Voicemail phishing campaign targets users’ login credentials

• A new phishing campaign pretending to be a voice delivery notification from RingCentral tricks users into entering their passwords twice.
• This voicemail phishing campaign uses EML attachments and contains Preview, Listen, and Save Audio links that all go to the same webpage.

A new phishing campaign pretending to be a voicemail notification from RingCentral prompts users to log in to retrieve it. This campaign tricks users into entering their passwords twice in order to confirm that they are providing the correct login credentials.

These phishing emails have subject lines such as ‘Voice: Message’, ‘Voice Delivery Report’, or ‘PBX Message’. “New Voicemail message from (EXT 61). Double click on the attached file to listen,” the body of the email read, BleepingComputer reported.

EML Attachments

This voicemail phishing campaign uses EML attachments and contains Preview, Listen, and Save Audio links that all go to the same webpage.

• Once users click on the EML attachment, it will be displayed as a preview in the Outlook client instead of opening in their own Window.
• This makes it easier to trick users into clicking on the Preview, Listen, or Save Audio links.
• Upon clicking on the links, users will be redirected to a phishing web page that pretends to be a Microsoft Account login page.
• This phishing login page urges users to log in.
• Upon entering passwords to log in, the page throws a message stating you have entered a wrong password and prompts users to enter passwords again.
• Upon entering the password a second time, the phishing page will play an mp3 recording of a voicemail. This adds a degree of legitimacy to the email in order to prevent users from becoming suspicious.

Passwords entered twice

Prompting users to enter their passwords twice is to double-verify the passwords entered by them. Phishing researcher NullCookies told BleepingComputer that only a “subset of kits do that”.

“Continuously showing an incorrect password alert can also be used to avoid redirecting to the impersonated company’s website. This gives the phishing scam additional concealment,” NullCookies said.

Recommendations

• It is always best to not open email or any attachment from an anonymous sender.
• It is recommended to contact the sender to verify the email before opening it.
• In case if anyone has opened the attachment, check the address in the browser's address bar to whether it is legitimate.
• If you find the address to be suspicious, it is recommended to close the browser and not continue.
• In case if you’ve fallen for the phishing scam, ensure that you change your passwords.