Phishing scam involving fake request for quotation posing as Pfizer Inc.


The attackers have been found to be conducting an advanced targeted phishing campaign to steal victims’ business and financial information by impersonating Pfizer.

Source report: Fresh Phish: Phishers Impersonate Pfizer in Request for Quotation Scam (INKY)
Between Aug. 15 and Dec. 13, INKY detected 410 phishing emails that impersonated pharmaceutical and biotechnology giant ...

Phishers are always trying new things, and dropping a famous brand name is one of their favourites. In this attack the actors combined high-tech and low-tech methods to stay under the anti-phishing radar. On the high-tech side, they registered fresh domains and configured them so that their mail passes basic email authentication checks (SPF, DKIM and DMARC); because the attacker owns the sending domain, those checks only confirm that the mail really came from the lookalike domain, not that the domain belongs to Pfizer. On the low-tech side, the lure is a plain PDF attachment with no poisoned links and no malware, in either the attachment or the email body. Both choices are designed to give content-based anti-phishing analysis nothing to trigger on.

Pfizer is a well-known pharmaceutical company, famous for producing one of the few currently available mRNA vaccines against COVID-19.

Phishers prefer widely known brand names because a familiar name dramatically raises their success rate compared with impersonating an unknown or fictitious company.

In a new report, INKY describes a threat group spoofing Pfizer in a phishing campaign that began around August 15, 2021.

The group behind this campaign is running a persistent operation that pairs "harmless" PDF attachments with newly registered domains that look like Pfizer's official online presence.

They then create mailboxes on these domains and send the phishing emails from them, which lets the messages pass the authentication checks that email protection products rely on.

The domains were registered through Namecheap, which accepts cryptocurrency as payment and so makes it easier for the actors to remain anonymous.

Here are some of the domains that INKY identified (defanged):

  • pfizer-nl[.]com
  • pfizer-bv[.]org
  • pfizer-htlinc[.]xyz
  • pfizertenders[.]xyz

pfizer-nl[.]com, for example, could easily be mistaken for Pfizer's official Dutch site, since Pfizer has offices in the Netherlands.

Subtle invitation

The subject lines typically reference an urgent request for quotation, an invitation to tender, or the supply of industrial equipment.

With new COVID-19 variants spreading rapidly, it is easy for the phishers to give these emails a credible sense of urgency.

In most of the roughly 400 messages INKY analysed, the phishers used a professionally laid-out three-page PDF that spells out everything a legitimate request for quotation would contain, including due dates and payment terms.

The PDF contains no malware download links or phishing URLs that would alert an email security tool, and no typos or formatting slips that would hint at fraud.

Instead, recipients are told to send their quotation to addresses such as quote@pfizerbvl[.]com or quote@pfizersupplychain[.]com, hosted on further spoofed Pfizer lookalike domains.
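As an added illustration (this is example code, not part of the INKY report or of this article), the following Python triage script pulls the From, Reply-To, Return-Path and in-body addresses out of a message and flags any domain that carries the brand name without belonging to the company. It also parses the receiving server's Authentication-Results header to show the point made above: SPF, DKIM and DMARC can all pass on an attacker-owned lookalike domain, so a "pass" is not a brand check. The allowlist (pfizer.com), the sample message, its headers and the mail server name are constructed assumptions for the example; the lookalike domains are the ones named in this article, and the address in the body stands in for the reply address that the real campaign put inside the PDF.

```python
import re
from email import message_from_string
from email.utils import getaddresses

BRAND = "pfizer"
# Assumed allowlist for this example: the domains the brand legitimately mails from.
# In practice, derive this from the company's published domains and DMARC records.
LEGITIMATE_DOMAINS = {"pfizer.com"}

ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def is_lookalike(domain, brand=BRAND, legit=LEGITIMATE_DOMAINS):
    """True if `domain` carries the brand name but is not (a subdomain of) a legitimate domain.

    Catches the shapes seen in this campaign: brand plus suffix (pfizer-nl.com), brand fused
    with a word (pfizertenders.xyz), brand on an unrelated TLD (pfizer-htlinc.xyz), and the
    classic "brand.com.attacker.example" trick.
    """
    domain = domain.lower().rstrip(".")
    for good in legit:
        if domain == good or domain.endswith("." + good):
            return False
    return brand in domain


def auth_results(msg):
    """Parse the spf/dkim/dmarc verdicts from the Authentication-Results header.

    The receiving MTA adds this header. An attacker who owns the sending domain and publishes
    its own SPF/DKIM/DMARC records legitimately earns 'pass' on all three.
    """
    header = msg.get("Authentication-Results", "")
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(header)}


def triage(raw_message):
    """Return brand-lookalike domains found in the headers and body, plus the auth verdicts."""
    msg = message_from_string(raw_message)
    suspects = {}
    for hdr in ("From", "Reply-To", "Return-Path"):
        for _, addr in getaddresses(msg.get_all(hdr, [])):
            m = ADDR_RE.fullmatch(addr)
            if m and is_lookalike(m.group(1)):
                suspects.setdefault(m.group(1), set()).add(hdr)
    # Scan text parts for addresses (the campaign put its reply address in the PDF;
    # here it is in the body so the example stays self-contained).
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            for m in ADDR_RE.finditer(text):
                if is_lookalike(m.group(1)):
                    suspects.setdefault(m.group(1), set()).add("body")
    auth = auth_results(msg)
    all_pass = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    return {
        "lookalike_domains": {d: sorted(where) for d, where in suspects.items()},
        "auth": auth,
        "suspicious": bool(suspects),
        "note": ("SPF/DKIM/DMARC all pass, but the sender is a brand lookalike: "
                 "the attacker owns the domain, so authentication proves nothing about the brand"
                 if suspects and all_pass else ""),
    }


# Constructed sample message modelled on the campaign (headers and server names are made up).
SAMPLE_PHISH = """\
Return-Path: <bounce@pfizer-nl.com>
Authentication-Results: mx.supplier.example; spf=pass smtp.mailfrom=pfizer-nl.com; dkim=pass header.d=pfizer-nl.com; dmarc=pass header.from=pfizer-nl.com
From: Pfizer Procurement <tenders@pfizer-nl.com>
Reply-To: quote@pfizerbvl.com
To: sales@supplier.example
Subject: Urgent Request for Quotation - Industrial Equipment

Please find our RFQ attached. Send your quotation to quote@pfizersupplychain.com
before the due date stated in the document.
"""

# Constructed control message from the real domain: must not be flagged.
SAMPLE_LEGIT = """\
Authentication-Results: mx.supplier.example; spf=pass smtp.mailfrom=pfizer.com; dkim=pass header.d=pfizer.com; dmarc=pass header.from=pfizer.com
From: Procurement <tenders@mail.pfizer.com>
To: sales@supplier.example
Subject: RFQ follow-up

Thanks for your quotation.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, triage(raw))
```

The useful output is not the lookalike list alone but the combination: every authentication check passes and the message is still a fraud, which is exactly the gap the campaign exploits. A production version would feed the flagged domains into a registration-age lookup, since all of the domains here were newly registered.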

The exact end goal of the campaign is unclear, but the payment terms spelled out in the PDF suggest that at some point the threat actors will ask the recipient for banking details.

Bank details handed over that way can then be reused in business email compromise (BEC) fraud, including against the target company's own customers.

Not asking for any personal or financial information in the first email also lowers the recipient's guard.

Anyone who replies is simply drawn deeper into the deception.

If you receive an unexpected request for quotation, the safe course is to call the company on its published phone number (not a number taken from the email or the PDF) and ask to speak to the person named in the request.

If that person does not work for the company, or has no knowledge of the request, ignore it and delete the email.
