A phishing campaign leveraged malicious emails to spoof video calling platform Skype in order to steal users’ account credentials.

Cofense observed that the campaign began with an attack email that appeared to originate from Skype. Specifically, the attackers crafted the sending email address to read as “67519-81987[@]skype.[REDACTED EMAIL].” But a closer look revealed that the attack email had actually originated from a compromised email address.

The email itself masqueraded as an alert of 13 pending notifications awaiting the recipient. Cofense said that this technique was a clever move on the attackers’ part. As it explained in its research:

It is not uncommon to receive emails about pending notifications for various services. The threat actor anticipates users will recognize this as just that, so they take action to view the notifications. Curiosity and the sense of urgency entice many users to click the “Review” button without recognizing the obvious signs of a phishing attack.

A view of the email body with the embedded button’s link location revealed. (Source: Cofense)

As shown in the image above, the “Review” button didn’t actually lead users to a review of their pending Skype notifications. Instead, it used an app link to redirect them to a phishing page located at hxxps://skype-online0345[.]web[.]app.

The decision to use .app for the page’s top-level domain gave the attack an even greater sense of legitimacy, as .app domains require the use of HTTPS to establish a connection. To further increase their attack’s credibility, the phishing site displayed the company logo of the target within the login box along with a warning that the page was open to the company’s employees only.

A view of the phishing page. (Source: Cofense)

All of those tactics had one purpose: lull the user into a false sense of security so that (Read more...)