Phishing Campaigns Galore
The surge in ClickFix campaigns also coincides with the discovery of various phishing campaigns that:

- Leverage a .gov domain to send phishing emails that masquerade as unpaid toll notices, taking users to bogus pages designed to collect their personal and financial information
- Make use of long-lived domains (LLDs), a technique called strategic domain aging, to either host custom CAPTCHA check pages or redirect users to them; after completing the check, users are led to spoofed Microsoft Teams pages that steal their Microsoft account credentials
- Distribute malicious Windows shortcut (LNK) files within ZIP archives to launch PowerShell code responsible for deploying Remcos RAT
- Employ lures which supposedly warn users that their mailbox is almost full and that they need to "clear storage" by clicking a button embedded in the message; doing so takes the user to a phishing page hosted on IPFS that steals users' email credentials. Interestingly, the emails also include a RAR archive attachment that, once extracted and executed, drops the XWorm malware
- Incorporate a URL that leads to a PDF document, which, in turn, contains another URL that drops a ZIP archive, which includes an executable responsible for launching an AutoIT-based Lumma Stealer
- Weaponize a legitimate front-end platform called Vercel to host bogus sites that propagate a malicious version of LogMeIn to gain full control over victims' machines
- Impersonate U.S. state Departments of Motor Vehicles (DMVs) to send SMS messages about unpaid toll violations and redirect recipients to deceptive sites that harvest personal information and credit card details
- Utilize SharePoint-themed emails to redirect users to credential harvesting pages hosted on "*.sharepoint[.]com" domains that siphon users' Microsoft account passwords
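Several of the campaigns above deliver a Windows shortcut (LNK) inside a ZIP archive, which then launches PowerShell. The following is an added example, not code from the article or from any of the campaigns it describes, showing a simple mail-gateway or sandbox check a defender could run: it opens a ZIP in memory, flags entries that are shortcuts by extension or by the MS-SHLLINK header magic, notes double extensions such as `Invoice.pdf.lnk`, and reports whether the shortcut body references a script host such as `powershell`. The sample archive, the file names and the placeholder command line are all constructed for the demonstration.

```python
import io
import re
import zipfile

# MS-SHLLINK header: HeaderSize 0x4C followed by the fixed LinkCLSID
# {00021401-0000-0000-C000-000000000046} in little-endian GUID layout.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")

# Script-host names whose presence in a shortcut is worth flagging for review.
SUSPICIOUS_TOKENS = [b"powershell", b"pwsh", b"cmd.exe", b"mshta", b"wscript", b"cscript"]


def looks_like_lnk(data: bytes) -> bool:
    """True if the bytes start with the shell-link header, regardless of file name."""
    return data.startswith(LNK_MAGIC)


def find_tokens(data: bytes) -> list[str]:
    """Return the suspicious tokens found in the blob (ASCII or UTF-16LE, case-insensitive)."""
    lowered = data.lower()  # leaves the 0x00 bytes of UTF-16LE text untouched
    hits = []
    for tok in SUSPICIOUS_TOKENS:
        if tok in lowered or tok.decode().encode("utf-16-le") in lowered:
            hits.append(tok.decode())
    return hits


def scan_zip(zip_bytes: bytes) -> list[dict]:
    """Inspect every file in the archive and describe each shortcut found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            name_lower = info.filename.lower()
            ext_lnk = name_lower.endswith(".lnk")
            magic_lnk = looks_like_lnk(data)
            if not (ext_lnk or magic_lnk):
                continue
            findings.append({
                "name": info.filename,
                "extension_lnk": ext_lnk,
                "magic_lnk": magic_lnk,
                # A document-looking name ending in .lnk is a classic lure pattern.
                "double_extension": bool(re.search(r"\.(pdf|docx?|xlsx?|txt)\.lnk$", name_lower)),
                "tokens": find_tokens(data),
            })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: a decoy text file plus a fake shortcut (not a real LNK)."""
    fake_lnk = (LNK_MAGIC + b"\x00" * 56
                + "powershell.exe -w hidden -c <placeholder>".encode("utf-16-le"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "Invoice attached.")
        zf.writestr("Invoice.pdf.lnk", fake_lnk)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        print(finding)
```

The check deliberately keys on the header magic as well as the extension, because a shortcut renamed to a harmless-looking extension still executes as a shortcut once Explorer inspects it; a production filter would also parse the LNK's argument string properly rather than searching the raw bytes.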