A new phishing campaign has been discovered that redirects users to browser hijacker malware. The phishing technique employed in this campaign is also commonly used by tech support scams, which are known to use scare tactics to lure victims.

In this phishing campaign, an email message displays a fake error message and a phone number. The message is designed to trick users into thinking their machine is infected with malware and that they must pay for technical support. The scam was discovered by McAfee researchers, who believe the campaign is relevant to both consumers and corporate users, since businesses depend heavily on email for communication.

Attack method

Unlike many other sophisticated tech support phishing emails, in this particular campaign the scammers engage potential victims directly through the malicious emails, asking them to click on a box in order to view the contents of the email.

When users click the box, they are redirected to a malicious URL that, in turn, asks them to enter their credentials. The page also shows a pop-up message that reads: “Logged out due to inactivity, Sign in to continue”.

Meanwhile, the malware also switches the browser to a full-screen display and does not allow users to close the fake Outlook page.

“This behavior resembles ransomware since the user is unable to exit the browser as it enters full-screen mode,” McAfee researchers said in a blog.

Additional details

The email addresses identified in the attacks were all legitimate accounts that had previously been compromised by the threat actors. However, McAfee researchers did not share the email hashes, as they contained customer information.

According to the security researchers, the domains used by the threat actors to distribute these phishing emails were all purchased from Namecheap, a domain name registrar that also sells domain names registered to third parties.

Staying safe from these scams

  • Links shared from an unknown source are not trustworthy. Always verify a link by hovering the mouse pointer over it to view the actual destination page before clicking.
  • If you fall victim to such an attack and the fake credential-theft page does not close, use Ctrl+Alt+Delete on your Windows computer to end the respective browser process.
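The "hover over the link" check above can also be done programmatically over an email's HTML body, which is useful when triaging reported messages in bulk. The example below is added here and is not code from the Cyware article or McAfee's research; the sample email body and the sender domain it is checked against are constructed for illustration, and it uses only the Python standard library.

```python
"""Flag links in an HTML email whose real target does not match what the
reader sees (visible URL text) or the domain the mail claims to come from.
Added example; sample body and sender domain are constructed, not real."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: a "click the box to view" lure pointing to an
# unrelated host, plus one link whose visible text is a different URL.
SAMPLE_BODY = """
<p>You have 1 new message. Logged out due to inactivity.</p>
<a href="https://login-verify.example.net/owa/">
  <div style="border:1px solid #ccc;padding:8px">View message</div></a>
<a href="https://login-verify.example.net/owa/">https://outlook.office.com/mail</a>
<a href="https://mail.example.com/help">Help</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:          # text inside the current <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join(" ".join(self._text).split())  # normalise whitespace
            self.links.append((self._href, text))
            self._href = None


def suspicious_links(html_body, sender_domain):
    """Return (href, text, reason) for every link a hover would expose."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown and shown.lower() != host:
            findings.append((href, text, "visible URL differs from real target"))
        elif host and host != sender_domain and not host.endswith("." + sender_domain):
            findings.append((href, text, "target host outside sender domain"))
    return findings
```

Run `suspicious_links(SAMPLE_BODY, "example.com")` to see both lure links reported; the "Help" link to the sender's own domain is not flagged.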
Cyware Publisher