An ongoing phishing campaign is impersonating Michael Page consultants to push Ursnif data-stealing malware capable of harvesting credentials and sensitive data from infected computers.
Michael Page is a world-leading employment agency focused on recruiting at the qualified professional and management level for permanent, temporary, contract, or interim positions.
The agency is part of the British-based PageGroup recruitment business, with operations in the Americas, the UK, Continental Europe, Asia-Pacific, and Africa.
Attackers spoofing Michael Page UK
“We’re continuing to experience a global phishing campaign where our employees are being impersonated,” Michael Page UK said.
“We’re confident that no PageGroup system has been compromised,” the parent company added, confirming that the attackers have not breached the recruitment consultancy’s servers and are only spoofing employees in the phishing emails sent to random targets.
“These phishing emails are being generated from publicly available information not linked to our business and are then being sent on to random email recipients,” PageGroup revealed.
PageGroup urges those who have received one of these phishing emails, or any email coming from Michael Page that looks suspicious, “not to respond or click” on any of the embedded links.
Never rely on an email signature or title to check the validity of an email, and please never click on a link until you’re satisfied that it’s from a sender you know. (3/3)
— Michael Web page UK (@MichaelPageUK) April 22, 2021
Victims baited with executive positions
In phishing emails sent as part of this campaign seen by BleepingComputer, attackers posing as Michael Page UK headhunters are luring targets with executive positions.
These emails use embedded links to redirect potential victims to phishing landing pages featuring GeoIP and anti-bot checks, according to a security researcher known as TheAnalyst.
The victims are then asked to download archives containing malicious macro-enabled Microsoft Excel spreadsheets (XLSM) used to infect them with Ursnif malware payloads.
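The two signals the article gives defenders are a sender whose display name claims the Michael Page brand while the address comes from an unrelated domain (the "never rely on an email signature or title" advice above), and a ZIP archive that carries a macro-enabled Excel workbook. The following mail-triage script checks an inbound message for both. It is an added example, not code from the article, from BleepingComputer or from PageGroup; the trusted domain `recruiter.example`, the brand strings, the `triage` function and the sample message it builds are all constructed here for illustration.

```python
"""Triage an inbound e-mail for two phishing signals: a spoofed sender identity and a
macro-enabled Office document delivered inside a ZIP attachment (added example)."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Assumption: the only domains the real recruiter sends from (placeholder value).
TRUSTED_DOMAINS = {"recruiter.example"}
# Display-name fragments that should only ever arrive from a trusted domain.
IMPERSONATED_BRANDS = ("michael page", "pagegroup")
# In OOXML files (which are ZIP containers) this member is present only when VBA macros exist.
MACRO_MEMBERS = ("xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin")
OFFICE_MACRO_EXT = (".xlsm", ".xlam", ".docm", ".pptm")


def sender_is_spoofed(from_header: str) -> bool:
    """True when the display name claims the brand but the address domain is not trusted."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claims_brand = any(brand in name.lower() for brand in IMPERSONATED_BRANDS)
    return claims_brand and domain not in TRUSTED_DOMAINS


def is_macro_enabled_office(data: bytes) -> bool:
    """Open the bytes as a ZIP and look for a vbaProject.bin member; non-ZIP input is not Office."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name in MACRO_MEMBERS for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def macro_docs_in_archive(data: bytes) -> list:
    """Return the names of macro-enabled Office documents found inside a ZIP attachment."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = zf.read(info)
                # Flag on extension or on actual content, so a renamed workbook is still caught.
                if info.filename.lower().endswith(OFFICE_MACRO_EXT) or is_macro_enabled_office(member):
                    found.append(info.filename)
    except zipfile.BadZipFile:
        pass
    return found


def triage(raw_email: bytes) -> dict:
    """Parse a raw RFC 5322 message and report the spoofing and macro-attachment findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_email)
    findings = {"spoofed_sender": sender_is_spoofed(msg.get("From", "")), "macro_attachments": []}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        fname = part.get_filename() or ""
        if is_macro_enabled_office(payload):          # bare .xlsm attached directly
            findings["macro_attachments"].append(fname)
        findings["macro_attachments"].extend(         # .xlsm wrapped in a ZIP, as in the campaign
            f"{fname}:{inner}" for inner in macro_docs_in_archive(payload))
    return findings


def build_sample_email() -> bytes:
    """Constructed sample: brand in the display name, free-mail domain, ZIP holding a fake XLSM."""
    xlsm = io.BytesIO()
    with zipfile.ZipFile(xlsm, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", b"\x00constructed-placeholder")  # not real VBA
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("Executive_Role.xlsm", xlsm.getvalue())
    msg = EmailMessage(policy=policy.default)
    msg["From"] = '"Michael Page UK Recruitment" <jobs@free-mail.example>'
    msg["To"] = "candidate@example.org"
    msg["Subject"] = "Executive opportunity"
    msg.set_content("Please review the attached role description.")
    msg.add_attachment(outer.getvalue(), maintype="application", subtype="zip", filename="Role.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample_email()))
```

The content check matters more than the extension check: a macro-enabled workbook renamed to `.xlsx` still contains `xl/vbaProject.bin`, so a gateway rule keyed only on file names would miss it. The display-name check is a coarse heuristic for the signature advice in the tweet above; authenticated sender verification (SPF, DKIM, DMARC on the claimed domain) is the stronger control and is outside this example.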
Ursnif (also known as Gozi v2.0, Gozi ISFB, ISFB, and Pandemyia) is an information-stealing trojan and an offspring of the original Gozi banking trojan (Gozi CRM), whose source code accidentally leaked online in 2010.
Since then, malware developers have used the code to build other banking trojan strains, such as GozNym.
Once it infects a computer, Ursnif begins recording the victims’ keystrokes and the websites they visit, harvests clipboard content, and collects all this information into log files that are sent back to its operators’ servers.
Using this stolen information, the attackers can steal their victims’ login credentials and other sensitive data to further compromise their accounts or networks.