A new phishing attack has been identified in which cybercriminals send a fake GDPR compliance reminder in a bid to fool recipients into handing over their email login details.
The phishing campaign, discovered by Area 1 Security researchers, involves attackers sending the warning to a list of company email addresses they had previously obtained.
A spokesperson for Area 1 Security said: “The attacker lures targets under the pretense that their email security is not GDPR compliant and requires immediate action. For many who are not versed in GDPR regulations, this phish could be merely taken as more red tape to contend with rather than being identified as a malicious message.”
They continued: “On the second day of the campaign the attacker began inserting SMTP HELO commands to tell receiving email servers that the phishing message originated from the target company’s domain, when in fact it came from an entirely different origin. This is a common tactic used by malicious actors to spoof legitimate domains and easily bypass legacy email security solutions.”
If a recipient clicks the URL in the email, they are taken to a phishing site. There their login data is captured, giving the attackers access to the victim's company email account, which they can then use to spread the campaign internally and commit further fraud. The phishing URL is hosted on a compromised, outdated WordPress site.
Another feature of the attack is that the link is ‘personalized’: the recipient's (target's) email address is auto-populated into an HTML form on the malicious web page, and the username field is pre-filled with the correct email address (taken from the URL's “email” parameter). This alone can persuade recipients that the site they are viewing is authentic and lead them to hand over their login details.
Should a recipient believe the email and enter their password and login details, a script sends the credentials to the phishers. All the target who provided the information will see is an error page.
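Two of the traits described above, the HELO command that claims the target company's own domain from a foreign sending host, and the lure URL that carries the recipient's address in an “email” parameter, can both be checked from a message's raw headers and body. The following triage script is an added example, not code from the article or from Area 1 Security; the sample message, the `192.0.2.0/24` “internal” mail range, the `example.test` domain and the `wp-site.invalid` host are all constructed for illustration, and the Received-header format assumed is the Postfix style `from <helo> (<rdns> [<ip>])`.

```python
import re
import ipaddress
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse, parse_qs

# Constructed sample message (not from the campaign). The oldest Received hop
# claims a HELO name equal to the victim organisation's own domain, but the
# connecting IP sits outside that organisation's mail network, and the lure URL
# carries the recipient's address in an "email" query parameter.
SAMPLE_EMAIL = """\
Received: from mx.example.test (mx.example.test [192.0.2.10])
\tby mailstore.example.test (Postfix) with ESMTP id ABC123
\tfor <alice@example.test>; Mon, 1 Jan 2024 10:00:00 +0000
Received: from example.test (unknown [198.51.100.77])
\tby mx.example.test (Postfix) with ESMTP id DEF456
\tfor <alice@example.test>; Mon, 1 Jan 2024 09:59:58 +0000
From: "IT Compliance" <compliance@example.test>
To: alice@example.test
Subject: GDPR compliance action required
Content-Type: text/plain; charset=utf-8

Your mailbox is not GDPR compliant. Confirm your account here:
http://wp-site.invalid/wp-content/uploads/verify.php?email=alice@example.test
"""

# Assumed (constructed): the organisation's own mail relay network.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Matches the "from <helo> (<rdns> [<ip>])" prefix that Postfix-style MTAs write.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^\s\[]+)\s+\[([^\]]+)\]\)")
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def first_external_hop(received_headers, internal_nets):
    """Walk Received headers from the oldest hop upward and return
    (helo_name, reverse_dns, ip) for the first hop outside our own network."""
    for hdr in reversed(received_headers):
        m = RECEIVED_RE.search(hdr)
        if not m:
            continue
        helo, rdns, ip_text = m.groups()
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue
        if not any(ip in net for net in internal_nets):
            return helo, rdns, ip
    return None


def triage(raw_message, internal_nets=INTERNAL_NETS):
    """Return a list of findings explaining why the message matches the
    GDPR-lure pattern: a spoofed HELO and a recipient-personalised credential URL."""
    msg = message_from_string(raw_message)
    findings = []

    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()

    hop = first_external_hop(msg.get_all("Received", []), internal_nets)
    if hop:
        helo, rdns, ip = hop
        # A HELO naming our own domain from an IP we do not own is the spoofing
        # tactic the article describes. Production filtering should lean on
        # SPF/DKIM/DMARC results rather than this heuristic alone.
        h = helo.lower()
        if from_domain and (h == from_domain or h.endswith("." + from_domain)):
            findings.append(
                f"helo_spoof: HELO '{helo}' claims {from_domain} but arrived from {ip} (rdns {rdns})"
            )

    # Look for links whose "email" parameter pre-fills the recipient's own address.
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for url in URL_RE.findall(body):
        parts = urlparse(url)
        prefilled = [v.lower() for v in parse_qs(parts.query).get("email", [])]
        if recipient and recipient in prefilled:
            findings.append(f"personalised_link: {parts.netloc} pre-fills the recipient address")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print(finding)
```

Run against the constructed sample, the script reports both a `helo_spoof` finding (HELO `example.test` from 198.51.100.77, outside the assumed internal range) and a `personalised_link` finding for the lure URL. The same two checks can be run over a mailbox export or gateway quarantine to find other messages from the campaign.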
It is very important that you inform your staff about this threat as soon as possible. No one should visit the URL links included in unsolicited emails. Never, ever, should anyone enter login credentials into unfamiliar login pages. If they are in any doubt, they should either contact their own IT staff to check the validity of the contact or contact the email's sender by telephone or some other offline means of communication.