Attackers tell Americans their documents are being cancelled in order to steal their personal data
Fraudsters pose as a federal agency so as not to arouse suspicion.
Security researchers at Armorblox uncovered a phishing campaign aimed at identity theft, in which attackers told American victims that their Social Security Numbers (SSNs) were about to be cancelled and convinced them to call a fake customer service line. The criminals targeted 160,000 students of an educational institution in the United States.
The cybercriminals urged victims to reveal their SSNs, vital information for any US citizen, as well as other sensitive data. With tax season now underway in the US, attackers are looking to obtain personal data, which they then use in tax fraud.
The attack begins with a phishing email with the subject line “erroneous and suspicious activity.” Urgency-based influence techniques aim to lower the victim’s vigilance, encouraging them to act quickly and without hesitation.
The hackers listed the Social Security Administration (SSA), the agency responsible for issuing SSNs, as the sender of the email. Notably, the attackers managed to bypass the built-in email protection.
In the email, the hackers claim that the victim's SSN has been blocked. Although US authorities have repeatedly stated that an SSN cannot be suspended, the message looks plausible and may cause panic in some victims.
The scammers then convince the victim to open a PDF that purports to contain an email from the SSA. This email states that the victim violated the "terms and conditions" by using a false name. In the final stage of the attack, alarmed victims called the listed "help desk" number, where the scammers could extract further confidential information.
According to experts, the campaign was quite sophisticated: the attackers bypassed the built-in email protection, and users did not suspect anything. Even though the sender address in the phishing email was a Gmail address rather than an SSA domain, the attackers changed the sender's display name to hide the ruse. The display name was made deliberately long so that the actual domain is not visible on a mobile device.
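The display-name trick described above can be turned into a simple header check. The following is an added example, not code from the original report or from Armorblox; the agency-name pattern, the webmail domain list, the length threshold and the sample headers are all assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr

# Assumption: display-name wording that claims to come from the SSA.
CLAIMED_AGENCY = re.compile(r"social\s+security|\bssa\b", re.IGNORECASE)
# Assumption: consumer webmail domains a federal agency would not send from.
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
# Assumption: beyond this length the address is pushed out of view on narrow screens.
MAX_DISPLAY_NAME = 40


def check_from_header(from_header):
    """Return the reasons a From: header looks like display-name spoofing.

    An empty list means none of the checks fired.
    """
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    claims_agency = bool(CLAIMED_AGENCY.search(name))
    reasons = []
    if claims_agency and domain in FREE_MAIL_DOMAINS:
        reasons.append("display name claims a government agency but address is free webmail")
    if len(name) > MAX_DISPLAY_NAME:
        reasons.append("display name is unusually long and may hide the address on mobile")
    if claims_agency and not domain.endswith(".gov"):
        reasons.append("agency name in display name but sender domain is not .gov")
    return reasons


# Constructed sample headers (not the real campaign's headers).
PHISH_SAMPLE = (
    '"Social Security Administration | Office of Benefits Suspension Notice" '
    "<benefits.review.desk@gmail.com>"
)
LEGIT_SAMPLE = '"SSA" <no-reply@ssa.gov>'  # assumption: a .gov sender domain


def triage(headers):
    """Map each header to its list of findings so a reviewer can sort by hits."""
    return {h: check_from_header(h) for h in headers}


if __name__ == "__main__":
    for header, findings in triage([PHISH_SAMPLE, LEGIT_SAMPLE]).items():
        print(header)
        for finding in findings:
            print("  -", finding)
```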