New Credential Theft Campaign Uses Legitimate SuperMailer for Bulk Phishing
The operation might never have been detected had the attackers not made a fatal error.
According to Cofense researchers, cybercriminals have recently been actively using the SuperMailer program to send phishing emails that are not blocked by SEG (secure email gateway) protection. In May alone, SuperMailer was used to send 5% of all credential-phishing emails, according to the researchers. Given the wide variety of programs and email clients available, this is a significant share. Moreover, the volume of the campaign is growing exponentially.
“By combining SuperMailer’s customization and dispatch capabilities with security bypass techniques, attackers deliver fake but highly plausible emails to mailboxes across industries,” explained Brad Haas, Cyber Threat Analyst at Cofense.
SuperMailer is a German email creation and sending program that allows you to create emails in HTML or text format using per-recipient variable data. It supports several mail systems, which allows sending to be distributed across different services and reduces the risk of the messages being blocked.
In addition, SuperMailer is quite vulnerable to this type of attack, namely Open Redirect, where a legitimate web page automatically redirects the user to any URL specified in a parameter. This lets attackers use perfectly legitimate URLs as the primary phishing links.
“If a mail gateway does not follow a redirect, it only checks the content or reputation of a legitimate site. While Open Redirect is generally considered a vulnerability, it can often be found even on well-known sites. For example, the campaigns we analyzed used an open redirect to YouTube,” Haas said.
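As an added illustration (not from the Cofense report or this article), the following Python check extracts links from a constructed sample email and flags any whose redirect parameter carries a destination host different from the visible, reputable-looking one; the hosts and the `url` parameter name are placeholders.

```python
import email
import re
from email import policy
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample message for demonstration. The redirecting host and the
# parameter name are placeholders, not real open-redirect endpoints.
SAMPLE_EML = """From: it-support@example.test
To: user@example.test
Subject: Password expiry notice
Content-Type: text/html

<html><body>
<p>Your password expires today.
<a href="https://trusted.example/redirect?url=https%3A%2F%2Flogin-portal.example.invalid%2Fauth">Renew now</a></p>
</body></html>
"""

# Absolute http(s) URLs; stops at quotes and angle brackets in HTML attributes.
URL_RE = re.compile(r'https?://[^\s"\'<>]+')


def embedded_redirect_targets(url):
    """Return the hosts of any absolute URLs carried in the query string of `url`.
    A gateway that scores only `url`'s own host never sees these destinations."""
    parsed = urlparse(url)
    targets = []
    for values in parse_qs(parsed.query).values():
        for value in values:
            inner = urlparse(unquote(value))  # tolerate double-encoding
            if inner.scheme in ("http", "https") and inner.netloc:
                targets.append(inner.netloc)
    return targets


def suspicious_links(raw_eml):
    """Return (visible_host, final_host) pairs for links whose redirect
    parameter points somewhere other than the host shown in the link."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    findings = []
    for url in URL_RE.findall(body):
        visible_host = urlparse(url).netloc
        for target in embedded_redirect_targets(url):
            if target != visible_host:
                findings.append((visible_host, target))
    return findings
```

Links that legitimately redirect within the same host are not flagged, so the output is a triage signal rather than a block decision.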
Cofense was able to track SuperMailer activity thanks to a coding error the attackers made when creating their email templates: every email contained a unique string indicating that it had been created with SuperMailer. However, blocking messages on that string, or banning legitimate mailing services outright, is not the right solution.
“We have not found any other unique characteristics that would allow us to block en masse the emails created by attackers using SuperMailer. In the campaign reviewed, the emails were only identified because of a mistake by the perpetrators,” Haas said.
However, there are other characteristics that may indicate a potential threat even without knowing its origin, for example the content. One such sign is the inclusion of email reply threads in messages without regard to the target audience.
“Human intuition is often much better at recognizing these differences. Therefore, training employees to be vigilant against phishing threats is an important element of good cyber defense,” concluded Haas.