In this attack, attackers are impersonating a major financial institution claiming to have received the recipient’s stimulus check, but needing the recipient to verify their account to release the funds. The attackers have created a full landing page to attempt to steal the recipient’s banking credentials. The campaign targets more than 50,000 users via Office 365, sending concealed malicious links that redirect to impersonated web pages of financial institutions, where login credentials would be demanded and sent to attackers.
As COVID-19 has induced an economic uncertainty, similar campaigns have been observed in different geographic locations, using the click-bait of COVID-19 relief funds. As the emails claim that this financial institution has placed the funds on hold until the user can sign in and “verify account ownership”, in such testing times people are more likely to login without confirmation. The URL is masked with a link, and the real URL takes victims to a site hosted at “https://theruncoach.icu/home.php”, controlled by attackers to steal the login credentials of victim’s bank account.
While this attack involved impersonation of one financial institution, similar attacks are underway that invoke an urgency, leaving the victims unable to scrutinize the email. The email even contained real links to the financial institution’s privacy statement, in addition to the fake landing page which would steal their credentials. The landing page was similarly elaborate, appearing almost exactly like the true bank landing page.
Similar phishing campaigns were seen targeting customers of many Pakistani banks last year by threatening an account block, so the tactic is not new. However, in times of financial instability, users may actually fall victim to such an attack.