{"id":17965,"date":"2021-02-03T01:24:34","date_gmt":"2021-02-02T21:24:34","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/the-hunt-for-mailing-lists\/17965\/"},"modified":"2021-02-03T01:25:00","modified_gmt":"2021-02-02T21:25:00","slug":"the-hunt-for-mailing-lists","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/the-hunt-for-mailing-lists\/17965\/","title":{"rendered":"The hunt for mailing lists"},"content":{"rendered":"<p>As dangerous as it is when consumers think they\u2019re too boring to be of interest to cybercriminals, it\u2019s worse to hear the same from SMB owners. When they neglect basic protection, that suits cybercriminals just fine \u2014 their targets aren\u2019t always what you might expect. One example comes from a message that fell into our mail trap recently: phishing aimed at hijacking an e-mail service provider (ESP) account \u2014 for mailing lists.<\/p>\n<h2>How mail service phishing works<\/h2>\n<p>The scam begins with a company employee receiving a message confirming payment for a subscription to an ESP. The link in the message is supposed to give the recipient access to proof of purchase. If the recipient is indeed a client of the ESP (and the phishing does target actual clients), they are likely to click through, hoping to figure out the anomalous payment.<\/p>\n<p>Although the hyperlink seems to lead to an ESP page, it really points somewhere else entirely. 
Clicking it takes victims to a fake site that looks very much like a legitimate login page.<\/p>\n<div id=\"attachment_38634\" style=\"width: 1628px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/02\/03012443\/the-hunt-for-mailing-lists-letter-en.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-38634\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/02\/03012443\/the-hunt-for-mailing-lists-letter-en.png\" alt=\"Two login screens. Fake page is on the left.\" width=\"1618\" height=\"855\" class=\"size-full wp-image-1796817966\"><\/a><p id=\"caption-attachment-38634\" class=\"wp-caption-text\">Two login screens. Fake page is on the left.<\/p><\/div>\n<p>At this point, readers won\u2019t be surprised to learn that any data entered on the fake login page goes straight to the cybercriminals behind the scam. Note, however, that in addition to the misdirection, the fake site transmits the data it harvests over an unprotected channel. The attackers didn\u2019t even bother to replicate the CAPTCHA, although they did insert an example in the e-mail field. We should see a flag in the lower right corner as well. But most users are unlikely to spot those discrepancies.<\/p>\n<h2>Why losing access to an ESP account is dangerous<\/h2>\n<p>In the best-case scenario, having gained control over an ESP account, the attackers will use the list of client e-mail addresses to send spam. Industry-specific mailing lists fetch a higher price on the black market than simple collections of random e-mail addresses, however; knowing a company\u2019s line of work helps cybercriminals tailor their spam.<\/p>\n<p>Given the cybercriminals\u2019 phishing specialty, it is likely that everyone on the stolen lists will receive a phishing e-mail that appears to come from the company. 
At that point, whether the recipient subscribed to a newsletter or is actually a client, they are likely to open a message, read it, and even click on a link in it. The sender doesn\u2019t seem suspicious.<\/p>\n<h2>Masking methods<\/h2>\n<p>Studying the phishing e-mail in detail, we found it had been sent through a mailing service, but a different one (a competitor of the ESP from which it purported to come). For the logic behind that decision, see our post \u201c<a href=\"https:\/\/www.kaspersky.com\/blog\/phishing-via-esp\/37467\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Phishing through e-mail marketing services<\/a>.\u201d Interestingly, to prolong the life of the campaign, the cybercriminals even made a landing page for their \u201cmarketing firm.\u201d (The page title, \u201cSimple House Template,\u201d isn\u2019t particularly convincing, though.)<\/p>\n<div id=\"attachment_38633\" style=\"width: 1118px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/02\/03012455\/the-hunt-for-mailing-lists-landing-en.png\"><img decoding=\"async\" aria-describedby=\"caption-attachment-38633\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/02\/03012455\/the-hunt-for-mailing-lists-landing-en.png\"><\/a><p id=\"caption-attachment-38633\" class=\"wp-caption-text\">A landing page for the fake \u201cmarketing firm\u201d.<\/p><\/div>\n<p>The foregoing suggests the attackers might have detailed knowledge of the mechanisms of various mailing services, and they might attack other ESPs\u2019 clients as well.<\/p>\n<h2>How to guard against phishing<\/h2>\n<p>To avoid getting hooked, follow the standard tips:<\/p>\n<ul>\n<li>Avoid clicking links in unexpected messages, in particular any asking you to log in to a service. Even if the message looks legitimate, just open a browser and manually type in the name of the site.<\/li>\n<li>Check site security. 
If your browser does not recognize a site as secure, then someone can intercept your username and password.<\/li>\n<li>Learn how to spot standard signs of phishing, and then teach your entire staff how to do the same. You don\u2019t need to create your own classes; <a href=\"https:\/\/k-asap.com\/en\/?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">online training platforms<\/a> are available for that purpose.<\/li>\n<li>Use <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security\/mail-server?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____ksms___\" target=\"_blank\" rel=\"noopener nofollow\">specialized solutions<\/a> to filter out spam and phishing from corporate mail.<\/li>\n<li>Install and update <a href=\"https:\/\/me-en.kaspersky.com\/small-to-medium-business-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">security solutions<\/a> on all work devices, so that even if someone clicks a phishing link, the danger will be averted.<\/li>\n<\/ul>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kesb-trial\">\n","protected":false},"excerpt":{"rendered":"<p>Cybercriminals are sending phishing e-mails to hijack access to ESP 
accounts.<\/p>\n","protected":false},"author":2598,"featured_media":17970,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1917],"tags":[1815,2416,2095,1799,76],"class_list":{"0":"post-17965","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-e-mail","10":"tag-esp","11":"tag-mail","12":"tag-mailings","13":"tag-phishing"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/the-hunt-for-mailing-lists\/17965\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/the-hunt-for-mailing-lists\/22474\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/the-hunt-for-mailing-lists\/24179\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/the-hunt-for-mailing-lists\/22257\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/the-hunt-for-mailing-lists\/20971\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/the-hunt-for-mailing-lists\/24640\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/the-hunt-for-mailing-lists\/23847\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/the-hunt-for-mailing-lists\/30050\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/the-hunt-for-mailing-lists\/9303\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/the-hunt-for-mailing-lists\/38632\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/the-hunt-for-mailing-lists\/16350\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/the-hunt-for-mailing-lists\/16966\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/the-hunt-for-mailing-lists\/14445\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/the-hunt-for-mailing-lists\/26174\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/the-hunt-for
-mailing-lists\/29976\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/the-hunt-for-mailing-lists\/26659\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/the-hunt-for-mailing-lists\/23510\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/the-hunt-for-mailing-lists\/28854\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/the-hunt-for-mailing-lists\/28661\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/e-mail\/","name":"e-mail"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/17965","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2598"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=17965"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/17965\/revisions"}],"predecessor-version":[{"id":17969,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/17965\/revisions\/17969"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/17970"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=17965"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=17965"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=17965"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}