Attackers have launched a new phishing campaign, and it’s insidious. This latest series of attacks uses text messages sent to men’s mobile devices. The text appears to be a legitimate invitation from a woman he knows to view her (non-existent) nude photos and videos via a web link.
The attackers are using women from the victims’ contacts list to bait their hook and lure in the victim, offering a live chat. The text even includes a real profile picture of the woman—copied from her social media account.
Hackers created thousands of custom web pages
The attackers have gone to great lengths to carefully target individuals by using a woman known to the victim and building custom web pages that, like the texts, show a real picture of the woman taken from social media. Initial research confirms that attackers have created tens of thousands of these custom, malicious web pages, and there may be many more.
Past data breaches likely provided attackers’ personalized info
Targeted phishing like this is called spearphishing. Because it’s customized, it can be extremely successful in tricking victims. Spearphishing campaigns this large aren’t an everyday thing. The attackers clearly have a lot of data to work with, and have spent a lot of time preparing for it. It’s currently unknown where the attackers obtained their information, but given the number and size of past data breaches, the fact that they have it is not surprising.
The domain name used in the attack was created just yesterday, but it’s important to remember that the particular web site used for an attack will change many times, at any time. You should always treat any web link you receive with suspicion. Don’t click on any links sent to you unless you’re expecting them, not even to investigate, even if it appears to come from a legitimate source—in this case, supposedly a friend!
The first of many?
These attackers won’t go away. They can turn this same data into any number of targeted attacks, and they have demonstrated the lengths they’re willing to go through to set up their scams. Like any crime ring, they will try to get the most out of your stolen data by creating as many new attacks as they can think of.
How the attack works
A man receives a text message, appearing to be an invitation from a woman he knows. The attackers use the man’s full name and the woman’s first name and last initial. The invitation contains a web link that promises the victim nude pictures and videos of the woman.
When the man clicks on the link, he’s taken to a web page (see below) that includes the woman’s name and a profile photo from her social media account. There’s also a “teaser” picture or video that shows someone’s legs in the act of disrobing. That teaser photo is, of course, fake, but it serves its purpose.
Like most phishing attacks, this one tries to create a sense of urgency, saying the nude pictures and videos will disappear soon. It also requires the victim to sign up for an account to view them. The website asks for username, password, and email address. (See log-in page below.) It could also serve up malware to attack your computer or smartphone, or any number of other attacks.
How do the attackers make sure the victim goes to the web page made specifically for him? Each malicious text message includes a unique code as part of the web link, a code that’s sent to only that specific victim. It takes him directly to the web page created just for him. If anyone else happens across the web site, they’re redirected to a general, familiar website. Likewise, if a victim tries to go to his custom web page more than once, he’s redirected to a general website.
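The two indicators the post singles out, a domain registered only a day earlier and a link whose path token differs for every recipient, are exactly what a security team can check when several people report the same text. The following Python script is an added illustration, not code from LifeLock or the original post: it parses a constructed batch of reported SMS messages, groups the links by host, tests whether each host hands out a distinct path per recipient, and compares the domain’s creation date (a constructed stand-in for a WHOIS/RDAP lookup) against the report date. All hostnames, tokens, phone numbers and dates are invented, and the 30-day age threshold is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import date
from urllib.parse import urlsplit

# Constructed sample of reported SMS messages (invented for this example).
# Each tuple is (reporting recipient, message body).
REPORTED_SMS = [
    ("+15550001", "John Smith, Sarah K. shared private photos with you: https://photos-example.invalid/v/8f3a1c9d"),
    ("+15550002", "Mike Jones, Emily R. shared private photos with you: https://photos-example.invalid/v/2b7e4410"),
    ("+15550003", "Dave Brown, Anna L. shared private photos with you: https://photos-example.invalid/v/c01d99ab"),
    ("+15550004", "Your package is waiting: https://parcel-example.invalid/track"),
    ("+15550005", "Your package is waiting: https://parcel-example.invalid/track"),
]

# Constructed domain creation dates standing in for a WHOIS/RDAP lookup.
DOMAIN_CREATED = {
    "photos-example.invalid": date(2018, 3, 14),   # registered "yesterday"
    "parcel-example.invalid": date(2012, 6, 1),    # long-established
}

# Assumed date on which the reports were triaged.
REPORT_DATE = date(2018, 3, 15)

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def extract_urls(text):
    """Return every http(s) URL found in a message body."""
    return URL_RE.findall(text)


def campaign_features(messages, created, today):
    """Summarise, per link host, how many recipients saw it, whether every
    recipient received a distinct path (a per-victim token), and the
    domain's age in days on the report date (None if unknown)."""
    by_host = defaultdict(lambda: {"recipients": set(), "paths": set()})
    for recipient, body in messages:
        for url in extract_urls(body):
            parts = urlsplit(url)
            host = parts.hostname or ""
            path = parts.path + ("?" + parts.query if parts.query else "")
            by_host[host]["recipients"].add(recipient)
            by_host[host]["paths"].add(path)

    features = {}
    for host, info in by_host.items():
        n = len(info["recipients"])
        age = (today - created[host]).days if host in created else None
        features[host] = {
            "recipients": n,
            # Two or more recipients and as many distinct paths as recipients:
            # the link is individualised, as the post describes.
            "per_recipient_link": n >= 2 and len(info["paths"]) == n,
            "domain_age_days": age,
        }
    return features


def flag_campaigns(messages, created, today, max_age_days=30, min_recipients=2):
    """Return hosts that look like a personalised campaign on a fresh domain."""
    flagged = []
    for host, f in campaign_features(messages, created, today).items():
        young = f["domain_age_days"] is not None and f["domain_age_days"] <= max_age_days
        if f["recipients"] >= min_recipients and f["per_recipient_link"] and young:
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    for host, f in campaign_features(REPORTED_SMS, DOMAIN_CREATED, REPORT_DATE).items():
        print(host, f)
    print("flagged:", flag_campaigns(REPORTED_SMS, DOMAIN_CREATED, REPORT_DATE))
```

Only the photo-sharing host is flagged: every recipient got a different path and the domain is a day old. The parcel lure goes to the same path for everyone on a domain registered years earlier, so it fails both tests. Because the post notes that the attackers change domains at will, the per-recipient-link test is the more durable of the two signals; the age check mainly reduces false positives from legitimate services that also issue unique links.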
Phishing attacks are nothing new, but as the public has become savvier, criminals are using new techniques—like this. Don’t let your guard down.
Posted by Joe Gervais, LifeLock cybersecurity expert
Attempt to Capture Log-in Information: