SECURITY ALERT: New Credential Stealing Campaign Hits Nordic Countries
Users are lured with a fake document sent via email. How this new phishing campaign works and how to stay safe.
People in Nordic countries and beyond should beware: there’s a new credential stealing campaign up and running. For now, it seems to be hitting mostly these countries, but there’s no telling when it will extend to the rest of the world. Where there’s (illicit) money to be made, hackers are restless.
How the New Nordics Credential Stealing Campaign Works
As far as we’ve seen so far, the new Nordics credential-stealing campaign is targeting working emails. The malicious message pretends to be part of a previously agreed upon conversation, since the document is introduced as a link, without much explanation.
This is how a typical email looks like:
Fra: [sender email address]
Sendt: 2. oktober 2019 09:56
Emne: Doc
Prioritet: Høj
Hei
Finn vedlagte dokument
Vis Dokument (https://amagauto-my.sharepoint.com/personal/senad_ljubuncic_amag_ch/_layouts/15/WopiFrame.aspx?sourcedoc={7ea83df5-6fc6-4c9c-9b65-fb8806b565be}&action=view&wd=target%28Document.one%7C97f58f57-7285-4f70-8af0-fb5d7d3e3b82%2FPDF%20002%7C4c8df191-241d-4d43-91b6-b3658f3bcdca%2F%29)
Med vennlig hilsen
[Name
Phone, Email, Company name etc.]
Translated into English, this email would be this:
From: [sender email address]
Posted: October 2, 2019 9:56 AM
Subject: Doc
Priority: High
Hi
Find the attached document
View Document (https://amagauto-my.sharepoint.com/personal/senad_ljubuncic_amag_ch/_layouts/15/WopiFrame.aspx?sourcedoc={7ea83df5-6fc6-4c9c-9b65-fb8806b565be}&action=view&wd=tar 7C97f58f57-7285-4f70-8af0-fb5d7d3e3b82% 2FPDF% 20002% 7C4c8df191-241d-4d43-91b6-b3658f3bcdca% 2F% 29)
With best regards
[Name
Phone, Email, Company name etc.]
What happened next, if the user clicked that link?
They are redirected to a picture of a document (it’s not even a real document). The picture has a hyperlink inserted on it, which means that when a user clicks it, they will be redirected to a malicious page.
The fraudulent page then asked users to login with whatever account they had, either Yahoo, Office 365, Gmail, etc.
You can watch a slideshow of what happened here (just move your mouse left-right to scroll through the screenshots).
A day later, the Nordics credential stealing campaign grew a new form. This time, the malicious document link was this one, instead: https://farmtools-my.sharepoint.com/personal/johanna_ratia_farmtools_fi/_layouts/15/WopiFrame.aspx?sourcedoc={b70a453e-0c44-45f5-8a31-01d022e88a43}&action=view&wd=target%28Document%20Library.one%7C53cc22f2-1e03-4b9b-8bc5-9b8bc9980cb7%2FScan0000495%7C5773954c-e41f-4956-859b-56edd77199ed%2F%29
In both cases, the malicious portal behind the fake links was https://lazzysisland.com.
The domain lazzysisland.com was first registered in August 2013 and last updated in August 2019 (probably when the phishing campaign commenced). Its IP address is 162.241.218.160. The person/entity who registered the lazzysisland.com domain is Ms. Jasmine Thomas, with a US address.
It is highly possible that the hackers who are distributing the credentials phishing campaign are not the rightful owner of the domain, but a 3rd party who stole access to the website in order to use it for malicious purposes. Or that the identity of Jasmine Thomas is just a front for the malicious group.
How to Stay Safe from the New Nordics Credential Stealing Campaign
If you have an active Heimdal™ Threat Prevention or Endpoint Security Suite subscription you are automatically protected from the malicious links above.
But if you’re not – and even if you are – make sure you’re ready for the next round. This campaign or another one like it will be back.
The best way to deal with them is to stay on your guard:
- Don’t open documents and don’t click any links in emails from people you don’t know;
- Be proactive about your cybersecurity and have a DNS traffic filter (like Heimdal™ Threat Prevention- either for Home or Enterprise);
- Stay informed about credential stuffing (why criminals might want to steal your credentials) and about phishing in general;
- If you are part of managing an organization (which means you and your employees will be huge targets for all sorts of phishing attempts), learn about business email compromise (BEC) and about Heimdal™ Email Security, a cybersecurity solution specially designed to block BEC attacks of any kind.
Stay safe!