This blog was co-written by Rafael Pena.
We recently received customer submissions related to a phishing campaign that was redirecting users to a browser hijacker. It became clear, after analysis, that these cases were related to a technical support scam in which the attacker uses scare tactics—such as displaying fake error messages and phone numbers—to trick the user into thinking they are infected with malware and paying for unnecessary technical support. This has special relevance for both consumer and corporate users since businesses rely heavily on emails. Phishing emails are one major contributor to security breaches.
As shown in the picture below, the user receives an email asking them to click on a box to display a message. When the user clicks the message, they are redirected to a URL prompting for user credentials.
The malicious URL is revealed by hovering over the message box, as shown in the screenshot below. These URLs tend to be available for a short time and are frequently changed in the phishing email.
The user may be redirected to a website like the one displayed below. Users may be tricked into providing their credentials.
This behavior resembles ransomware, since the user is unable to exit the browser as it enters full-screen mode. The user may also hear audio, which has also been observed with some ransomware variants. If you are unable to close the tab or the browser, open the task manager using Ctrl + Alt + Delete, locate the browser, and then terminate the process.
The screenshot below illustrates another example with some slight changes.
All domains involved in this campaign were purchased from Namecheap. The email accounts used to propagate this phishing attack are legitimate accounts that were compromised. Email hashes cannot be provided since they contain customer information.
How does McAfee protect users from technical support scam threats?
The malicious HTML embedded in the email has DAT coverage as “Phish-EmailFraud.icu” and it is included in current DATs. Users can also use a combination of other McAfee products to protect their environment and their employees. Some of the products available are McAfee SiteAdvisor and McAfee Security for Microsoft Exchange.
By using McAfee SiteAdvisor, the user collects the malicious URLs and adds them to the blocked sites list. This prevents other users from mistakenly providing their credentials if they receive the phishing email.
This can be achieved by accessing the Block and Allow List Policy in McAfee ePolicy Orchestrator (McAfee ePO) and adding the URL as illustrated below.
McAfee Endpoint Security 10.5 product guide:
McAfee Security for Microsoft Exchange
McAfee Security for Microsoft Exchange can be used to block the sender’s email address and prevent the phishing email from being sent to additional employees. This variant was taking advantage of a local user account to send the phishing emails. By using McAfee Security for Microsoft Exchange, users can blacklist their email addresses so they are not sent malicious emails.
McAfee Security for Microsoft Exchange 8.6.0 product guide:
What else can you do?
Any suspicious URLs can also be checked on the TrustedSource site. This will help determine if McAfee is aware of the URL and already providing coverage as illustrated below.
The URLs associated with this phishing attack have been classified as high risk in TrustedSource and McAfee SiteAdvisor.
How do I submit a malicious URL to McAfee?
Send an email to firstname.lastname@example.org and they will gladly work with you.
For more information on phishing attacks, please visit the following links: