For months now, a massive spear phishing campaign has been targeting employees of over 100 e-mail service providers, with the goal of compromising their computers and those of marketing companies that handle campaigns for the biggest and best-known brands out there.
The spear phishing e-mails were similar to this one:
A good choice, really: “private” e-mails that address the recipient by the correct name, and sometimes even name the company the recipient works for, are more likely to be opened than corporate-looking ones, and their spelling errors are more likely to be overlooked.
These e-mails usually contained URLs that supposedly led to a page with photos or a greeting card, but actually redirected the victims to sites where password-stealing software (such as iStealer, which currently has an extremely low detection rate on VirusTotal) and remote administration tools (such as CyberGate) would try to install silently on the victims’ computers.
Chris Nelson, a security manager with an unnamed e-mail service provider, shared with Brian Krebs the results of the investigation he mounted after discovering that some of his company’s servers had been compromised by the attackers.
In short, he found that other ESPs had also been compromised, that the goal of the attack was to gain access to and control of the e-mail address lists of big brands in order to use them for future spamming and scamming, and that the spear phishing campaign had likely been going on for many months, judging by the unexpected delivery results detected at one of their smaller customers back in April.
It took them months to trace the compromise to a flaw in their internal software application: it allowed images containing malicious code to be uploaded, and that code gave the attackers access to the client database and the mailing lists stored inside.
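The article does not say what the ESP's upload flaw looked like in code, so the following is an added, generic illustration (not the provider's software or anything Krebs published) of the checks an image upload endpoint should perform so that a file carrying script code is never stored under a name or in a place where the server could execute it. The file names, sample bytes and size limit are constructed for the example.

```python
import re
import secrets

# Magic-byte signatures for the only image formats this endpoint accepts.
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXTENSION_ALIASES = {"jpeg": "jpg"}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit for the example

# Markers that never belong in a genuine image but do appear in server-side
# script payloads smuggled in with an image extension or after a valid header.
EMBEDDED_CODE = re.compile(rb"<\?php|<\?=|<%|<script\b|\beval\s*\(", re.IGNORECASE)


def sniff_image_type(data: bytes):
    """Return the image type implied by the file's leading bytes, or None."""
    for img_type, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return img_type
    return None


def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason_or_stored_name).

    A file is accepted only when its declared extension, its magic bytes and its
    body all agree that it is a plain image. Accepted files get a server-chosen
    name, so nothing the uploader supplied ends up in a path or a URL.
    """
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    if "." not in filename:
        return False, "missing extension"
    ext = filename.rsplit(".", 1)[1].lower()
    ext = EXTENSION_ALIASES.get(ext, ext)
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension .{ext} not allowed"
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "content is not a recognised image"
    if sniffed != ext:
        return False, f"extension .{ext} does not match content ({sniffed})"
    if EMBEDDED_CODE.search(data):
        return False, "image contains embedded script markers"
    # Random name, extension taken from the sniffed type rather than the upload.
    return True, f"{secrets.token_hex(16)}.{sniffed}"


# Constructed sample uploads for the demonstration (not files from the incident).
SAMPLES = {
    "holiday.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,              # genuine image
    "card.jpg": b"<?php echo 'not an image'; ?>",                      # script, image extension
    "photo.gif": b"GIF89a" + b"\x00" * 32 + b"<?php echo 1; ?>",       # valid header, code appended
    "shell.php": b"\xff\xd8\xff" + b"\x00" * 16,                       # image bytes, executable extension
}


def check_samples():
    """Map each sample name to whether the validator accepts it."""
    return {name: validate_upload(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        ok, detail = validate_upload(name, data)
        print(f"{name}: {'accepted as ' + detail if ok else 'rejected: ' + detail}")
```

The three rejection paths matter separately: the extension allowlist stops a file the web server would hand to an interpreter, the magic-byte check stops script bodies renamed to look like images, and the marker scan catches the case the article describes, a structurally valid image with code appended. Serving uploads from a location with script execution disabled is the complementary control the validator cannot provide on its own.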
And now that I think about it, could this have been part of the final result?