Phishers Now Impersonate Pfizer to Target Victims

What has happened?

• The attackers are using clean PDF attachments with newly registered domains that seem to be valid Pfizer online spaces. Then, they use spawn email accounts for email distribution to bypass email protection.
• The domains were registered using the famous domain name registrar Namecheap that accepts cryptocurrency as a payment method, providing anonymity to threat actors.
• The register domains (e.g. pfizer-nl[.]com) may easily fool unsuspecting users into believing it's the genuine online portal of Pfizer Netherlands.

The attack chain

• Out of the 400 samples, the attackers mostly used a three-page PDF document discussing payment terms, due dates, and other information that is usually involved in a genuine request for quotation.
• The attached PDF wasn't laden with phishing URLs or malware-dropping links that may alert email security tools. It didn’t include any typo that may raise suspicion.
• The recipients were asked to send their quotes at the impersonated Pfizer domain addresses, for example, quotation@pfizersupplychain[.]com and quote@pfizerbvl[.]com.
• The payment terms included in the PDF may imply that the attackers will request the recipient to share their banking info.

Conclusion