Researchers warn of emails pretending to help business employees upgrade to Windows 10, & then stealing their Outlook emails & passwords.
An ongoing phishing attack puts pressure on enterprise employees to upgrade their Windows 7 systems. In reality, they are redirected to a fake Outlook login page that steals their credentials.
Lagging Behind
Windows 7 reached end-of-life (EOL) on Jan. 14, with Microsoft urging enterprises to upgrade to its Windows 10 operating system. While Windows 10 was released in 2015, the issue of upgrading end-user machines mean that many companies have been lagging behind with updates.
“This explains why enterprises wait, sometimes for years, before taking the plunge,” observed Kaleb Kirk, researcher with Cofense in a Friday analysis. “Unfortunately, these delays give the bad guys time to refine exploitation techniques on older operating systems lacking the latest architecture.”
The phishing emails in question, entitled “Re: Microsoft Windows Upgrade,” use the “re” prefix, which researchers said may instil a sense of urgency by leading the user to believe they have missed a prior communication about the upgrade.
Outdated
The email tells recipients, “Your Office Windows computer is Outdated & an Upgrade is scheduled for replacement Today,” & includes a schedule (some strange capitalisation & spacing is utilised, serving as ‘red flags’ that the email is not legitimate).
It then tells users, “To Upgrade your Windows 10, please open your browser to the Windows 10 Upgrade Project Site,” pointing to a URL. This link then takes the recipient to the phishing landing page.
Below the URL, the emails included additional detail telling the user what they can expect from the upgrade process, & a colour-coded list with items like: “COVID-19 employee symptom tracker,” “access your pay slips & P60s” & “access the new staff directory.”
Genadiy
One problem in the phishing email is that the “From:” line shows a compromised account titled “Genadiy,” which may be a warning sign for the intended victim, as it is not from their company domain’s IT department. Researchers commented that the phishing scam would be more believable if the sender were instead more generic, such as “Helpdesk.”
“We give this threat actor 2 gold stars for the table with made-up laptops, fake serial numbers, building, etc.,” suggested Kirk. “It applies a good sense-of-urgency ploy using the highlighted ‘Today’ & the body doesn’t have obvious grammar or spelling errors. Again, not completely awful.”
Phishing
If recipients click on the URL in the email, they are taken to the phishing landing page, which looks like an Outlook Web App (OWA) login page asking for their email address, domain/username & password.
However, this is where the phishing scam appears to fall apart. Researchers commented that the page “gets a D- for lack of effort,” stressing that attackers “wasted a valid SSL certificate on a terrible version of an OWA login page.”
If recipients overlook the red flags surrounding this fake Outlook login page, & enter their credentials, they are then redirected to the Microsoft page about the discontinued support of Windows 7.
Cisco’s Webex
Researchers explained that phishing emails have relied on upgrade, & update themed lures, for a while. In April, a phishing campaign roped in victims with a recycled Cisco security advisory that warned of a critical vulnerability.
The campaign asked victims to “update,” then stole their credentials for Cisco’s Webex web conferencing platform instead.
Official Support
However, with Windows 7 ending official support, enterprises can expect an increase with better, more sophisticated versions of this kind of phishing attack, they outlined.
“We look at phishing emails that bypass commercial gateways all day, every day,” mentioned Kirk. “Most of them are hastily slapped together. This lure needs improvement, but it is not completely awful…. Will we see an uptick in this phishing lure? It will depend on the success rate of this theme. Time will tell.”
https://www.cybernewsgroup.co.uk/virtual-conference-november-2020/
