Rewterz Threat Alert – Phishing Campaign Stealing Company Credentials

Severity

Medium

Analysis Summary

Attackers are utilizing targeted company’s homepage as part of a phishing attack aimed at acquiring credentials. This campaign attempts to imitate the technical support team of the employee’s company and claims that the company’s email security service has quarantined three messages, blocking them from entering the inbox. It then prompts that those messages need to be reviewed in order to confirm validity, as two of these emails are considered valid and are being held for deletion. This could potentially lead the employee to believe that the messages could be important to the company and entice the employee to review the held emails urgently before deletion. Potential loss of important documents or emails could make the employee more inclined to interact with this email.

Hovering over the “Review Messages Now” shows the malicious URL.

Upon interacting with the link, the user will be directed to a phishing page unique to the employees’ company. It’s a login screen on the company website. However, further analysis has determined that the page shown is actually the company’s website home page with a fake login panel covering it. The overlay attempts to prompt the user to sign in to access the company account. The entered credentials are then sent to the threat actor, giving them access to the target’s company account. 

Impact

• Credential Theft
• Account Compromise

Indicators of Compromise

Domain Name

• traximgarage[.]com

From Email

• google[.]com@ashousingcompany[.]com

URL

• hxxp[:]//google[.]com@ashousingcompany[.]com/www/?email=
• hxxp[:]//traximgarage[.]com/www/webmail-std/appsuite/1ogin/mai1/

Remediation

• Block the threat indicators at their respective controls. 
• If such an email is received, confirm from your technical support team before entering credentials on any page.