We have identified what appears to be a widespread campaign targeting several of our clients. In this campaign, the attacker uses a callback request to trick the user into clicking on a phishing link.
As shown in the sample above, the user first receives an email stating that he has received a message from a wireless caller. The attacker adds the user’s email address to the body text* to make the message seem more authentic. Once the user clicks on the link, he is sent to a phishing site impersonating Microsoft.
*(blacked out in the image to preserve privacy)
As you can see, the attacker takes the user’s email address and inserts it into the account name on the phishing site so that the user believes the site is legitimate. But if you look closely, you can see that the URL of the site is fake and doesn’t belong to Microsoft.
This incident was caught by our system using a correlation between our advanced image recognition and our domain reputation engine. Our image recognition engine scans the site to see whether it resembles a known impersonated site. Once the site is found to resemble a familiar site or domain, our reputation engine scans it to determine whether it is a legitimate site and whether the domain or URL has a malicious background.
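The correlation described above can be sketched as follows. This is an added example, not Perception Point's code: the similarity score stands in for the image recognition verdict, and a small illustrative allow-list of Microsoft sign-in domains stands in for the reputation engine. The function names, threshold and sample URLs are assumptions constructed for the illustration.

```python
from urllib.parse import urlsplit

# Assumption: illustrative (not exhaustive) list of domains the brand really uses.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com", "office.com"},
}
SIMILARITY_THRESHOLD = 0.85  # assumed cut-off for "resembles a known site"


def host_of(url):
    """Return the lower-cased hostname without a trailing dot, or '' if absent.

    urlsplit discards any userinfo, so 'https://login.live.com@evil.example/'
    yields 'evil.example', the host the browser would actually contact.
    """
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def belongs_to(host, domain):
    """True only for the domain itself or a real subdomain (label boundary)."""
    return host == domain or host.endswith("." + domain)


def verdict(url, brand, similarity):
    """Correlate the visual verdict with the domain check.

    similarity: hypothetical image-engine score in [0, 1] that the rendered
    page looks like `brand`'s sign-in page.
    """
    if similarity < SIMILARITY_THRESHOLD:
        return "no-brand-match"      # page does not imitate a known brand
    host = host_of(url)
    if any(belongs_to(host, d) for d in BRAND_DOMAINS.get(brand, ())):
        return "legitimate"          # looks like the brand and is the brand
    return "block"                   # looks like the brand, hosted elsewhere


if __name__ == "__main__":
    # Constructed sample URLs; the .example hosts are placeholders.
    samples = [
        ("https://login.microsoftonline.com/common/oauth2", 0.97),
        ("https://login.microsoftonline.com.account-verify.example/signin", 0.97),
        ("https://login.live.com@evil.example/", 0.95),
        ("https://blog.example/post", 0.10),
    ]
    for url, score in samples:
        print(verdict(url, "microsoft", score), url)
```

The label-boundary check in `belongs_to` is what keeps a host such as `login.microsoftonline.com.account-verify.example` from passing as Microsoft's even though the brand's domain appears inside it.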
With Perception Point, the email was blocked before reaching the end-user, taking human error out of the equation.