Summary
In August 2023, Netskope Threat Labs highlighted an increase in downloads of PDF phishing attachments in Microsoft Live Outlook, caused by a series of phishing campaigns targeting users of the email service. We took a closer look and found that these campaigns are mostly Amazon-themed scams with a few Apple and IRS-themed phishing attempts sprinkled throughout. Just like in our previously reported phishing blog posts, attackers are abusing free services in these campaigns. In this campaign, they abuse conversion trackers and redirectors to evade detection. Additionally these campaigns specifically targeted personal Microsoft Live Outlook accounts in North America, Southern Europe, and Asia. Let’s take a closer look at the details of these campaigns:
Amazon-themed phishing campaign
Netskope Threat Labs recently analyzed the cause of an increase in malware downloads from Microsoft Live Outlook and found that a major contributor was a variety of Amazon-themed phishing PDF attachments. The sender purports to be a member of the Amazon support team notifying recipients that their account has been suspended due to incorrect billing information. In order to supposedly rectify the situation, the users need to update their billing information by clicking the hyperlink. The attacker is abusing different redirectors with URL shorteners to hide the actual malicious URL and evade detection.
Some of the phishing links used in these campaigns lead to a compromised website that mimics PayPal’s page, where they ask users to fill up personal information and credit card details.
In some of the other scam campaigns we analyzed, even though the PDF attachment is requesting their targets to re-enter their Amazon billing information, some of the links redirect to other sites unrelated to Amazon, like login pages for Ionos and Netflix.
A small subset of phishing PDF attachments we analyzed purport to be from Apple and used similar social engineering tactics and the same redirector domains and URL shorteners. Another phishing campaign uses an IRS-themed scam, claiming that the recipient has a tax refund that can be collected when they click the link. These campaigns also used social media redirectors, like Linkedin Smart Links and Twitter, as well as free ecommerce marketing email services to evade detection. Let’s dig a bit deeper into how attackers used these redirectors:
LinkedIn Smart Links and Twitter used as redirectors
The attackers on these phishing campaigns are abusing social media platforms LinkedIn and Twitter as redirectors to the phishing websites. Attackers abuse LinkedIn Smart Links, which is a feature to package and share files and websites to prospects and customers. However they were abused to redirect targets to phishing websites. Using both LinkedIn Smart Links and Twitter as redirectors can help bypass email scanners and can also provide insights about the users who click on the malicious links, which might be useful to them in their future phishing campaigns.