Cybercriminals are now launching a highly targeted phishing campaign impersonating Pfizer. The goal of these phishing emails seems to be stealing business and financial information.
What has happened?
According to a report from INKY, the phishing campaign started on August 15.
The attackers are using clean PDF attachments with newly registered domains that seem to be valid Pfizer online spaces. Then, they use spawn email accounts for email distribution to bypass email protection.
The domains were registered using the famous domain name registrar Namecheap that accepts cryptocurrency as a payment method, providing anonymity to threat actors.
The register domains (e.g. pfizer-nl[.]com) may easily fool unsuspecting users into believing it's the genuine online portal of Pfizer Netherlands.
The attack chain
The report provides additional information regarding the ongoing phishing campaign, in which the subject lines of emails involved invitations to bid, equipment supply-related topics, and urgent quotations.
Out of the 400 samples, the attackers mostly used a three-page PDF document discussing payment terms, due dates, and other information that is usually involved in a genuine request for quotation.
The attached PDF wasn't laden with phishing URLs or malware-dropping links that may alert email security tools. It didn’t include any typo that may raise suspicion.
The recipients were asked to send their quotes at the impersonated Pfizer domain addresses, for example, quotation@pfizersupplychain[.]com and quote@pfizerbvl[.]com.
The payment terms included in the PDF may imply that the attackers will request the recipient to share their banking info.
Phishers are always known for using current news or events to fool unsuspecting users into clicking on such emails. Thus, always contact the company through their official website and contact address. Never believe in anything that comes from suspicious or unknown sources and stay vigilant.