Hurricane Michael phishing schemes see scammers trying to steal users’ credentials

• Scammers were found using specially crafted malicious PDF documents to trick victims into divulging credentials.
• The final phishing pages were found hosted on the Microsoft Azure Blob storage platform.

Hurricane Michael’s destruction has attracted online scammers looking to prey on people who want to make kind-hearted donations for affected people and property. A new phishing campaign capitalizing on the hurricane was found leveraging the blob storage on Microsoft Azure’s infrastructure to inexpensively host phishing emails.

The Federal Insurance and Mitigation Administration (FIMA) has released a notice warning victims recovering from the disaster caused by Hurricane Michael about these phishing campaigns. FIMA also warned victims to beware of frauds and scams when seeking disaster assistance.

Phishing email’s taking advantage of Hurrican Michael attempt to steal credit card numbers used for fake donations or steal funds directly via fraudulent donations. Most importantly, these campaigns are found to leverage the blob storage on Microsoft Azure infrastructure.

Malicious email attachments

Many of the phishing campaigns involved with Hurrican Michael were found using malicious PDF documents attached to emails. Scammers used embedded links and social engineering methods to trick victims into clicking these malicious links. Some of the campaigns have also been using stolen branding images and text form actual government agencies.

Once a victim has clicked on the malicious links, he/she is redirected to a secondary link shortener - bit.ly - and then, redirected to the final phishing landing page. Security researchers said that the clickthrough rates appear to be relatively low for these links, with just over 500 total clicks for the three malicious URL’s observed in a single campaign.

Some of the file names used in malicious PDF attachments include:

• florida hurricane michael emergency and recovery procurement.pdf
• florida hurricane michael emergency and disaster recovery procurement.pdf
• vdot hurricane michael emergency and recovery procurements.pdf

Phishing pages hosted using Microsoft Azure blob

Although these links have low click rates, the final URL’s are hosted on official windows[.]net domains since August this year.

• https:[//]dropboxembright19604.blob.core.windows[.]net
• https:[//]onedriveunfragrant26.blob.core.windows[.]net
• https:[//]onedrivechowry495462.blob.core.windows[.]net

Researchers said that this tactic used by scammers is inexpensive but effective for scams purporting to be legitimate Microsoft services. Many other phishing domains abusing the Microsoft blob hosting services was also published by Proofpoint researchers, in a blog post.

All these pages trick victims into entering their email credentials. Phishing campaigns that circulate in the wild during natural disasters are generally focused on credential theft, targeting both corporate and personal emails, rather than credit card or financial theft.

Hence, those wishing to make charitable donations or seek assistance should be wary of charities with names that resemble legitimate and nationally known charity organizations and government websites. Recipients who are used to submitting email credentials to log into multiple web services should quit the practice.

“Fraud and scams always appear around major events, whether the Olympics, presidential races, or hurricanes. These events serve as lures for both related and unrelated phishing, fraudulent transactions, and straight theft,” Proofpoint researchers said. “Threat actors are capitalizing on both this desensitization and our desire to do good. While none of these are new tactics on their own, the combination is of interest to defenders and potential victims.”