Special Bulletin: Global Phishing Threats - August 2023

August 08, 2023

Security, Technology News

Updated August 15, 2023 7:00AM EST


Our SOC team recently identified several new phishing campaigns that are affecting global businesses.

Details of the campaigns are as follows:

Global Phishing #1

  • Sender: uksankis@mlcorp.com.ni
  • Targeted Industry: Automotive, Technology, Healthcare, Education
  • Subject: Accounts Payable Report as at <Day of the Week, and Date>
  • Analysis:
    • The sender uses the name of a C-Level executive within the company to appear more legitimate.
    • The sender asks for an Aging Report that includes customer contact information.
    • We have classified these emails as executive impersonation.
    • The sender's domain, mlcorp.com.ni, is hosted in Nicaragua and appears to belong to a wholesale retail business dealing in imports, exports, and real estate investments.
      • We are unaware if this domain has experienced a compromise.

Global Phishing #2

  • Sender: gregory.granados@utsa.edu
  • Subject: You have new held messages
  • Targeted Industry: Religious, Automotive, Charities, Education, Agriculture, Technology
  • Analysis:
    • The sender uses the display name: Notification@<Company Domain>.<extension>
    • The sender attempts to impersonate a Microsoft notification.
    • The email body tells the recipient that a number of incoming messages are being held for review.
    • A blue button in the email body asks the recipient to review the messages.
    • Malicious embedded links in email content.
    • The domain utsa.edu belongs to the University of Texas at San Antonio.
      • We notified this institution regarding the potentially compromised email.
      • We did not receive confirmation on the compromise and are unable to comment any further.

Global Phishing #3

  • Sender: lc@crandallonstjohn.com
  • Subject: Payment Scheduled Notification
  • Targeted Industry: Automotive
  • Analysis:
    • The sender uses the display name: DoNotReplyACHSecurePaymentPortal@billtrust.com
    • The sender attaches an HTM file named: #20374008 .htm
    • When opened, the HTML file redirects the user to a malicious webpage.
    • The domain, crandallonstjohn.com hosts an Island Vacation website that targets the Virgin Islands.
      • We are unaware if this domain has experienced a compromise.

Global Phishing #4

  • Sender: diaf.2789@apside-groupe.com
  • Subject: <Username of Recipient>, Your organization (<Company Name>) has shared a secure document with you "<Company Name>_Updated & Revised Contracts" - Download enclosed to review & sign
  • Targeted Industry: Education, Technology, Religious, Automotive
  • Analysis:
    • The sender uses the display name: notifications@<Company Domain>.com
    • The sender attempts to impersonate a company email address to appear more legitimate.
    • The sender attaches an HTM file named: Updated & Revised Contracts_Weds Aug 9.htm - 2.7 KB
    • When opened, the HTML file redirects the user to a malicious webpage.
    • The domain, apside-groupe.com redirects to apside.com.
    • The domain, apside.com appears to be hosting a French IT Company.
      • We are unaware if apside-groupe.com is affiliated with apside.com.
      • We are unaware if this domain has experienced a compromise.

Global Phishing #5

  • Sender: postmaster@zestkurashiki.com
  • Subject: vm197219721972 For <Recipient's Email Address> On, <Date and Time>
  • Targeted Industry: Automotive
  • Analysis:
    • The sender uses the display name: <Company Name>@<Company Domain>.com
    • The sender attempts to impersonate a company email address to appear more legitimate.
    • The sender attaches an HTM file named: Play_vm663666366636_wav.htm - 2.7 KB
      • The file name is crafted to make the attachment look like a WAV audio recording.
    • When opened, the HTML file redirects the user to a malicious webpage.
    • The domain, zestkurashiki.com is hosting a Japanese real estate agency that focuses on the open house market.
      • We are unaware if this domain has experienced a compromise.

Global Phishing #6

  • Sender: ingrid@mygym.jp
  • Subject: **Final Statement Invoices** PAID Invoices S17792 & W22139 - Remittance Advise K2587 ZX250 & K2572 ZX135
  • Targeted Industry: Construction, Automotive, Education
  • Analysis:
    • The sender uses the display name: Remits@<Company Domain>.com
    • The sender attempts to impersonate a company email address to appear more legitimate.
    • The sender attaches an HTM file named: ACH_Remittance.htm - 7.4 KB
    • When opened, the HTML file redirects the user to a malicious webpage.
    • The domain, mygym.jp appears to host a Japanese children's fitness center.
      • We are unaware if this domain has experienced a compromise.

Global Phishing #7

  • Sender: noreply@amreenit.com
  • Subject: Pay Application #3 [ FW: Re: Payment receipt -#AP4194] <Date and Time>
  • Targeted Industry: Construction and Automobile
  • Analysis:
    • The sender uses the display name: ACH.Department@<Company Name>.com
    • The sender attempts to impersonate a company email address to appear more legitimate.
    • The sender attaches an HTM file named: Credit-ACH39145110885380-copy(1).html - 4.6 KB
    • The file can redirect the user to a malicious webpage.
    • The domain, amreenit.com appears to be hosting an IT Service and Consulting webpage.
      • We are unaware of any compromise associated with this domain.

Global Phishing #8

  • Sender: ub-itagawa@cjs.ne.jp
  • Subject: Automated: Incoming Wire Transfer
  • Targeted Industry: Technology, Education, Healthcare, Agriculture, and Automobile
  • Analysis:
    • The sender uses the display name: Wire.Room@wellsfargo.com
    • The sender attempts to impersonate a financial institution (Wells Fargo Bank).
    • The sender attaches an HTM file named: CustomerRef#3389XXX.htm - 38.7 KB
    • The file can redirect the user to a malicious webpage.
    • The domain, cjs.ne.jp appears to be hosting a Japanese apartment listing webpage.
      • We are unaware of any compromise associated with this domain.

Global Phishing #9

  • Sender: mehr-talousuu@cjs.ne.jp
  • Subject: Automated: Incoming Wire Transfer
  • Targeted Industry: Education, Automobile, Energy and Agriculture
  • Analysis:
    • The sender uses the display name: Wire.Room@wellsfargo.com
    • The sender attempts to impersonate a financial institution (Wells Fargo Bank)
    • The sender attaches an HTM file named: CustomerRef#3389XXX.htm - 38.7 KB
    • The file can redirect the user to a malicious webpage.
    • The domain, cjs.ne.jp appears to be hosting a Japanese apartment listing webpage.
      • We are unaware of any compromise associated with this domain.

Global Phishing #10

  • Sender: esaka@cjs.ne.jp
  • Subject: Hi, you have 1 VM on <Insert Date>. Refer below to listen.
  • Targeted Industry: Education, Healthcare, Automobile, and Energy
  • Analysis:
    • The sender uses the display name: <Company Domain Name> Fax-Call Notification /O=EXT#EXCHANGE=<Recipient's Email Address>=RECIPIENTS/=
    • It appears that the sender was unable to get the display name formatting correct.
    • The sender attaches an HTM file named: +1816652902-0801-94135.htm - 40.6 KB
    • The file can redirect the user to a malicious webpage.
    • The file name appears to be a phone number. However, after researching we've found that this is not a legitimate phone number.
    • There is no content within the email.
    • The domain, cjs.ne.jp appears to be hosting a Japanese apartment listing webpage.
      • We are unaware of any compromise associated with this domain.

Global Phishing #11

  • Sender: kobe-motomachi@cjs.ne.jp
  • Subject: New V-Message from (816) 652-9*** on <Insert Date and Time>. Refer below to listen
  • Targeted Industry: Healthcare, Education, and Automobile
  • Analysis:
    • The sender uses the display name: <Company Domain Name> Phone Call Notification /O=EXT#EXCHANGE=<Recipient's Email Address>=RECIPIENTS/=
    • It appears that the sender was unable to get the display name formatting correct.
    • The sender attaches an HTM file named: +1816652902-0801-94135.htm - 40.6 KB
    • The file can redirect the user to a malicious webpage.
    • The file name appears to be a phone number. However, after researching we've found that this is not a legitimate phone number.
    • There is no content within the email.
    • The domain, cjs.ne.jp appears to be hosting a Japanese apartment listing webpage.
      • We are unaware of any compromise associated with this domain.

Global Phishing #12

  • Sender: support@beyoung.in
  • Subject: VM for <Recipient's Username> @ <Company Name> from a caller at 15829901114 left you a message 19 second(s) long
  • Targeted Industry: Automobile
  • Analysis:
    • The sender uses the display name: +18008291040@voice2mail.us
    • The display name reuses the IRS's toll-free number (800-829-1040) to make the email appear legitimate.
    • The sender attaches an HTM file named: IRS-SECURED-DOC.HTM - 782 Bytes
    • The file can redirect the user to a malicious webpage.
    • The email body is consistent across every instance we have seen and reads:
      • Notice from IRS.GOV
      • Message received on <Date and Time>
      • Message Transcript "Your IRS Letter"
    • The domain, beyoung.in appears to be hosting an apparel website.
      • We are unaware of any compromise associated with this domain.

Global Phishing #13

  • Sender: hayashi@nts-web.biz
  • Subject: VM for <Recipient's Username> @ <Company Name> from a caller at 15829901114 left you a message 19 second(s) long
  • Targeted Industry: Automobile, Technology, Construction, Education, and Healthcare
  • Analysis:
    • The sender uses the display name: +18008291040@voice2mail.us
    • The display name reuses the IRS's toll-free number (800-829-1040) to make the email appear legitimate.
    • The sender attaches an HTM file named: IRS-SECURED-DOC.HTM - 782 Bytes
    • The file can redirect the user to a malicious webpage.
    • The email body is consistent across every instance we have seen and reads:
      • Notice from IRS.GOV
      • Message received on <Date and Time>
      • Message Transcript "Your IRS Letter"
    • The domain, nts-web.biz appears to be hosting a Japanese webpage for chemical compounds.
      • We are unaware of any compromise associated with this domain.

Global Phishing #14

  • Sender: frontdesk@brisklearning.com
  • Subject: Scanned: 2 pages - <Insert Company Name> Reference Number#456782 On <Insert Date and Time>
  • Targeted Industry: Charities, Education, Construction, and Religious
  • Analysis:
    • The sender uses the display name: Scanner@<Company Domain Name>.com
    • The sender attempts to impersonate a company email address to appear more legitimate.
    • The sender attempts to impersonate a scan / fax notification.
    • The sender attaches an HTM file named: SecuredScanner.htm - 13.7 KB
    • The file can redirect the user to a malicious webpage.
    • The domain, brisklearning.com appears to be hosting an Education based webpage that focuses on the creation of exam papers and other learning activities.
      • We are unaware of any compromise associated with this domain.

Global Phishing #15

  • Sender: cesar.pedrollo@orgafarma.com.br
  • Subject: Notice: <Recipient's Email Address> On <Insert Day of the Week, Date, and Time>
  • Targeted Industry: Education, Construction, Automobile, Religious, and Technology
  • Analysis:
    • The sender uses the display name: IT@<Company Domain Name>.com
    • The sender attempts to impersonate a company email address to appear more legitimate.
    • The email body uses an image styled as a DocuSign notification, with malicious embedded links.
    • The sender's domain, orgafarma.com.br, is hosted in Brazil and redirects to grupoorgafarma.com.br/portal/, which appears to host an online pharmacy.
      • We are unaware if the domain being used is associated with the company the domain redirects to.
      • We are unaware of any compromise associated with these webpages or domains.

Global Phishing #16

  • Sender: tamaki3<Recipient's Username>@toua-u.ac.jp
  • Subject: This is confirmation for the ACH payment sent today Processed on <Insert Date and Time>
  • Targeted Industry: Construction and Automobile
  • Analysis:
    • The sender uses the display name: <Recipient's Email Address>
    • The sender attempts to spoof and/or obfuscate their email address to appear more legitimate and to evade detection.
    • The sender's email address changes based on the recipient's username.
    • The sender attaches an HTM file named: Auto ACH Confirmation-6723604.htm - 2.7 KB
    • The file can redirect the user to a malicious webpage.
    • The domain, toua-u.ac.jp appears to be hosting a Japanese university, Toua University (東亜大学).
      • We are unaware of any compromise associated with this domain.

Global Phishing #17

  • Sender: pon.palani@righttalents.net
  • Subject: Reminder: Action needed for <Company Name>
  • Targeted Industry: Healthcare and Automobile
  • Analysis:
    • The sender uses the display name: Password Notification@<Company Domain Name>.com
    • The sender disguises the email address so the message appears to come from inside the company.
    • The sender uses urgency by stating that the recipient's password is expiring today.
    • Fake Microsoft 365 notification asking the user to verify their current email password with a button that says, "Keep My Password".
    • Malicious embedded links in email content.
    • The domain, righttalents.net appears to be an IT Recruiting company.
      • We are unaware of any compromise associated with this domain.

Global Phishing #18

  • Sender: ben@integrityenergysolutions.co.uk
  • Subject: Action Required: Payment Notification on <Insert Date>. View Attached
  • Targeted Industry: Healthcare
  • Analysis:
    • The sender uses the display name: Accounts Payables Invoice entry AR@<Company Domain Name>.com
    • The sender attempts to impersonate a company email address to appear as if the email was sent from within the company.
    • The sender attaches an HTM file named: Statement.htm - 2.3 KB
    • The email body carries a disclaimer from Opal, a company based in Australia and New Zealand.
    • The domain, integrityenergysolutions.co.uk appears to be hosting a webpage based around electrical contracting and installation.
      • We are unaware of any compromise associated with this domain.

Global Phishing #19

  • Sender: pod@greatcentralinc.com
  • Subject: File shared with you: "Account Statments" (the misspelling is in the original subject line)
  • Targeted Industry: Technology, Healthcare, and Automobile
  • Analysis:
    • The sender uses the display name: Donotreply@<Company Name>SharedFileNotificationSupportfiledelivery.pdf
    • The sender attaches an HTM file named: DOC947-1042396.html - 4.2 KB
    • The sender attaches an image within the email content to make the email appear more legitimate.
    • The image appears to state that the email is from Microsoft Teams TimeSheets.
    • The image content asks the user to open the email attachment to review their timesheet to ensure its accuracy.
    • The sender is baiting the recipient to open the email attachment.
    • The domain, greatcentralinc.com appears to be hosting a Southern Californian Transportation webpage.
      • We are unaware of any compromise associated with this domain.

Global Phishing #20

  • Sender: info@revivecolorado.net
  • Subject: Payment Scheduled Notification
  • Targeted Industry: Automobile
  • Analysis:
    • The sender uses the display name: ACHDoNotReplyACHSecurePaymentPortal@billtrust.com
    • The display name is crafted to make the email appear to come from Billtrust's payment portal.
    • The sender attaches an HTM file named: Scanner0000276 .htm - 12.8 KB
    • The file can redirect the user to a malicious webpage.
    • The domain, revivecolorado.net appears to be hosting a webpage associated with Ketamine therapy.
      • We are unaware of any compromise associated with this domain.
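Most of the campaigns above deliver a small HTM/HTML attachment whose only job is to send the viewer to a credential-harvesting page. The script below is an added example, not part of this bulletin or of Vector Choice's tooling; it shows how an analyst can statically list an attachment's redirect targets without rendering it in a browser, by reading `<meta http-equiv="refresh">` targets, JavaScript `location` assignments, and URLs hidden behind `atob()` base64 decoding. The sample attachment and the `example.invalid` URLs inside it are constructed for the demonstration and are not indicators from the campaigns.

```python
import base64
import re
from html.parser import HTMLParser

# Constructed sample, modelled on the 2-40 KB .htm lures described above. The URLs
# use the reserved .invalid TLD and are placeholders, not indicators from the campaigns.
SAMPLE_HTM = b"""<html><head>
<meta http-equiv="refresh" content="0; url=https://example.invalid/verify">
<script>
var p = atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvbG9naW4=");
window.location.href = p;
</script></head><body>Loading your voicemail...</body></html>
"""

# JavaScript redirects: location = "...", location.href = "...", location.replace("..."), location.assign("...")
_JS_REDIRECT = re.compile(
    r"location(?:\.href)?\s*(?:=|\.replace\(|\.assign\()\s*['\"]?(?P<url>https?://[^'\"\s)]+)",
    re.IGNORECASE,
)
# atob("...") calls whose argument decodes to a URL hide the destination from plain string matching.
_ATOB = re.compile(r"atob\(\s*['\"](?P<b64>[A-Za-z0-9+/=]+)['\"]\s*\)")
# The url= part of a <meta http-equiv="refresh" content="0; url=..."> tag.
_META_URL = re.compile(r"url\s*=\s*['\"]?(?P<url>[^'\";\s]+)", re.IGNORECASE)


class _RedirectCollector(HTMLParser):
    """Collect <meta refresh> targets and the raw text of every <script> block."""

    def __init__(self):
        super().__init__()
        self.meta_urls = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = _META_URL.search(a.get("content") or "")
            if m:
                self.meta_urls.append(m.group("url"))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def extract_redirect_targets(html_bytes: bytes) -> dict:
    """Statically list where an HTML attachment would send the viewer, without rendering it."""
    collector = _RedirectCollector()
    collector.feed(html_bytes.decode("utf-8", errors="replace"))
    script = "\n".join(collector.scripts)

    js_urls = [m.group("url") for m in _JS_REDIRECT.finditer(script)]

    decoded_urls = []
    for m in _ATOB.finditer(script):
        try:
            text = base64.b64decode(m.group("b64"), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if text.lower().startswith(("http://", "https://")):
            decoded_urls.append(text)

    return {
        "meta_refresh": collector.meta_urls,
        "js_redirect": js_urls,
        "base64_urls": decoded_urls,
        "suspicious": bool(collector.meta_urls or js_urls or decoded_urls),
    }


if __name__ == "__main__":
    print(extract_redirect_targets(SAMPLE_HTM))
```

The sample hides its real destination in a base64 string assigned to a variable, so a grep for `http` in the script body finds only the `<meta>` fallback; the `atob()` decoding step is what recovers the second URL. Real lures layer further encodings (hex escapes, split strings), so treat an empty result as "nothing found by this pass", not as a clean verdict.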

Special Notes:

Global Phishing Events #8, #9, #10, and #11 are all sent from the same domain, cjs.ne.jp. Because four different accounts on that domain are sending these emails and we cannot know how many more accounts on it are compromised, we are adding the sender domain itself to the block list rather than the individual addresses.

Global Phishing Events #12 and #13 use the same template and the same attachment name. The two events are otherwise identical, but the sender rotates between two sender addresses on different domains (beyoung.in and nts-web.biz) to evade address-based blocking. We recommend advising your team members to be on the lookout for the described indicators and to mark emails that match them as junk.

Global Phishing Event #16 targets multiple users within the same company and changes the local part of the sender address (the portion before the @) based on each recipient's username. Because the address is different for every recipient, blocking individual addresses is ineffective, so we are adding the sender's domain to the block list.
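The indicators that recur across the campaigns and in the notes above (an external sender whose display name is an address at a bank, a vendor, or the company's own domain; an HTM/HTML attachment; and a voicemail, scan, ACH, wire-transfer, password-expiry or shared-document subject) can be checked mechanically at the mail gateway or in a triage script before anyone opens the message. The script below is an added example, not Vector Choice's code or tooling. `OUR_DOMAIN`, the brand list, the subject patterns, and the two constructed messages (with `example.net`/`example.org` senders and a placeholder `example.invalid` link) are assumptions for the demonstration, not indicators from the campaigns.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Assumption for this example: the mail domain of the organisation being protected.
OUR_DOMAIN = "example.com"

# Subject lures used across the campaigns above (voicemail, scan/fax, ACH, wire, password, shared document).
LURE_SUBJECT = re.compile(
    r"(voice ?mail|\bVM\b|V-Message|Scanned:|Incoming Wire|\bACH\b|Remittance|Payment Scheduled|"
    r"password|held messages|shared a secure document|Aging Report)",
    re.IGNORECASE,
)
# Brands the campaigns impersonate in the display name.
IMPERSONATED = ("wellsfargo.com", "billtrust.com", "voice2mail.us", "irs.gov", "docusign")
HTML_EXTENSIONS = (".htm", ".html")


def triage(raw: bytes) -> list[str]:
    """Return the bulletin's indicators present in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_header = msg["From"]
    sender = from_header.addresses[0] if from_header and from_header.addresses else None
    if sender is not None:
        display = sender.display_name
        lowered = display.lower()
        # A display name that is itself an address at some other domain (Wire.Room@wellsfargo.com,
        # Notification@<company>.com) while the real sender is somewhere else entirely.
        m = re.search(r"@([\w.-]+)", display)
        if m and m.group(1).lower() != sender.domain.lower():
            findings.append(f"display name claims {m.group(1)} but the sender is {sender.domain}")
        if re.search(rf"@{re.escape(OUR_DOMAIN)}\b", lowered) and sender.domain.lower() != OUR_DOMAIN:
            findings.append("display name impersonates an internal address")
        if any(brand in lowered for brand in IMPERSONATED):
            findings.append(f"display name impersonates a known brand: {display}")

    subject = str(msg["Subject"] or "")
    if LURE_SUBJECT.search(subject):
        findings.append(f"subject matches a known lure: {subject}")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(HTML_EXTENSIONS):
            size = len(part.get_payload(decode=True) or b"")
            findings.append(f"HTML attachment: {name} ({size} bytes)")

    return findings


def build_sample_message() -> bytes:
    """Constructed message shaped like campaigns #8/#9: bank display name, external sender, .htm lure."""
    msg = EmailMessage()
    msg["From"] = '"Wire.Room@wellsfargo.com" <someone@sender.example.net>'
    msg["To"] = f"ap@{OUR_DOMAIN}"
    msg["Subject"] = "Automated: Incoming Wire Transfer"
    msg.set_content("Please review the attached customer reference.")
    msg.add_attachment("<html><script>location='https://example.invalid'</script></html>",
                       subtype="html", filename="CustomerRef#3389XXX.htm")
    return bytes(msg)


def build_benign_message() -> bytes:
    """Constructed ordinary message that should produce no findings."""
    msg = EmailMessage()
    msg["From"] = "Alice Example <alice@partner.example.org>"
    msg["To"] = f"bob@{OUR_DOMAIN}"
    msg["Subject"] = "Lunch next week?"
    msg.set_content("Are you free on Tuesday?")
    return bytes(msg)


if __name__ == "__main__":
    for line in triage(build_sample_message()):
        print("FLAG:", line)
```

Each finding on its own is weak (plenty of legitimate mail mentions ACH, and some vendors do put an address in the display name), which is why the function returns the full list rather than a verdict: a gateway rule would typically quarantine on the display-name mismatch combined with an HTML attachment, and only log the subject match alone.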

Remediation: If one of these emails reaches your inbox, do not open the attached HTM file or follow any link in the message body. Delete the email and block the sender's email address.

Want to learn more about the SOC team? Please reach out to your Account Manager or send an email to support@vectorchoice.com for more information.

Warm regards,

Beau Dickie

Chief Security Officer

Vector Choice Technologies