A sophisticated phishing campaign observed since May 2020 has been increasingly targeting corporate leaders across various sectors, including manufacturing, real estate, finance, government, and technology. The primary objective is to extract sensitive information from these high-ranking individuals.

This campaign relies on social engineering: it sends emails that falsely notify recipients about the impending expiration of their Office 365 passwords. These messages contain embedded links that, when clicked, direct victims to a fraudulent page designed to capture their login credentials.
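A mail-filtering check for the lure described above, as an added example that is not from Trend Micro's report or the original article: it flags messages that combine Office 365 password-expiry wording with links whose host is outside a trusted list. The suffix list, function names and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Assumption: hosts this organization accepts for genuine Microsoft sign-in
# and password pages. Illustrative only; adjust to your own tenant.
TRUSTED_SUFFIXES = ("microsoft.com", "microsoftonline.com", "office.com", "office365.com")

# Password-expiry wording near a product name, in either order.
PRODUCT = r"(?:office\s*365|o365|microsoft\s*365)"
LURE = re.compile(rf"{PRODUCT}.{{0,80}}password.{{0,80}}expir"
                  rf"|password.{{0,80}}expir.{{0,80}}{PRODUCT}", re.I | re.S)
URL = re.compile(r"""https?://[^\s"'<>]+""", re.I)

def is_trusted(host):
    # Match the exact domain or a true subdomain, so a look-alike such as
    # "login.microsoftonline.com.example.test" is not accepted.
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def body_text(msg):
    # Decode every text/* part (plain and HTML) of the message.
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def suspicious_links(raw_email):
    """Return untrusted link hosts if the message uses the expiry lure, else []."""
    msg = message_from_string(raw_email)
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    if not LURE.search(text):
        return []
    hosts = (urlsplit(u).hostname for u in URL.findall(text))
    return sorted({h for h in hosts if h and not is_trusted(h)})

# Constructed sample messages (not taken from the campaign).
HEAD = "From: IT <it@example.test>\nContent-Type: text/html; charset=utf-8\n"
LURE_MAIL = (HEAD + "Subject: Your Office 365 password expires today\n\n"
             '<a href="https://login.microsoftonline.com.example.test/keep">Keep password</a>')
GENUINE_MAIL = (HEAD + "Subject: Office 365 password expiry reminder\n\n"
                '<a href="https://account.microsoft.com/security">Change password</a>')
OTHER_MAIL = HEAD + 'Subject: Quarterly report\n\n<a href="https://files.example.test/q3">Report</a>'

if __name__ == "__main__":
    for name, mail in [("lure", LURE_MAIL), ("genuine", GENUINE_MAIL), ("other", OTHER_MAIL)]:
        print(name, suspicious_links(mail))
```

A hit from a check like this is a signal for quarantine or analyst review rather than proof of phishing, since the wording match and the trusted list are both heuristics.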

Research conducted by Trend Micro highlights that attackers often focus on C-suite executives, who may not possess extensive cybersecurity knowledge, increasing their susceptibility to these deceptive tactics. “The attackers target high-profile employees who may not be as technically adept and could easily be tricked into clicking malefic links,” the researchers noted in their analysis.

The attackers’ strategic targeting of high-ranking employees increases the potential value of compromised credentials, which can lead to further unauthorized access to sensitive organizational information and to future attacks.

According to the findings, email addresses targeted in this campaign are primarily sourced from LinkedIn. The attackers may have also acquired these lists from marketing services offering contact details of C-level executives.

The phishing kit in question, now in its fourth version (V4), was first launched in July 2019. It has been enhanced to counteract bot detection and to serve alternate content when it encounters bots. Remarkably, the alleged developer of the kit advertised its V4 version on a “business” Facebook page in 2020.

Beyond distributing the phishing kit, the actor has also been identified selling stolen account credentials of top executives through social media platforms. The investigation by Trend Micro also uncovered links to forums where stolen credentials for C-level executives are being sold, ranging from $250 to $500—a concerning trend previously reported in late 2022.

Investigators identified at least eight compromised phishing sites utilizing the V4 kit, suggesting a coordinated effort among different actors targeting CEOs, presidents, and board members across the U.S., U.K., Canada, Hungary, the Netherlands, and Israel. This broad targeting suggests a high level of organization and intent in these phishing efforts.

Trend Micro’s researchers emphasize the necessity for organizations to monitor the information their employees disclose on personal social media pages. Information made public can be exploited by malicious actors employing social engineering tactics against them.
