An article by Threatpost reports that a vishing attack, delivered through emails sent in the name of Geek Squad and Norton Antivirus, reached 25k email inboxes. The attackers were reportedly after the victims' credit card details.
What is Vishing?
Vishing or Voice Phishing is generally a social engineering technique used by malicious actors to extract sensitive information from victims over the phone. They may also use fraudulent voice messages for this purpose.
What Happened Here?
Fraudsters sent emails containing fake order receipts to victims. The emails also included phone numbers that the victim was told to call to ‘process order returns’. Researchers pointed out that the emails bypassed email security engines like Exchange Online Protection (EOP). According to the article, this means Microsoft must have deemed them to come from a safe sender, or from a source email server on the ‘IP Allow List’.
Case #1: Geek Squad
Geek Squad is an IT support service which is owned by electronics retailer Best Buy. Fraudsters sent emails from a Gmail account that impersonated Geek Squad with the exact look and feel of the original emails.
The emails masqueraded as a renewal confirmation for an annual protection service. The language was carefully chosen to sound professional and not urgent. There were no random links to raise suspicion, and the only call to action in the email was a phone number that would connect the victim to a ‘billing department’.
Case #2: Norton
This vishing campaign was similar to the Geek Squad campaign. It used Gmail accounts to send emails with the subject line saying ‘Order Confirmation’. Again, there were no random links included in this email apart from a phone number to ‘cancel a subscription’.
The only difference between the Geek Squad campaign and the Norton campaign was that the latter used no decoration like HTML stylings or branding images.
The attackers did, however, use an evasive technique to slip past deterministic filters and blocklists: they wrote N0RT0N PR0TECTI0N with zeroes (‘0’) in place of the letter ‘O’.
In both cases, when researchers called the number provided, they found that the fraudulent numbers had been deactivated.
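The zero-for-O substitution described above only defeats exact string matching, so a filter can fold lookalike characters before comparing against a brand watchlist. The following is an added example, not code from the article or the researchers; the fold map, the watchlist, the freemail set and the sample messages are all assumptions constructed for illustration.

```python
import re

# Assumed fold map: characters commonly swapped in for letters.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s"})
BRANDS = ("norton", "geek squad")   # assumed watchlist, from the two cases
FREEMAIL = {"gmail.com"}            # assumed; extend for your environment
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://", re.I)


def squash(text):
    """Lowercase and collapse whitespace so matching is layout-independent."""
    return re.sub(r"\s+", " ", text.lower())


def assess(sender, subject, body):
    """Return the reasons a message resembles the campaigns described above."""
    reasons = []
    domain = sender.rsplit("@", 1)[-1].lower()
    raw = squash(f"{subject} {body}")
    folded = raw.translate(LOOKALIKES)  # N0RT0N -> norton
    for brand in BRANDS:
        if brand not in folded:
            continue
        if brand not in raw:
            reasons.append(f"obfuscated brand: {brand}")
        if domain in FREEMAIL:
            reasons.append(f"{brand} mail from freemail domain {domain}")
    # Both campaigns carried a phone number and no links.
    if PHONE_RE.search(body) and not URL_RE.search(body):
        reasons.append("phone number is the only call to action")
    return reasons


# Constructed sample messages (not taken from the real campaigns).
NORTON_LIKE = ("billing.dept@gmail.com", "Order Confirmation",
               "Thank you for renewing N0RT0N PR0TECTI0N. "
               "To cancel a subscription call +1 (808) 555-0134.")
GEEK_LIKE = ("renewals.team@gmail.com", "Renewal confirmation",
             "Your Geek Squad annual protection has renewed. "
             "Billing department: 808-555-0199")
BENIGN = ("orders@example.com", "Your order",
          "Track your parcel at https://example.com/track")

if __name__ == "__main__":
    for msg in (NORTON_LIKE, GEEK_LIKE, BENIGN):
        print(msg[1], "->", assess(*msg))
```

The returned reasons are signals to weigh together in a scoring rule rather than a verdict on their own, since a broad fold map will also match some legitimate text.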