Swish Data, a member of the Defense Industrial Base (DIB) committed to maintaining the highest level of organizational cybersecurity, has been diligently implementing the Cybersecurity Maturity Model Certification (CMMC) policies and practices. As we continuously evolve our capabilities under the Awareness and Training (AT) requirements, we regularly learn from and share information with the cybersecurity community. With that in mind, this blog covers the latest phishing threat we have seen: a scheme that pays users for their corporate credentials. It is a new take on an old playbook and a potentially very dangerous threat to organizations that have not trained their users to recognize this method.
On March 31st, 2021, Kevin Beaumont, a Senior Threat Intelligence Analyst at Microsoft shared the following on Twitter.
Really crazy bit of phishing targeting companies across the US –
You provide your work credentials (current or past employer), and if they validate they give you a $500 PayPal transaction and $25 for each month they continue to work.
workplaceunite/.com and workplaceunited/.com pic.twitter.com/VEBnL7vGQD
— Kevin Beaumont (@GossiTheDog) March 31, 2021
Traditionally, we think of phishing as an enticement for users to enter credentials for corporate applications on a misrepresented page that mimics the targeted organization. These evolving methods instead openly solicit corporate logins from users, for data-mining purposes, on behalf of "platforms" with names like the following, shared by @BushidoToken:
Some more linked to this campaign:
— Will | Bushido (@BushidoToken) April 1, 2021
They fake legitimacy by presenting themselves as a proprietary platform for "workers with universal access to their income and work data and control over who uses this data, how and when." Participation is voluntary, and the use of your corporate credentials is supposedly for the purpose of "running compatibility tests with the Work Accounts to further build and improve" the platform. In addition, upon successful verification of the corporate credentials, the voluntary "phishee" is promised a payment of up to $500, plus $25 for each additional month that the credentials remain valid.
Multiple researchers joined in with similar campaigns targeting organizations such as Walmart, J.P. Morgan Chase, The Hartford, and T-Mobile. Additional similarly malicious domains are listed below:
Probably also related (same NS and IP):
— Martijn Grooten (@martijn_grooten) April 1, 2021
Swish Data, like most organizations, maintains an "Acceptable Use" policy whose terms are repeated to users as regular reminders. New methods of credential solicitation warrant emphasis and explanation to users, both in the form of an alert and through integration into the existing cybersecurity training program. As a trusted advisor to customers and a partner deeply integrated with vendors in the security space, Swish Data proactively engages our vendors to ensure their platforms integrate mitigations where applicable.
How are you preparing your workforce for similar solicitations of access to corporate systems?
Can you currently quantify how many of your employees would fall for something similar?
Do you have disgruntled or terminated employees that maintain access to corporate systems that may be at risk?
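The last question is one a defender can actually measure. The monthly payments in this scheme only continue while the credentials keep working, so an account that was never disabled after an employee left is exactly the kind of credential that retains value to the operators. The following Python script is an added illustration (not code from Swish Data or from any of the researchers quoted above) of the reconciliation check that answers that question: it compares an HR separation list against a directory export and flags accounts that are still enabled, or that authenticated after the employee's last day. The data structures, field names and sample records are all constructed for the example; in practice the two inputs would come from your HR system and from an export of your identity provider or Active Directory.

```python
"""Reconcile an HR separation list against a directory account export and
flag accounts that still provide access after the employee's last day.

Added example with constructed data; field names are assumptions, not the
schema of any particular HR system or directory.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Separation:
    """One row from the HR separation report (constructed schema)."""
    employee_id: str
    last_day: date


@dataclass
class Account:
    """One row from the directory export (constructed schema)."""
    username: str
    employee_id: str
    enabled: bool
    last_logon: Optional[date]


# Constructed sample data: three separated employees and one current one.
SEPARATIONS = [
    Separation("e100", date(2021, 3, 1)),
    Separation("e101", date(2021, 2, 15)),
    Separation("e102", date(2021, 3, 10)),
]

ACCOUNTS = [
    # Never disabled and still being used: the worst case.
    Account("jdoe", "e100", enabled=True, last_logon=date(2021, 3, 20)),
    # Disabled promptly, no logons afterwards: nothing to report.
    Account("asmith", "e101", enabled=False, last_logon=date(2021, 2, 10)),
    # Disabled eventually, but only after the credential was used post-departure.
    Account("bjones", "e102", enabled=False, last_logon=date(2021, 3, 15)),
    # Current employee, not on the separation list: skipped.
    Account("clee", "e200", enabled=True, last_logon=date(2021, 3, 30)),
]


def find_lingering_access(
    separations: List[Separation],
    accounts: List[Account],
    grace_days: int = 1,
) -> List[Tuple[str, List[str]]]:
    """Return (username, reasons) for every account tied to a separated employee
    that is still enabled or that logged on after last_day + grace_days.

    grace_days allows for same-day offboarding activity (handover, final logoff)
    without raising a finding; tune it to your own offboarding SLA.
    """
    last_day_by_id = {s.employee_id: s.last_day for s in separations}
    findings: List[Tuple[str, List[str]]] = []
    for acct in accounts:
        last_day = last_day_by_id.get(acct.employee_id)
        if last_day is None:
            continue  # not a separated employee
        cutoff = last_day + timedelta(days=grace_days)
        reasons = []
        if acct.enabled:
            reasons.append("still enabled")
        if acct.last_logon is not None and acct.last_logon > cutoff:
            reasons.append(
                f"logon on {acct.last_logon.isoformat()} after cutoff {cutoff.isoformat()}"
            )
        if reasons:
            findings.append((acct.username, reasons))
    return findings


if __name__ == "__main__":
    for username, reasons in find_lingering_access(SEPARATIONS, ACCOUNTS):
        print(f"{username}: {'; '.join(reasons)}")
```

Run against the constructed data this reports `jdoe` (enabled and used after departure) and `bjones` (disabled, but only after a post-departure logon). The second case matters as much as the first: a logon between the last day and the disable date is evidence that the credential was still in someone's hands during that window, which is exactly the gap a "we pay you while it keeps working" scheme monetizes. The same comparison is worth automating against your identity provider's sign-in logs so it runs on every HR separation rather than as a one-off audit.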
If you are interested in a further discussion on this or any other security related topic, please contact our Swish security team at (703) 635-3324 or email info@Swishdata.com.