
'TurkeyBombing' Phishing Scam

Posted: November 30, 2020

The 'TurkeyBombing' phishing tactic is an e-mail-based attack that collects login credentials for Microsoft accounts. The tactic portrays the messages as being Zoom invitations while soliciting link clicks that lead to a fake login at a Google domain. Users should avoid logging into their accounts through unverified links, change passwords after compromises, and delete the 'TurkeyBombing' phishing tactic messages from their inboxes.

The Latest Bomb Dropping on Zoom

Criminal enterprises invariably shift with the changing geography of the Web and the habits of its users. The Coronavirus epidemic is a noteworthy event for hackers, too, who use themes related to it as disguises for their phishing lures. Such is the case with the 'TurkeyBombing' phishing tactic, a linguistic play off of the Zoom 'bombing' phenomenon that disrupts video conferences.

The 'TurkeyBombing' phishing tactic, like many criminal campaigns, starts with an e-mail message pretending that it's something it's not: a conference invitation for the Zoom platform. Although malware experts can't yet determine whether there's any significant URL obfuscation in the enclosed link, clicking it leads the user to a fake Microsoft login page hosted at the legitimate Google domain Appspot.com. Ordinarily, this domain is a safe resource for Web application hosting.

Provided that the victim enters it, the threat actor collects the password associated with the Microsoft account. Due to the e-mail address already being filled in, the user only needs to supply a single piece of login information. Besides filching login info, malware experts also verify the attacker's interest in exfiltrating geo-locational data and IP addresses, which could help them determine which accounts are lucrative.
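The traits described above (a Zoom-themed message, a link to a page on the shared Appspot.com host, and a login form that already knows the recipient's address) can be checked at a mail gateway. The following is an added example, not code from the original article; it assumes the address travels in the link itself (plain, percent-encoded, or base64), and the `zoom.us`/`zoom.com` allow-list, function names, and sample message are constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

SHARED_HOSTING = ("appspot.com",)     # only appspot.com comes from the article
ZOOM_HOSTS = ("zoom.us", "zoom.com")  # assumed allow-list for genuine invitations
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
TOKEN_RE = re.compile(r"[A-Za-z0-9+_-]{12,}={0,2}")

def _under(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)

def _carries_address(url, recipient):
    """True if the recipient address is in the URL as plain, percent-encoded
    or base64 text. How the lure passes the address is an assumption."""
    needle, decoded = recipient.lower(), unquote(url)
    if needle in decoded.lower():
        return True
    for token in TOKEN_RE.findall(decoded):
        try:
            raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if needle in raw.decode("utf-8", "ignore").lower():
            return True
    return False

def triage(subject, body, recipient):
    """Return (host, reasons) for each suspicious link in a Zoom-themed message."""
    if "zoom" not in f"{subject} {body}".lower():
        return []
    findings = []
    for url in URL_RE.findall(body):
        host = (urlsplit(url).hostname or "").lower()
        if _under(host, ZOOM_HOSTS):
            continue  # link goes where a real invitation would
        reasons = [name for name, hit in (
            ("shared-hosting", _under(host, SHARED_HOSTING)),
            ("recipient-in-url", _carries_address(url, recipient))) if hit]
        if reasons:
            findings.append((host, reasons))
    return findings

# Constructed sample message; the host name and address are made up.
SAMPLE_RCPT = "user@example.com"
SAMPLE_BODY = ("You received a video conference invitation. Review: "
               "https://constructed-sample.appspot.com/signin?e="
               + base64.urlsafe_b64encode(SAMPLE_RCPT.encode()).decode())
```

Either reason alone is weak evidence, since Appspot.com hosts many legitimate applications; both together on a Zoom-themed message is the combination worth quarantining.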

As of the end of November 2020, there are several thousand affected users. The threat actor favors the IMAP protocol for converting stolen logins into hijacked accounts and, presumably, launching more attacks from that point.

Conference Invitation Refusals Worth the Trouble

Although the 'TurkeyBombing' phishing tactic's first samples came in timed for Thanksgiving and the associated uptick in Zoom conferencing activity, neither the e-mail nor the fake Microsoft login page includes details specific to that holiday or date. It's possible that the threat actor will continue deploying this tactic against random e-mail accounts for an arbitrary amount of time, or until the holiday season and 2020 conclude.

Windows users should remember that e-mail is an extremely prolific infection vector for many threats, including backdoor Trojans, file-locker Trojans, spyware, and bait-and-switch cons like the 'TurkeyBombing' phishing tactic. Those in doubt of a link's authenticity should navigate to the appropriate domain by manually typing it into their browser's address bar. Although Appspot.com isn't inherently threatening, many threat actors prefer using normally-safe cloud services and other hosts for their lures, attacks, and C&C servers.

Users who've exposed their credentials should change passwords as soon as possible and check their accounts for any signs of unauthorized activity. Although the 'TurkeyBombing' phishing tactic doesn't leverage Trojans or other software threats, the right cyber-security product will auto-block corrupted websites and Web content.

Over three thousand cases of credentials are in the hands of an unidentified group of attackers, all thanks to the 'TurkeyBombing' phishing tactic. However, it never could have made a turkey out of any Windows user without a little help along the way – like the victim willingly providing the password.
