COMMUNICATION AND PR OFFICER

People in Nordic countries and beyond should beware: there’s a new credential stealing campaign up and running. For now, it seems to be hitting mostly these countries, but there’s no telling when it will extend to the rest of the world. Where there’s (illicit) money to be made, hackers are restless.

How the New Nordics Credential Stealing Campaign Works

As far as we’ve seen so far, the new Nordics credential-stealing campaign is targeting working emails. The malicious message pretends to be part of a previously agreed upon conversation, since the document is introduced as a link, without much explanation.

This is how a typical email looks like:

Fra: [sender email address] Sendt: 2. oktober 2019 09:56
Emne: Doc
Prioritet: Høj

Hei

Finn vedlagte dokument

Vis Dokument (https://amagauto-my.sharepoint.com/personal/senad_ljubuncic_amag_ch/_layouts/15/WopiFrame.aspx?sourcedoc={7ea83df5-6fc6-4c9c-9b65-fb8806b565be}&action=view&wd=target%28Document.one%7C97f58f57-7285-4f70-8af0-fb5d7d3e3b82%2FPDF%20002%7C4c8df191-241d-4d43-91b6-b3658f3bcdca%2F%29)

Med vennlig hilsen

[Name

Phone, Email, Company name etc.]

Translated into English, this email would be this:

From: [sender email address]
Posted: October 2, 2019 9:56 AM
Subject: Doc
Priority: High

Hi

Find the attached document

View Document (https://amagauto-my.sharepoint.com/personal/senad_ljubuncic_amag_ch/_layouts/15/WopiFrame.aspx?sourcedoc={7ea83df5-6fc6-4c9c-9b65-fb8806b565be}&action=view&wd=tar 7C97f58f57-7285-4f70-8af0-fb5d7d3e3b82% 2FPDF% 20002% 7C4c8df191-241d-4d43-91b6-b3658f3bcdca% 2F% 29)

With best regards

[Name

Phone, Email, Company name etc.]

What happened next, if the user clicked that link?

They are redirected to a picture of a document (it’s not even a real document). The picture has a hyperlink inserted on it, which means that when a user clicks it, they will be redirected to a malicious page.

screenshot of fake document

The fraudulent page then asked users to login with whatever account they had, either Yahoo, Office 365, Gmail, etc.

You can watch a slideshow of what happened here (just move your mouse left-right to scroll through the screenshots).

A day later, the Nordics credential stealing campaign grew a new form. This time, the malicious document link was this one, instead: https://farmtools-my.sharepoint.com/personal/johanna_ratia_farmtools_fi/_layouts/15/WopiFrame.aspx?sourcedoc={b70a453e-0c44-45f5-8a31-01d022e88a43}&action=view&wd=target%28Document%20Library.one%7C53cc22f2-1e03-4b9b-8bc5-9b8bc9980cb7%2FScan0000495%7C5773954c-e41f-4956-859b-56edd77199ed%2F%29

In both cases, the malicious portal behind the fake links was https://lazzysisland.com.

The domain lazzysisland.com was first registered in August 2013 and last updated in August 2019 (probably when the phishing campaign commenced). Its IP address is 162.241.218.160. The person/entity who registered the lazzysisland.com domain is Ms. Jasmine Thomas, with a US address.

It is highly possible that the hackers who are distributing the credentials phishing campaign are not the rightful owner of the domain, but a 3rd party who stole access to the website in order to use it for malicious purposes. Or that the identity of Jasmine Thomas is just a front for the malicious group.

How to Stay Safe from the New Nordics Credential Stealing Campaign

If you have an active Thor Foresight or Thor Premium subscription you are automatically protected from the malicious links above.

But if you’re not – and even if you are – make sure you’re ready for the next round. This campaign or another one like it will be back.

The best way to deal with them is to stay on your guard:

  • Don’t open documents and don’t click any links in emails from people you don’t know;
  • Be proactive about your cybersecurity and have a DNS traffic filter (like Thor Foresight – either for Home or Enterprise);
  • Stay informed about credential stuffing (why criminals might want to steal your credentials) and about phishing in general;
  • If you are part of managing an organization (which means you and your employees will be huge targets for all sorts of phishing attempts), learn about business email compromise (BEC) and about MailSentry™, a cybersecurity solution specially designed to block BEC attacks of any kind.

Stay safe!

digi phishing campaign cover photo
2019.10.08 QUICK READ

Scam Alert: Digi Phishing Campaign Detected, Asking Credentials for a Prize

2019.07.24 SLOW READ

What Is Spear Phishing and How Do You Prevent It?

cover for credential stuffing attacks insight
2019.03.19 INTERMEDIATE READ

What Is a Credential Stuffing Attack and How to Protect Yourself from One

Leave a Reply

Your email address will not be published. Required fields are marked *

GO TO TOP