.24 percent) of state and local election administrators have only rudimentary or non-standard technologies to protect themselves from phishing
- Fewer than 3 out of 10 (28.14 percent) election administrators have basic controls to prevent phishing
- Fewer than 2 out of 10 (18.61 percent) election administrators have implemented advanced anti-phishing cybersecurity controls
- A surprising 5.42 percent of election administrators rely on personal email accounts or technologies designed for personal email (such as Yahoo!, Hotmail, AOL or others), to conduct their duties
- A number of election administrators independently manage their own custom email infrastructure, including using versions of Exim known to be targeted by cyber actors linked to the Russian military that interfered in prior U.S. elections.
Ninety-five percent of cybersecurity damages worldwide begin with phishing, and phishing campaigns come in all shapes and sizes. The majority of phishing campaigns begin with an innocuous and authentic email that individuals are unable to recognize as malicious. Consequently, the quality of email protection used by organizations and individuals has an inordinate bearing on their overall cybersecurity posture.
“Our elections are vital. They need to be resilient against whatever crisis the moment throws at us — and that requires resources and planning,” said Oren J. Falkowitz, co-founder of Area 1 Security. “However, most state and local election administrators are not very close to ensuring a safe election. This challenge is going to be exacerbated the longer it takes for them to get the resources and expertise needed to make changes.”
Security recommendations for state and local election administrators
Ending use of Exim email servers: Given the government’s guidance to update Exim to mitigate CVE-2019-10149 and other vulnerabilities including, but not limited to, CVE-2019-15846 and CVE-2019-16928, election administrators are urged to cease use of Exim. Upgrading alone does not mitigate exploitation. Prior Russian cyber activities directed towards U.S. elections make use of Exim ill-advised. For those who must continue running Exim, update to the latest version; running a version prior to 4.93 leaves a system vulnerable to disclosed vulnerabilities. Administrators can update Exim Mail Transfer Agent software through their Linux distribution’s package manager or by downloading the latest version.
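The 4.93 cut-off stated above is easy to turn into an inventory check. The following added example (not the article’s or Area 1 Security’s code) parses the version line printed by `exim -bV` and classifies a host as outdated when the build is older than 4.93; the sample outputs are constructed, and the assumed line format “Exim version 4.92 #3 built …” is the one current Exim builds print, so adjust the pattern if your build differs.

```python
"""Classify an Exim installation as outdated when its version is below 4.93.

Added example, not code from the article or Area 1 Security. Assumes 'exim -bV'
prints a first line like 'Exim version 4.92 #3 built 02-Feb-2019 11:43:22';
sample outputs below are constructed.
"""
import re
import shutil
import subprocess

MINIMUM = (4, 93)          # the cut-off named in the recommendation above
VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?")


def parse_exim_version(bv_output):
    """Return the version as a tuple of ints, e.g. (4, 92) or (4, 94, 2), or None."""
    m = VERSION_RE.search(bv_output)
    if not m:
        return None
    return tuple(int(part) for part in m.groups() if part is not None)


def is_below_minimum(version, minimum=MINIMUM):
    # Only major.minor decide; patch releases of 4.93 or later are fine.
    return version[:2] < minimum


def assess(bv_output):
    """('outdated' | 'current' | 'unknown', version_tuple_or_None)."""
    version = parse_exim_version(bv_output)
    if version is None:
        return ("unknown", None)
    return ("outdated" if is_below_minimum(version) else "current", version)


def assess_local_host():
    """Run 'exim -bV' on this host (Debian installs the binary as exim4)."""
    exe = shutil.which("exim") or shutil.which("exim4")
    if exe is None:
        return ("absent", None)
    result = subprocess.run([exe, "-bV"], capture_output=True, text=True, check=False)
    return assess(result.stdout)


# Constructed sample outputs for two hosts.
OLD_SAMPLE = "Exim version 4.92 #3 built 02-Feb-2019 11:43:22\nCopyright (c) University of Cambridge\n"
NEW_SAMPLE = "Exim version 4.94.2 #2 built 23-Mar-2021 09:12:01\nCopyright (c) University of Cambridge\n"

if __name__ == "__main__":
    for label, sample in (("host-a", OLD_SAMPLE), ("host-b", NEW_SAMPLE)):
        print(label, assess(sample))
    print("this host", assess_local_host())
```

Distribution packages sometimes backport fixes without bumping the upstream version string, so treat a “current” result as necessary but not sufficient and confirm against your distribution’s advisory for the CVEs named above.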
Transitioning to cloud email infrastructure: Running custom email infrastructure requires network administrators to be perfect every single day. Instead, Area 1 Security recommends the use of cloud email infrastructure such as Google’s GSuite or Microsoft’s Office 365 in combination with a cloud email security solution.
Ending use of personal email technologies for election duties: Under no circumstances should election administrators use personal email for the conduct or administration of elections.