Submit Your Credentials Now! Timed Phishing Attack
The News
An interesting blog post from the folks over at Cofense detailed a phishing campaign that uses a "hurry up now!" countdown timer to pressure phishing victims into providing credentials. The phishing campaign is from an alleged security company called "DNS Domain Name Server" which, as Cofense pointed out, is "techy" enough to make unsuspecting users think it might be real. The email asks recipients to verify a "suspicious sign in" from an unexpected geolocation. We know what happens next: the user is pushed to provide their credentials.
However, in this case, the victim arrives at a web page that shows a loop of randomly-generated user accounts, all on the victim's domain, "being deleted in real time". There's a countdown timer which is meant to, as you can assume, force the user to panic and provide their credentials ASAP to "avoid deletion." I grabbed a copy of this picture from Cofense's blog; see below:
After providing their credentials in a frenzy, users are redirected to a choice of "try again" or their company homepage.
Hot Take
Seeing a "crossover" of techniques/tactics amongst threat actors and/or threat objectives is always an interesting observation. As Cofense pointed out, we're used to seeing countdown-based techniques in ransomware cases, where they are meant to force payment quickly. I think this is an interesting move by adversaries to collect credentials for later use; it clearly shows some intention in the campaign. I'd be curious how widespread this campaign is.
I wonder what's driving it - do they need more credentials, and are thus resorting to this type of technique? Or is it a simple "let's see if this works"? The motives behind why threat actors do what they do are always an interesting study - I'll be keeping an eye out to see if something like this is observed much more often.
What To Do Next?
The problem with phishing is that an email like this may easily bypass email security defenses. There's our first false sense of security - if it's in my inbox, it's legitimate, right? Of course, we know this isn't the case. This is yet another chance for user education.
The key elements of this email are ones that deserve some analysis, perhaps even case studies, for users. Look at the email's constant rush and hurriedness. Statements like "PROVIDE THIS NOW!" are concerning and users should look out for them. In fact, I'd go as far as to say "If you see an email with extreme hurriedness in it, send it to the security team."
On that same note - another potential point for user education is to consider the email being sent, and who it should be sent to. Would an invoice from a legitimate vendor be sent, at random, to someone in the HR department (just an example)? Absolutely not. Similarly, would a legitimate "your accounts are being deleted" email be sent to someone in marketing (just an example)? No - it would be sent to the appropriate technical parties.
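The two cues above (extreme urgency, and a notice arriving at a department that never legitimately receives it) can be turned into a simple triage heuristic for the security team. This is an added example, not code from Cofense or from this post; the cue lists, the department-to-topic mapping and the scoring weights are constructed assumptions to be tuned against your own mail stream.

```python
import re
from dataclasses import dataclass, field

# Constructed cue lists for the signals the post describes; tune for your mail stream.
URGENCY = [r"\bnow\b", r"\bimmediately\b", r"\bwithin \d+ (minutes|hours)\b", r"\burgent\b"]
THREAT = [r"\bdelet(ed|ion)\b", r"\bsuspend(ed)?\b", r"\bcountdown\b", r"\bexpir(e|es|ed)\b"]
CRED_ASK = [r"\bverify\b", r"\bsign[- ]?in\b", r"\bpassword\b", r"\bcredentials?\b"]

# Constructed directory: which departments legitimately receive which notice types.
TOPIC_OWNERS = {"account_admin": {"it", "helpdesk"}, "invoice": {"finance", "ap"}}
TOPIC_PATTERNS = {"account_admin": r"\b(accounts?|sign[- ]?in|mailbox)\b", "invoice": r"\binvoices?\b"}

@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)

def _hits(patterns, text):
    # Number of distinct cue patterns present (each pattern counts at most once).
    return sum(1 for p in patterns if re.search(p, text, re.I))

def score_message(subject: str, body: str, recipient_dept: str) -> Verdict:
    text = f"{subject}\n{body}"
    v = Verdict()
    u, t, c = _hits(URGENCY, text), _hits(THREAT, text), _hits(CRED_ASK, text)
    if u:
        v.add(1, f"urgency cues ({u})")
    if t:
        v.add(1, f"loss/deletion threat ({t})")
    if c:
        v.add(1, f"credential request ({c})")
    # All three together is the pattern the post describes: rushed, threatening, asking to "verify".
    if u and t and c:
        v.add(2, "urgency + threat + credential request")
    if re.search(r"[A-Z]{4,}!", text):
        v.add(1, "shouted demand")
    # Role mismatch: an admin-style notice delivered to a department that never gets them.
    for topic, pat in TOPIC_PATTERNS.items():
        if re.search(pat, text, re.I) and recipient_dept.lower() not in TOPIC_OWNERS[topic]:
            v.add(1, f"{topic} notice sent to {recipient_dept}")
    return v

def is_suspicious(v: Verdict, threshold: int = 4) -> bool:
    return v.score >= threshold
```

The reasons list is what a reviewer wants when the score crosses the threshold: it names the exact cues that fired, which doubles as material for the case studies suggested above.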
As always - if it doesn't feel right, don't click. Don't submit your credentials. Ask someone to validate for you.