People in Nordic countries and beyond should beware: there’s a new credential stealing campaign up and running. For now, it seems to be hitting mostly these countries, but there’s no telling when it will extend to the rest of the world. Where there’s (illicit) money to be made, hackers are restless.

How the New Nordics Credential Stealing Campaign Works

As far as we’ve seen so far, the new Nordics credential-stealing campaign is targeting working emails. The malicious message pretends to be part of a previously agreed upon conversation, since the document is introduced as a link, without much explanation.

This is how a typical email looks like:

Fra: [sender email address] Sendt: 2. oktober 2019 09:56
Emne: Doc
Prioritet: Høj


Finn vedlagte dokument

Vis Dokument ({7ea83df5-6fc6-4c9c-9b65-fb8806b565be}&action=view&

Med vennlig hilsen


Phone, Email, Company name etc.]

Translated into English, this email would be this:

From: [sender email address]
Posted: October 2, 2019 9:56 AM
Subject: Doc
Priority: High


Find the attached document

View Document ({7ea83df5-6fc6-4c9c-9b65-fb8806b565be}&action=view&wd=tar 7C97f58f57-7285-4f70-8af0-fb5d7d3e3b82% 2FPDF% 20002% 7C4c8df191-241d-4d43-91b6-b3658f3bcdca% 2F% 29)

With best regards


Phone, Email, Company name etc.]

What happened next, if the user clicked that link?

They are redirected to a picture of a document (it’s not even a real document). The picture has a hyperlink inserted on it, which means that when a user clicks it, they will be redirected to a malicious page.

screenshot of fake document

The fraudulent page then asked users to login with whatever account they had, either Yahoo, Office 365, Gmail, etc.

You can watch a slideshow of what happened here (just move your mouse left-right to scroll through the screenshots).

A day later, the Nordics credential stealing campaign grew a new form. This time, the malicious document link was this one, instead:{b70a453e-0c44-45f5-8a31-01d022e88a43}&action=view&

In both cases, the malicious portal behind the fake links was

The domain was first registered in August 2013 and last updated in August 2019 (probably when the phishing campaign commenced). Its IP address is The person/entity who registered the domain is Ms. Jasmine Thomas, with a US address.

It is highly possible that the hackers who are distributing the credentials phishing campaign are not the rightful owner of the domain, but a 3rd party who stole access to the website in order to use it for malicious purposes. Or that the identity of Jasmine Thomas is just a front for the malicious group.

How to Stay Safe from the New Nordics Credential Stealing Campaign

If you have an active Heimdal™ Threat Prevention or Endpoint Security Suite subscription you are automatically protected from the malicious links above.

But if you’re not – and even if you are – make sure you’re ready for the next round. This campaign or another one like it will be back.

The best way to deal with them is to stay on your guard:

  • Don’t open documents and don’t click any links in emails from people you don’t know;
  • Be proactive about your cybersecurity and have a DNS traffic filter (like Heimdal™ Threat Prevention- either for Home or Enterprise);
  • Stay informed about credential stuffing (why criminals might want to steal your credentials) and about phishing in general;
  • If you are part of managing an organization (which means you and your employees will be huge targets for all sorts of phishing attempts), learn about business email compromise (BEC) and about Heimdal™ Email Security, a cybersecurity solution specially designed to block BEC attacks of any kind.

Stay safe!

What is Spear Phishing? Definition, Examples, Prevention Strategies

Everything You Need to Know About Credential Stuffing and How to Prevent It

Scam Alert: Digi Phishing Campaign Detected, Asking Credentials for a Prize

Leave a Reply

Your email address will not be published. Required fields are marked *