Resurgence of Vacation Request-Themed Phishing

A new report reveals the return of a phishing campaign using paid time off (PTO) and vacation requests as a lure.

On May 23, 2023, Cofense researchers reported a phishing campaign with threat actors leveraging paid time off (PTO) and vacation requests as a lure theme.

Context

The report is based on a Phishing Defence Center (PDC)-reported a phishing campaign where threat actors sent emails to users claiming to be from ‘HR Departments’ and providing the users with links to submit annual leave requests.

Technical Details

The campaign’s infection chain proceeds as follows:

  1. “The user is informed via email that they must log in to their HR portal to verify their dates of annual leave.”
  2. “Once the user selects the URL in the email, they will be directed to the login page.”
  3. The login page mimics the targeted employee’s company login page with branding and color schemes.
  4. “Once the user has entered and submitted their credentials to the form, it will fail on the first two attempts. This is a technique used by the threat actor to ensure the user is typing the password correctly or to use a different password in an attempt to gather multiple credentials. At the third attempt, the credentials will appear to have been processed successfully and the user is redirected to the company’s legitimate home page.”

Community Impact

Given the approach of summer, it is likely that similar phishing lures will become more widely used in the next months. The lure, when combined with skillfully crafted malicious login pages, could help similar campaigns to be more effective in harvesting employee credentials. Organizations are encouraged to promote cybersecurity awareness among employees, especially phishing tactics awareness.

IOCs

Cofense researchers provided the following indicators of compromise (IOCs):

Indicator

Type

hXXps://prod-api[.]mailtag[.]io/link
-events?mt__url=hXXps%3A%2F%2
Fgeocities[.]ws%2F2067k%2Ff3002k
300r820-382200h%2F123[.]shtml&m
t__id=b5f5d386-9c3c-4383-9223-848
13d047f98# 

URL

hXXps://20se-infura–ipfs-io[.]translate
[.]goog/3cbab51d-6f44-4569-b131-140
fd3802204/ajax?_x_tr_sl=auto&_x_tr_t
l=en&_x_tr_hl=en-US&_x_tr_pto=wapp
&u=hXXps%3A%2F%2Ffortonemold[.]com
%2FM6%2FwebGRqZGpkbmF1d2llZDA5
MzAzMDNtZG1kbWRtZA%2FwebGRqZG
pkbmF1d2llZDA5MzAzMDNtZG1kbWRtZ
A[.]php%3Femail%3 

URL

34[.]211[.]43[.]45 

IP Address

52[.]35[.]199[.]214 

IP Address

172[.]253[.]122[.]132 

IP Address

More Recent Blog Posts

2024 RH-ISAC Cyber Intelligence Summit logo

Register for RH-ISAC Summit

Our biggest event of the year is coming up soon! Join RH-ISAC April 9-11 in Denver for our annual three-day conference featuring interactive, practitioner-led discussions, breakout sessions, and keynote presentations.