Two new phishing campaigns have been discovered in the last three weeks that have seen phishers sink to new depths. An active shooter phishing campaign has been discovered that uses fear and urgency to steal credentials, while a Syrian refugee phishing campaign takes advantage of compassion to boost the chance of victims paying ransom demands.
Mass shootings at U.S schools are increasing, with the latest incident in Parkland, Florida putting teachers and other staff on high alert to the danger of campus shootings. A swift response is essential when an active shooter alert is released. Law enforcement must be alerted quickly to catch the suspect and children and staff must be protected.
It is therefore no shock that fake active shooter threats have been seen in the phishing campaign. The emails are developed to get email recipients to click without thinking to see further information on the threat and have been developed to inflict fear and panic.
The active shooter phishing campaign was being deployed in a targeted attack on a single Florida school – an area of the country where teachers are very concerned about the threat of shootings, given recent events in the state.
Three active shooter phishing email variants were identified to the anti-phishing and security awareness platform supplier KnowBe4, all of which were used to send recipients to a fake Microsoft login page where they were asked to enter in their login details to view the alert. Doing so would give those credentials to the hacker.
The email subject lines used – although other variants could also be in seen – were:
- IT DESK: Security Alert Reported on Campus
- IT DESK: Campus Emergency Scare
- IT DESK: Security Concern on Campus Earlier
It is probably that similar campaigns will be carried out the future. Irrespective of the level of urgency, the same rules apply. Stop and consider any message before taking any action suggested in the email.
Phishing campaigns often target crises, major world events, and news of sports tournaments to influence users to click links or download email attachments. Any news that is current and attracting a lot of interest is more likely to lead to users taking the desired action.
There have been many Syrian refugee phishing campaigns run recently that take advantage of compassion to infect users with malware and obtain their credentials. Now cybersecurity researchers at MalwareHunterTeam have discovered a ransomware campaign that is using the drastic situation in Syria to convince victims to pay the ransom – By indicating the ransom payments will go to a very good cause: Assisting refugees.
Infection with what has been labelled RansSIRIA ransomware will see the victim shown a ransom note that claims all ransom payments will be sent to the victims of the war in Syria. A link is also given for a video showing the seriousness of the situation in Syria and links to a WorldVision document outlining the plight of children caught in the middle of the war.
While the document and images are authentic, the claim of the hackers probably is not. There is no evidence that any of the ransom payments will be sent to the victims of the war. If infected, the advice is not to pay and to try to recover files by other methods.
