The hunt for mailing lists

Cybercriminals are sending phishing e-mails to hijack access to ESP accounts.

As dangerous as it is when consumers think they’re too boring to be of interest to cybercriminals, it’s worse to hear the same from SMB owners. When they neglect basic protection, that suits cybercriminals just fine — their targets aren’t always what you might expect. One example comes from a message that fell into our mail trap recently: phishing aimed at hijacking an e-mail service provider (ESP) account — for mailing lists.

How mail service phishing works

The scam begins with a company employee receiving a message confirming payment for a subscription to an ESP. The link in the message supposedly leads to proof of purchase. If the recipient really is a client of that ESP (and the phishing does target actual clients), they are likely to click through, hoping to find out what the unexpected charge is for.

Although the hyperlink seems to lead to an ESP page, it really points somewhere else entirely. Clicking it takes victims to a fake site that looks very much like a legitimate login page.

Two login screens. Fake page is on the left.

At this point, readers won’t be surprised to learn that any data entered on the fake login page goes straight to the cybercriminals behind the scam. Note, however, that in addition to the misdirection, the fake site transmits the data it harvests over an unprotected (unencrypted) connection, so anything typed into the form can also be read in transit. The attackers didn’t even bother to replicate the CAPTCHA, although they did insert an example in the e-mail field. The genuine page also shows a flag icon in the lower right corner, which the fake lacks. But most users are unlikely to spot those discrepancies.
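The two technical tells described above, a link whose visible text names one host while its href goes to another, and a login form served over plain HTTP, can both be checked mechanically before anyone clicks. The script below is an added example written for this article, not code from the original post or from any ESP: it parses the anchors out of an HTML message body with the Python standard library and flags display/href mismatches, links that leave the trusted domain, and non-TLS links. The ESP domain esp.example, the lookalike host esp.example.login-verify.invalid and the message body are all constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message body (not the phishing e-mail from the article).
# The first link shows an esp.example URL as its text but points to a lookalike
# host over plain HTTP; the second is clean; the third stays on the ESP's domain
# but is served without TLS.
SAMPLE_HTML = """
<p>Your subscription payment has been received.</p>
<p><a href="http://esp.example.login-verify.invalid/proof">https://esp.example/billing/receipt</a></p>
<p><a href="https://esp.example/help">Help center</a></p>
<p><a href="http://esp.example/unsubscribe">Unsubscribe</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host part of a URL, or '' if the URL has no host."""
    return (urlsplit(url).hostname or "").lower()


def same_site(host, trusted):
    """True if host is the trusted domain itself or a subdomain of it.
    Note that 'esp.example.attacker.invalid' is NOT a subdomain of 'esp.example':
    the trusted name must be at the end of the host, not the beginning."""
    return host == trusted or host.endswith("." + trusted)


def audit_links(html, trusted_domain):
    """Return [(href, [issue, ...]), ...] for every suspicious anchor in html.

    Issues raised:
      * the visible text is itself a URL whose host differs from the href's host
        (the misdirection used in the ESP phishing e-mail);
      * the href host is outside trusted_domain;
      * the href uses plain http, so a login form behind it sends credentials
        unencrypted.
    Clean anchors are omitted from the result.
    """
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        issues = []
        target = host_of(href)
        shown = host_of(text) if "://" in text else ""
        if shown and shown != target:
            issues.append(f"text shows {shown} but link goes to {target}")
        if target and not same_site(target, trusted_domain):
            issues.append(f"host {target} is outside {trusted_domain}")
        if urlsplit(href).scheme.lower() == "http":
            issues.append("plain HTTP: anything entered on this page travels unencrypted")
        if issues:
            findings.append((href, issues))
    return findings


if __name__ == "__main__":
    for href, issues in audit_links(SAMPLE_HTML, "esp.example"):
        print(href)
        for issue in issues:
            print("   -", issue)
```

Run against the constructed body, the first anchor is reported three times over (mismatched text, foreign host, plain HTTP) and the unsubscribe link once (plain HTTP); the help-center link is silent. The "outside the trusted domain" check deliberately anchors on the end of the hostname, because the lookalike trick is to put the real brand at the beginning of a host the attacker controls.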

Why losing access to an ESP account is dangerous

In the best-case scenario, having gained control over an ESP account, the attackers will simply use the list of client e-mail addresses to send spam. Even that is valuable: industry-specific mailing lists fetch a higher price on the black market than random collections of e-mail addresses, because knowing a company’s line of work helps cybercriminals tailor their spam.

Given the cybercriminals’ phishing specialty, it is more likely that everyone on the stolen lists will receive a phishing e-mail that appears to come from the company. At that point, whether the recipient merely subscribed to a newsletter or is actually a client, they are likely to open the message, read it, and even click on a link in it, because the sender is one they already know and trust.

Masking methods

Studying the phishing e-mail in detail, we found it had been sent through a mailing service, but a different one (a competitor of the ESP from which it purported to come). For the logic behind that decision, see our post “Phishing through e-mail marketing services.” Interestingly, to prolong the life of the campaign, the cybercriminals even made a landing page for their “marketing firm.” (The page title, “Simple House Template,” isn’t particularly convincing, though.)

A landing page for the fake “marketing firm”.

The foregoing suggests the attackers might have detailed knowledge of the mechanisms of various mailing services, and they might attack other ESPs’ clients as well.

How to guard against phishing

To avoid getting hooked, follow the standard tips:

  • Avoid clicking links in unexpected messages, in particular any asking you to log in to a service. Even if the message looks legitimate, just open a browser and manually type in the name of the site.
  • Check site security. If your browser does not mark a login page as secure (HTTPS with a valid certificate), anything you type can be intercepted on the way to the server. The reverse does not hold, though: a padlock only proves the connection is encrypted, not that the site is the one it claims to be, so still check the address.
  • Learn how to spot standard signs of phishing, and then teach your entire staff how to do the same. You don’t need to create your own classes; online training platforms are available for that purpose.
  • Use specialized solutions to filter out spam and phishing from corporate mail.
  • Install and update security solutions on all work devices, so that even if someone does click a phishing link, the malicious page can still be blocked.