

Rewterz Threat Advisory – CVE-2020-3345 – Cisco Webex Meetings and Cisco Webex Meetings Server HTML Injection Vulnerability
July 22, 2020
Rewterz Threat Alert – Invoice Themed Phishing Emails
July 22, 2020
Severity
Medium
Analysis Summary
According to researchers, voicemail-message-themed phishing emails increased in July. The objective of the emails is to have the recipient click a link to a recording of a voice message that was left for them. The emails are crafted to appear as if they were automatically generated by the voice system. One of the emails analyzed led the recipient to a domain named to appear as a Cisco domain; the website pages mimicked those of a Cisco Unity Connection system and offered the victim a number of services to log in with, such as Gmail, Office 365, and Yahoo. Some of the emails led victims to a site that used Google's reCAPTCHA service to prevent automated analysis of the phishing pages. In all the emails analyzed, JavaScript was used, and in some cases external JavaScript files were used to render the HTML pages. Researchers note that these campaigns target enterprise users to obtain confidential data. Such data may be sold, or may provide information to be used in further attacks to gain a foothold within the enterprise.



Impact
- Credential theft
- Exposure of sensitive data
Indicators of Compromise
URL
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.
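As a complement to blocking the indicators, the following added example (not part of the original advisory) refangs indicators published in defanged form such as `http[:]//host[.]tld` and searches web proxy logs for requests to those hosts or their subdomains. The indicators, the log layout and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed placeholder indicators in defanged form (not from the advisory).
DEFANGED_IOCS = [
    "http[:]//voicemail-lure[.]example",
    "hxxp://vm-portal[.]example/listen",
]

# Constructed proxy log lines: timestamp, client IP, method, URL.
SAMPLE_LOG = """\
2020-07-22T09:14:03Z 10.0.4.17 GET http://voicemail-lure.example/play?id=7
2020-07-22T09:14:09Z 10.0.4.17 GET https://intranet.corp.example/home
2020-07-22T09:15:41Z 10.0.9.52 GET http://Login.VM-Portal.example./auth
2020-07-22T09:16:02Z 10.0.9.52 GET http://notvm-portal.example/
"""

def refang(indicator):
    """Undo common defanging: [.] (.) [:] and hxxp."""
    s = re.sub(r"\[\.\]|\(\.\)", ".", indicator.strip()).replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)

def host_of(url):
    """Lower-cased hostname without a trailing root dot ('' if none)."""
    return (urlsplit(url).hostname or "").rstrip(".")

def build_blocklist(indicators):
    return {host_of(refang(i)) for i in indicators} - {""}

def is_blocked(host, blocklist):
    """True for a listed host or any subdomain; label-aligned, so
    'notvm-portal.example' does not match 'vm-portal.example'."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def find_hits(log_text, blocklist):
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines
        ts, client, _method, url = fields[:4]
        host = host_of(url)
        if host and is_blocked(host, blocklist):
            hits.append((ts, client, host))
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG, build_blocklist(DEFANGED_IOCS)):
        print(*hit)
```

Each hit identifies a client that reached a listed host, which is the starting point for checking whether that user submitted credentials on the page.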