Updated August 15, 2023 7:00AM EST
Our SOC team recently identified several new phishing campaigns that are affecting global businesses.
Details of the campaigns are as follows:
Global Phishing #1
- Sender: uksankis@mlcorp.com.ni
- Subject: Accounts Payable Report as at <Day of the Week, and Date>
- Targeted Industry: Automotive, Technology, Healthcare, Education
- Analysis:
  - The sender uses the name of a C-level executive within the targeted company to appear more legitimate.
  - The sender asks for an aging report that includes customer contact information.
  - We have identified these emails as executive impersonation emails.
  - The sender's domain is hosted in Nicaragua (.ni) and appears to host a wholesale and retail business that focuses on imports, exports, and real estate investments.
  - We are unaware if this domain has experienced a compromise.
Global Phishing #2
- Sender: gregory.granados@utsa.edu
- Subject: You have new held messages
- Targeted Industry: Religious, Automotive, Charities, Education, Agriculture, Technology
- Analysis:
  - The sender uses the display name: Notification@<Company Domain>.<extension>
  - The sender attempts to impersonate a Microsoft notification about held (quarantined) messages.
  - The email content asks the recipient to review a given number of incoming messages.
  - A blue button within the email content asks the recipient to review the messages.
  - The email content contains malicious embedded links.
  - The domain utsa.edu belongs to the University of Texas at San Antonio.
  - We notified the institution regarding the potentially compromised email account.
  - We did not receive confirmation of the compromise and are unable to comment further.
Global Phishing #3
- Sender: lc@crandallonstjohn.com
- Subject: Payment Scheduled Notification
- Targeted Industry: Automotive
- Analysis:
  - The sender uses the display name: DoNotReplyACHSecurePaymentPortal@billtrust.com
  - The display name impersonates a Billtrust ACH payment portal notification.
  - The sender attaches an HTM file named: #20374008 .htm
  - The file can redirect the end user to a malicious webpage.
  - The domain crandallonstjohn.com hosts an island vacation website focused on the Virgin Islands.
  - We are unaware if this domain has experienced a compromise.
Global Phishing #4
- Sender: diaf.2789@apside-groupe.com
- Subject: <Username of Recipient>, Your organization (<Company Name>) has shared a secure document with you "<Company Name>_Updated & Revised Contracts" - Download enclosed to review & sign
- Targeted Industry: Education, Technology, Religious, Automotive
- Analysis:
  - The sender uses the display name: notifications@<Company Domain>.com
  - The sender attempts to impersonate a company email address to appear more legitimate.
  - The sender attaches an HTM file named: Updated & Revised Contracts_Weds Aug 9.htm (2.7 KB)
  - The file can redirect the end user to a malicious webpage.
  - The domain apside-groupe.com redirects to apside.com.
  - The domain apside.com appears to host a French IT company.
  - We are unaware if apside-groupe.com is affiliated with apside.com.
  - We are unaware if this domain has experienced a compromise.
Global Phishing #5
- Sender: postmaster@zestkurashiki.com
- Subject: vm197219721972 For <Recipient's Email Address> On, <Date and Time>
- Targeted Industry: Automotive
- Analysis:
  - The sender uses the display name: <Company Name>@<Company Domain>.com
  - The sender attempts to impersonate a company email address to appear more legitimate.
  - The sender attaches an HTM file named: Play_vm663666366636_wav.htm (2.7 KB)
  - The file name is chosen to make the HTM attachment look like a WAV voicemail recording.
  - The file can redirect the end user to a malicious webpage.
  - The domain zestkurashiki.com hosts a Japanese real estate agency that focuses on the open house market.
  - We are unaware if this domain has experienced a compromise.
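Campaigns #3 through #5 all carry a small .htm attachment whose only job is to bounce the reader to a credential-harvesting page, and #5 names the file so it passes for a WAV voicemail. The Python below is an added example written for this page, not code from the Vector Choice advisory or its SOC tooling: it statically scores an HTML attachment for redirect and obfuscation primitives, extracts the destination URL (including one hidden behind atob()), and flags file names that hint at audio or office documents. The three attachment bodies are constructed stand-ins named after the files in #3 and #5 plus a benign control; the .invalid hostnames are placeholders, not observed indicators.

```python
"""Static triage of HTM/HTML e-mail attachments that exist only to redirect.

Added example written for this page, not code from the Vector Choice advisory.
SAMPLE_ATTACHMENTS are constructed stand-ins that mimic the behaviour the
advisory describes (a small HTML file that bounces the reader to a
credential-harvesting page); they are not the real attachments, and the
.invalid hostnames are placeholders.
"""
import base64
import re

# Redirect and obfuscation primitives typical of redirector / HTML-smuggling attachments
RULES = [
    ("META_REFRESH", re.compile(r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh", re.I)),
    ("JS_LOCATION", re.compile(
        r"\b(?:window|document|top|self)\.location(?:\.href|\.replace|\.assign)?\s*[=(]"
        r"|\blocation\.(?:href|replace|assign)\s*[=(]", re.I)),
    ("ATOB_DECODE", re.compile(r"\batob\s*\(", re.I)),
    ("DOC_WRITE", re.compile(r"document\.write(?:ln)?\s*\(", re.I)),
    ("UNESCAPE", re.compile(r"\b(?:unescape|decodeURIComponent)\s*\(", re.I)),
    ("PASSWORD_FIELD", re.compile(r"type\s*=\s*[\"']?password", re.I)),
]
URL = re.compile(r"https?://[^\s\"'<>)]+", re.I)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# File names hinting at audio or office documents although the content is HTML (#5's *_wav.htm)
DISGUISE = re.compile(r"(?:^|[^a-z0-9])(?:wav|mp3|pdf|docx?|xlsx?)(?:[^a-z0-9]|$)")


def decoded_blobs(text):
    """Yield the text of every base64 blob in the file so URLs hidden in atob() show up."""
    for blob in B64_BLOB.findall(text):
        try:
            yield base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:  # not base64 after all (binascii.Error subclasses ValueError)
            continue


def triage_htm(filename, data):
    """Score one attachment; returns verdict, matched rules and any destination URLs."""
    text = data.decode("utf-8", "replace")
    hits = [tag for tag, rx in RULES if rx.search(text)]
    urls = set(URL.findall(text))
    for decoded in decoded_blobs(text):
        found = URL.findall(decoded)
        if found or "<script" in decoded.lower():
            if "B64_PAYLOAD" not in hits:
                hits.append("B64_PAYLOAD")
            urls.update(found)
    stem = re.sub(r"\.html?$", "", filename.lower())
    if DISGUISE.search(stem):
        hits.append("DISGUISED_EXTENSION_HINT")
    if "META_REFRESH" in hits or "JS_LOCATION" in hits:
        verdict = "redirector"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"file": filename, "size": len(data), "verdict": verdict,
            "hits": hits, "urls": sorted(urls)}


def _b64(s):
    return base64.b64encode(s.encode()).decode()


SAMPLE_ATTACHMENTS = {  # constructed stand-ins named after #5 and #3, plus a benign control
    "Play_vm663666366636_wav.htm":
        b'<html><head><meta http-equiv="refresh" content="0;url=https://redirect.invalid/vm">'
        b"</head><body>Loading your voicemail...</body></html>",
    "#20374008 .htm":
        ('<html><body><script>window.location.href=atob("'
         + _b64("https://pay.invalid/portal") + '");</script></body></html>').encode(),
    "meeting-notes.htm":
        b"<html><body><h1>Meeting notes</h1><p>Plain HTML, no scripts.</p></body></html>",
}


def triage_all(attachments=SAMPLE_ATTACHMENTS):
    return {name: triage_htm(name, body) for name, body in attachments.items()}


if __name__ == "__main__":
    for name, result in triage_all().items():
        print(f"{result['verdict']:10} {name} ({result['size']} bytes) {result['hits']} {result['urls']}")
```

The extracted URLs are the indicators worth feeding into web-proxy blocks and mailbox searches; the attachment itself is disposable and changes name per campaign. The rule set is intentionally coarse: a benign HTML newsletter with a login form will score as suspicious, which is the intended bar for an attachment type that has no business arriving from an unknown external sender.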
Global Phishing #6
- Sender: ingrid@mygym.jp
- Subject: **Final Statement Invoices** PAID Invoices S17792 & W22139 - Remittance Advise K2587 ZX250 & K2572 ZX135
- Targeted Industry: Construction, Automotive, Education
- Analysis:
  - The sender uses the display name: Remits@<Company Domain>.com
  - The sender attempts to impersonate a company email address to appear more legitimate.
  - The sender attaches an HTM file named: ACH_Remittance.htm (7.4 KB)
  - The file can redirect the end user to a malicious webpage.
  - The domain mygym.jp appears to host a Japanese children's fitness center.
  - We are unaware if this domain has experienced a compromise.
Global Phishing #7
- Sender: noreply@amreenit.com
- Subject: Pay Application #3 [ FW: Re: Payment receipt -#AP4194] <Date and Time>
- Targeted Industry: Construction, Automotive
- Analysis:
  - The sender uses the display name: ACH.Department@<Company Name>.com
  - The sender attempts to impersonate a company email address to appear more legitimate.
  - The sender attaches an HTML file named: Credit-ACH39145110885380-copy(1).html (4.6 KB)
  - The file can redirect the user to a malicious webpage.
  - The domain amreenit.com appears to host an IT service and consulting webpage.
  - We are unaware of any compromise associated with this domain.
Global Phishing #8
- Sender: ub-itagawa@cjs.ne.jp
- Subject: Automated: Incoming Wire Transfer
- Targeted Industry: Technology, Education, Healthcare, Agriculture, Automotive
- Analysis:
  - The sender uses the display name: Wire.Room@wellsfargo.com
  - The sender attempts to impersonate a financial institution (Wells Fargo Bank).
  - The sender attaches an HTM file named: CustomerRef#3389XXX.htm (38.7 KB)
  - The file can redirect the user to a malicious webpage.
  - The domain cjs.ne.jp appears to host a Japanese apartment listing webpage.
  - We are unaware of any compromise associated with this domain.
Global Phishing #9
- Sender: mehr-talousuu@cjs.ne.jp
- Subject: Automated: Incoming Wire Transfer
- Targeted Industry: Education, Automotive, Energy, Agriculture
- Analysis:
  - The sender uses the display name: Wire.Room@wellsfargo.com
  - The sender attempts to impersonate a financial institution (Wells Fargo Bank).
  - The sender attaches an HTM file named: CustomerRef#3389XXX.htm (38.7 KB)
  - The file can redirect the user to a malicious webpage.
  - This campaign uses the same display name, subject, and attachment as Global Phishing #8; only the sending account differs.
  - The domain cjs.ne.jp appears to host a Japanese apartment listing webpage.
  - We are unaware of any compromise associated with this domain.
Global Phishing #10
- Sender: esaka@cjs.ne.jp
- Subject: Hi, you have 1 VM on <Insert Date>. Refer below to listen.
- Targeted Industry: Education, Healthcare, Automotive, Energy
- Analysis:
  - The sender uses the display name: <Company Domain Name> Fax-Call Notification /O=EXT#EXCHANGE=<Recipient's Email Address>=RECIPIENTS/=
  - The trailing /O=EXT#EXCHANGE=...=RECIPIENTS/= fragment mimics an Exchange-style internal address; it appears the sender was unable to get the display name formatting correct.
  - The sender attaches an HTM file named: +1816652902-0801-94135.htm (40.6 KB)
  - The file can redirect the user to a malicious webpage.
  - The file name resembles a phone number; our research found that it is not a valid phone number.
  - There is no content within the email body.
  - The domain cjs.ne.jp appears to host a Japanese apartment listing webpage.
  - We are unaware of any compromise associated with this domain.
Global Phishing #11
- Sender: kobe-motomachi@cjs.ne.jp
- Subject: New V-Message from (816) 652-9*** on <Insert Date and Time>. Refer below to listen
- Targeted Industry: Healthcare, Education, Automotive
- Analysis:
  - The sender uses the display name: <Company Domain Name> Phone Call Notification /O=EXT#EXCHANGE=<Recipient's Email Address>=RECIPIENTS/=
  - The trailing /O=EXT#EXCHANGE=...=RECIPIENTS/= fragment mimics an Exchange-style internal address; it appears the sender was unable to get the display name formatting correct.
  - The sender attaches an HTM file named: +1816652902-0801-94135.htm (40.6 KB), the same attachment used in Global Phishing #10.
  - The file can redirect the user to a malicious webpage.
  - The file name resembles a phone number; our research found that it is not a valid phone number.
  - There is no content within the email body.
  - The domain cjs.ne.jp appears to host a Japanese apartment listing webpage.
  - We are unaware of any compromise associated with this domain.
Global Phishing #12
- Sender: support@beyoung.in
- Subject: VM for <Recipient's Username> @ <Company Name> from a caller at 15829901114 left you a message 19 second(s) long
- Targeted Industry: Automotive
- Analysis:
  - The sender uses the display name: +18008291040@voice2mail.us
  - The display name uses the IRS's 1-800 number (1-800-829-1040) as the address's local part to make the email appear more legitimate.
  - The sender attaches an HTM file named: IRS-SECURED-DOC.HTM (782 bytes)
  - The file can redirect the user to a malicious webpage.
  - The email content is consistent across all instances we have seen. The email body states:
    - Notice from IRS.GOV
    - Message received on <Date and Time>
    - Message Transcript "Your IRS Letter"
  - The domain beyoung.in appears to host an apparel website.
  - We are unaware of any compromise associated with this domain.
Global Phishing #13
- Sender: hayashi@nts-web.biz
- Subject: VM for <Recipient's Username> @ <Company Name> from a caller at 15829901114 left you a message 19 second(s) long
- Targeted Industry: Automotive, Technology, Construction, Education, Healthcare
- Analysis:
  - The sender uses the display name: +18008291040@voice2mail.us
  - The display name uses the IRS's 1-800 number (1-800-829-1040) as the address's local part to make the email appear more legitimate.
  - The sender attaches an HTM file named: IRS-SECURED-DOC.HTM (782 bytes)
  - The file can redirect the user to a malicious webpage.
  - The email content is consistent across all instances we have seen and matches Global Phishing #12. The email body states:
    - Notice from IRS.GOV
    - Message received on <Date and Time>
    - Message Transcript "Your IRS Letter"
  - The domain nts-web.biz appears to host a Japanese webpage for chemical compounds.
  - We are unaware of any compromise associated with this domain.
Global Phishing #14
- Sender: frontdesk@brisklearning.com
- Subject: Scanned: 2 pages - <Insert Company Name> Reference Number#456782 On <Insert Date and Time>
- Targeted Industry: Charities, Education, Construction, Religious
- Analysis:
  - The sender uses the display name: Scanner@<Company Domain Name>.com
  - The sender attempts to impersonate a company email address to appear more legitimate.
  - The sender attempts to impersonate a scan/fax notification.
  - The sender attaches an HTM file named: SecuredScanner.htm (13.7 KB)
  - The file can redirect the user to a malicious webpage.
  - The domain brisklearning.com appears to host an education webpage focused on creating exam papers and other learning activities.
  - We are unaware of any compromise associated with this domain.
Global Phishing #15
- Sender: cesar.pedrollo@orgafarma.com.br
- Subject: Notice: <Recipient's Email Address> On <Insert Day of the Week, Date, and Time>
- Targeted Industry: Education, Construction, Automotive, Religious, Technology
- Analysis:
  - The sender uses the display name: IT@<Company Domain Name>.com
  - The sender attempts to impersonate a company email address to appear more legitimate.
  - The sender uses an image to make the email content look like a DocuSign notification.
  - The email is a fake DocuSign notification with malicious embedded links in the content.
  - The sender's domain, orgafarma.com.br, appears to be hosted in Brazil and redirects to grupoorgafarma.com.br/portal/.
  - The redirected webpage appears to host an online pharmacy.
  - We are unaware whether the sending domain is associated with the company it redirects to.
  - We are unaware of any compromise associated with these webpages or domains.
Global Phishing #16
- Sender: tamaki3<Recipient's Username>@toua-u.ac.jp
- Subject: This is confirmation for the ACH payment sent today Processed on <Insert Date and Time>
- Targeted Industry: Construction, Automotive
- Analysis:
  - The sender uses the display name: <Recipient's Email Address>
  - The sender spoofs and/or obfuscates the sending address to appear more legitimate and to evade detection.
  - The local part of the sender's address changes with each recipient: a fixed prefix (tamaki3) followed by the recipient's username, so no two targets see the same sender address.
  - The sender attaches an HTM file named: Auto ACH Confirmation-6723604.htm (2.7 KB)
  - The file can redirect the user to a malicious webpage.
  - The domain toua-u.ac.jp appears to host a Japanese university, Toua University (東亜大学).
  - We are unaware of any compromise associated with these webpages or domains.
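Nearly every campaign above relies on one header trick: the display name is an address on the victim's own domain (#2, #4, #14), a bank's or vendor's address (#3, #8), a phone number (#12), an Exchange-style string (#10, #11), or the recipient's own address (#16), while the real address in angle brackets belongs to an unrelated compromised account. The Python below is an added example written for this page, not code from the Vector Choice advisory or its SOC tooling: it separates the display name from the real address and reports which of those patterns a From: header matches. The sample headers are constructed from the advisory's patterns; company.example and the recipient jdoe@company.example are placeholders, and wellsfargo.com and billtrust.com are the brand domains the advisory names.

```python
"""Flag From: headers whose display name impersonates an address or brand.

Added example written for this page, not code from the Vector Choice advisory.
SAMPLE_HEADERS are constructed from the display-name patterns the advisory
describes: company.example stands in for the targeted company's domain and
jdoe@company.example for a recipient; both are placeholders, not observed values.
"""
import re

# An address-looking token anywhere in the display name, e.g. Notification@company.example
ADDR_LIKE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# A local part that is really a phone number, e.g. +18008291040@voice2mail.us
PHONE_LOCAL = re.compile(r"^\+?\d{10,}@")
# The real address is the trailing <...> token of the header
ANGLE_ADDR = re.compile(r"<([^<>]+)>\s*$")


def split_from(header):
    """Return (display_name, address) for a From: value.

    email.utils.parseaddr is deliberately not used: given an unquoted
    'Notification@company.example <real@other.tld>' it reports the display
    name as the address and never returns the real <...> part.
    """
    header = header.strip()
    m = ANGLE_ADDR.search(header)
    if not m:
        return "", header  # bare address, no display name
    display = header[: m.start()].strip().strip('"').strip()
    return display, m.group(1).strip()


def domain_of(address):
    return address.rpartition("@")[2].lower()


def analyze_from(header, our_domain, recipient=None, brand_domains=frozenset()):
    """Return the impersonation indicators found in one From: header, in check order."""
    our_domain = our_domain.lower()
    display, address = split_from(header)
    real_domain = domain_of(address)
    findings = []

    m = ADDR_LIKE.search(display)
    if m:
        claimed = domain_of(m.group(0))
        if claimed != real_domain:  # name claims one domain, the real address is on another
            if claimed == our_domain or claimed.endswith("." + our_domain):
                findings.append("INTERNAL_ADDRESS_IN_DISPLAY_NAME")
            elif claimed in brand_domains:
                findings.append("BRAND_ADDRESS_IN_DISPLAY_NAME")
            else:
                findings.append("FOREIGN_ADDRESS_IN_DISPLAY_NAME")
        if PHONE_LOCAL.match(m.group(0)):
            findings.append("PHONE_NUMBER_AS_LOCAL_PART")

    # Exchange-style "/O=...=RECIPIENTS/=" text pasted into the display name (#10, #11)
    if re.search(r"/O=.*RECIPIENTS", display, re.IGNORECASE):
        findings.append("EXCHANGE_DN_IN_DISPLAY_NAME")

    if recipient:
        recipient = recipient.lower()
        if display.lower() == recipient:
            findings.append("DISPLAY_NAME_IS_RECIPIENT")
        # Sender local part built around the recipient's own username (#16)
        rcpt_user = recipient.partition("@")[0]
        sender_user = address.lower().partition("@")[0]
        if real_domain != our_domain and rcpt_user and rcpt_user in sender_user:
            findings.append("RECIPIENT_USERNAME_IN_SENDER")
    return findings


BRAND_DOMAINS = frozenset({"wellsfargo.com", "billtrust.com"})  # brands named in the advisory

SAMPLE_HEADERS = [  # (From: value, recipient) pairs; constructed, not captured mail
    ("Notification@company.example <gregory.granados@utsa.edu>", None),
    ('"Wire.Room@wellsfargo.com" <ub-itagawa@cjs.ne.jp>', None),
    ('"+18008291040@voice2mail.us" <support@beyoung.in>', None),
    ('"company.example Fax-Call Notification /O=EXT#EXCHANGE=jdoe@company.example=RECIPIENTS/=" <esaka@cjs.ne.jp>', "jdoe@company.example"),
    ("jdoe@company.example <tamaki3jdoe@toua-u.ac.jp>", "jdoe@company.example"),
    ("Jane Doe <jane.doe@company.example>", "jdoe@company.example"),
]


def scan(headers=SAMPLE_HEADERS, our_domain="company.example"):
    """Map each header to its findings; an empty list means nothing matched."""
    return {h: analyze_from(h, our_domain, rcpt, BRAND_DOMAINS) for h, rcpt in headers}


if __name__ == "__main__":
    for header, findings in scan().items():
        print("FLAG" if findings else "ok  ", header)
        for f in findings:
            print("      ", f)
```

The INTERNAL_ADDRESS_IN_DISPLAY_NAME case is the one worth turning into a mail-flow rule: an external sender whose display name contains your own domain has no legitimate reason to exist once internal mail is authenticated. The brand and foreign-address cases need a vendor allow list first, since some legitimate notification services do put their own address in the display name.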
Global Phishing #17
- Sender: pon.palani@righttalents.net
- Subject: Reminder: Action needed for <Company Name>
- Targeted Industry: Healthcare, Automotive
- Analysis:
  - The sender uses the display name: Password Notification@<Company Domain Name>.com
  - The display name makes the email appear to come from inside the company.
  - The sender creates urgency by stating that the recipient's password is expiring today.
  - The email is a fake Microsoft 365 notification asking the user to verify their current password via a button labeled "Keep My Password".
  - The email content contains malicious embedded links.
  - The domain righttalents.net appears to belong to an IT recruiting company.
  - We are unaware of any compromise associated with this domain.
Global Phishing #18
- Sender: ben@integrityenergysolutions.co.uk
- Subject: Action Required: Payment Notification on <Insert Date>. View Attached
- Targeted Industry: Healthcare
- Analysis:
  - The sender uses the display name: Accounts Payables Invoice entry AR@<Company Domain Name>.com
  - The sender attempts to impersonate a company email address so the email appears to have been sent from within the company.
  - The sender attaches an HTM file named: Statement.htm (2.3 KB)
  - The email content includes a disclaimer from Opal, a company based in Australia and New Zealand.
  - The domain integrityenergysolutions.co.uk appears to host a webpage for electrical contracting and installation.
  - We are unaware of any compromise associated with this domain.
Global Phishing #19
- Sender: pod@greatcentralinc.com
- Subject: File shared with you: "Account Statments"
- Targeted Industry: Technology, Healthcare, Automotive
- Analysis:
  - The sender uses the display name: Donotreply@<Company Name>SharedFileNotificationSupportfiledelivery.pdf
  - The sender attaches an HTML file named: DOC947-1042396.html (4.2 KB)
  - The sender embeds an image in the email content to make the email appear more legitimate.
  - The image states that the email is from Microsoft Teams TimeSheets.
  - The image asks the user to open the attachment and review their timesheet for accuracy.
  - The sender is baiting the recipient into opening the attachment.
  - The domain greatcentralinc.com appears to host a Southern California transportation company's webpage.
  - We are unaware of any compromise associated with this domain.
Global Phishing #20
- Sender: info@revivecolorado.net
- Subject: Payment Scheduled Notification
- Targeted Industry: Automotive
- Analysis:
  - The sender uses the display name: ACHDoNotReplyACHSecurePaymentPortal@billtrust.com
  - The display name impersonates a Billtrust payment portal notification to appear more legitimate; the subject and display name follow the same pattern as Global Phishing #3.
  - The sender attaches an HTM file named: Scanner0000276 .htm (12.8 KB)
  - The file can redirect the user to a malicious webpage.
  - The domain revivecolorado.net appears to host a webpage associated with ketamine therapy.
  - We are unaware of any compromise associated with this domain.
Special Notes:
Global Phishing Events #8, #9, #10, and #11 are all sent from the same domain (cjs.ne.jp) through four different accounts. Because of the persistent nature of these senders, and because we cannot tell how many further accounts on that domain have been compromised, we are adding the sender's domain to the block list.
Global Phishing Events #12 and #13 use the same template and the same attachment name. The two events are nearly identical, but the sender uses two different email addresses, most likely to evade security measures that block on the sender address. We recommend advising your team members to watch for the described indicators and to mark emails that match them as junk.
Global Phishing Event #16 targets multiple users within the same company and changes the local part of the sender's address (the portion before the @) to match each recipient's username. Because of the persistent nature of this campaign and the ever-changing sender address, which defeats blocking individual addresses, we are adding the sender's domain to the block list.
Remediation: Delete these emails and block the sender's email address if they appear in your inbox. Do not open the HTM/HTML attachments or click the embedded links.
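The notes above apply two escalation rules: a domain seen sending from several distinct compromised accounts (#8 to #11) gets a domain-level block, and a sender whose local part is rebuilt per recipient (#16) also gets a domain-level block because address blocking cannot keep up. The Python below is an added example written for this page, not Vector Choice's block-list tooling: it applies those rules to the sender addresses listed in this advisory and emits anchored regex patterns a mail filter can consume. The recipient usernames jdoe and asmith on the #16 rows are placeholders for the usernames the advisory describes but does not list, and the threshold of three distinct accounts per domain is an assumption.

```python
"""Turn observed phishing senders into address- or domain-level block rules.

Added example written for this page, not Vector Choice's block-list tooling.
OBSERVED lists sender addresses from the advisory; the recipient usernames on
the #16 rows (jdoe, asmith) are placeholders, because the advisory states
only that the local part embeds each recipient's username. The threshold of
three distinct accounts per domain is an assumption.
"""
import re
from collections import defaultdict


def recommend_blocks(observations, min_distinct_senders=3):
    """observations: (campaign, sender_address, recipient_username_or_None) tuples.

    Returns rules as dicts with target, action, pattern (anchored regex over the
    lower-cased sender address) and reason. A domain whose local part is a fixed
    stem plus the recipient's username also gets narrow_pattern, which matches
    only that sender shape rather than the whole domain.
    """
    by_domain = defaultdict(list)
    for campaign, sender, rcpt in observations:
        local, _, domain = sender.lower().rpartition("@")
        by_domain[domain].append((campaign, local, (rcpt or "").lower()))

    rules = []
    for domain, rows in sorted(by_domain.items()):
        esc = re.escape(domain)
        campaigns = ", ".join(sorted({c for c, _, _ in rows}))
        locals_seen = sorted({local for _, local, _ in rows})
        # Recipient-derived local parts (#16): strip the username and keep the stem
        stems = {local[: len(local) - len(r)] for _, local, r in rows if r and local.endswith(r)}
        derived = sum(1 for _, local, r in rows if r and local.endswith(r))

        if derived >= 2 and len(stems) == 1:
            stem = stems.pop()
            rules.append({"target": domain, "action": "block_domain",
                          "pattern": rf"^[^@]+@{esc}$",
                          "narrow_pattern": rf"^{re.escape(stem)}[^@]*@{esc}$",
                          "reason": f"sender local part is '{stem}' + recipient username ({campaigns})"})
        elif len(locals_seen) >= min_distinct_senders:
            rules.append({"target": domain, "action": "block_domain",
                          "pattern": rf"^[^@]+@{esc}$",
                          "reason": f"{len(locals_seen)} distinct sending accounts on one domain ({campaigns})"})
        else:
            for local in locals_seen:
                addr = f"{local}@{domain}"
                rules.append({"target": addr, "action": "block_address",
                              "pattern": rf"^{re.escape(addr)}$",
                              "reason": f"single sending account ({campaigns})"})
    return rules


def rule_matches(rule, sender, key="pattern"):
    return re.match(rule[key], sender.lower()) is not None


def first_match(rules, sender):
    """The first rule that would block this sender, or None."""
    for rule in rules:
        if rule_matches(rule, sender):
            return rule
    return None


OBSERVED = [  # sender addresses from the advisory; usernames on the #16 rows are placeholders
    ("#8", "ub-itagawa@cjs.ne.jp", None),
    ("#9", "mehr-talousuu@cjs.ne.jp", None),
    ("#10", "esaka@cjs.ne.jp", None),
    ("#11", "kobe-motomachi@cjs.ne.jp", None),
    ("#12", "support@beyoung.in", None),
    ("#13", "hayashi@nts-web.biz", None),
    ("#16", "tamaki3jdoe@toua-u.ac.jp", "jdoe"),
    ("#16", "tamaki3asmith@toua-u.ac.jp", "asmith"),
]

if __name__ == "__main__":
    for rule in recommend_blocks(OBSERVED):
        print(f"{rule['action']:14} {rule['target']:28} {rule['pattern']}")
        print(f"{'':14} {rule['reason']}")
```

A domain-level block on a legitimate but compromised institution (a university such as utsa.edu or toua-u.ac.jp) also stops its legitimate mail, so time-box such blocks, notify the domain owner as was done for #2, and prefer the narrow_pattern where the sender shape is as distinctive as it is in #16.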
Want to learn more about the SOC team? Please reach out to your Account Manager or send an email to support@vectorchoice.com for more information.
Warm regards,
Beau Dickie
Chief Security Officer
Vector Choice Technologies