Amazon SES Token Stolen and Used to Send Phishing Emails from Kaspersky.com Email Accounts

A phishing campaign has been identified that abused a legitimate access token of a third-party contractor to send phishing emails from legitimate Kaspersky.com email accounts.

The campaign was conducted using Amazon Simple Email Service (SES), which allows developers to send emails from any app, including apps used for mass email communications.

Kaspersky’s Amazon SES token was provided to a third-party contractor in order to test the 2050.earth website, a Kaspersky website that provides insights from futurologists and scientists about what is expected to happen by 2050.

Kaspersky identified large numbers of phishing emails that attempted to trick recipients into disclosing their Office 365 credentials. The messages were sent from Kaspersky.com email addresses and used fake fax notifications as the lure. The messages included a hyperlink to a website that required Office 365 credentials to be provided to view the fax.

The emails were sent from a variety of Kaspersky.com email addresses, such as noreply[@]sm.kaspersky.com; however, rather than spoofing Kaspersky, the messages included the Microsoft logo and directed individuals to a Microsoft-branded website. The website hosted a phishing kit called Iamtheboss, which had been combined with a second phishing kit called MIRCBOOT. MIRCBOOT is associated with the phishing-as-a-service operation called BulletProofLink.

Phishing kits are popular as they provide individuals with all the files, tools, and templates they need to conduct phishing campaigns. The MIRCBOOT phishing kit includes email templates and hosting services to run phishing campaigns and helps users of the kits purchase domains and set up websites for phishing campaigns. The phishing kits are available to use for a one-time fee.

When Kaspersky identified the phishing campaign, the SES token was immediately revoked. Kaspersky said in a security advisory that only the Amazon SES token was abused. There was no malicious activity linked to the 2050.earth website.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news