There is a new type of scam on the rise.
Nowadays it seems like nothing is safe from phishing attacks, not even your voicemail. Researchers at Zscaler sent out a warning that there is a new voicemail-themed scam that sends out an automatically generated email notification alerting users that they have received a new voicemail from a caller and prompting them to log in to listen to it.
The message includes an HTML attachment that the user has to open, and it asks them to enter their credentials to access the portal. Zscaler pointed out that one of these campaigns uses Google’s reCAPTCHA, which prevents web crawlers from reaching the page and marking it as malicious.
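The lure described above, a voicemail-themed notification carrying an HTML attachment, can be checked for on the mail side. The following Python is an added example, not code from Zscaler or from this article; the keyword list, the sample message and its .example hosts are constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumed keyword list for the voicemail theme; tune it to your own mail flow.
VOICEMAIL = re.compile(r"voice ?mail|voice message|missed call", re.I)
URL = re.compile(r"""https?://[^\s"'<>]+""", re.I)
PASSWORD_FIELD = re.compile(r"""type\s*=\s*["']?password""", re.I)

# Constructed sample message, not taken from the campaign (.example hosts are reserved).
SAMPLE = """\
From: Voicemail Service <notify@voicemail-alerts.example>
Subject: New voicemail from caller
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You have received a new voice message. Open the attachment to listen.
--b1
Content-Type: text/html
Content-Disposition: attachment; filename="VM_0412.html"

<form action="https://login.portal-check.example/auth" method="post">
<input name="user"><input name="pass" type="password"></form>
--b1--
"""

def triage(raw):
    """Collect the signals this lure combines from one raw RFC 5322 message."""
    msg = message_from_string(raw)
    themed = bool(VOICEMAIL.search(msg.get("Subject", "")))
    names, hosts, asks_password = [], set(), False
    for part in msg.walk():
        # Multipart containers decode to None, so they contribute an empty body.
        body = (part.get_payload(decode=True) or b"").decode(
            part.get_content_charset() or "utf-8", "replace")
        name = part.get_filename() or ""
        is_html = part.get_content_type() == "text/html" or name.lower().endswith((".htm", ".html"))
        if part.get_content_disposition() == "attachment" and is_html:
            names.append(name)
            hosts.update(urlparse(u).hostname or "" for u in URL.findall(body))
            asks_password = asks_password or bool(PASSWORD_FIELD.search(body))
        else:
            themed = themed or bool(VOICEMAIL.search(body))
    return {"voicemail_themed": themed, "html_attachments": names,
            "linked_hosts": sorted(hosts - {""}), "asks_password": asks_password,
            "suspicious": themed and bool(names)}

print(triage(SAMPLE))
```

A hit is a reason to quarantine and inspect the message rather than a verdict; the linked hosts are the ones to compare against the login domains your users actually use.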
Another campaign spoofed Cisco’s Security Unity Connection voicemail portal; the domain used to send out this email was “secure[.]ciscovoicemail[.]cf”. Wherever the user clicked to listen to the voicemail, they were redirected to a page where they had to select their email provider, such as Office365, Outlook, Gmail, Yahoo, or “Others”. Selecting any of these providers takes them to a very convincing fake login page where the scam continues; selecting “Others” takes them to a generic page.
To avoid becoming a victim of these and any other cyber scams, make sure you are following best practices to protect yourself and your organization. “This threat actor leverages well-crafted social engineering techniques and combines them with evasion tactics designed to bypass automated URL analysis solutions to achieve better success in reaching users and stealing their credentials,” the researchers commented.
As an added layer of protection, you should always double-check the URL in the address bar before entering any credentials. Sometimes something as small as a dot (.) out of place could signify a phishing scam. It is also worth mentioning that this kind of scam has been around for a long time; however, we have seen an increase in them during the past year or so. Make sure to always keep yourself informed and aware of new threats as they surface. If you have any further questions or want to learn more about how to train your employees and yourself on the fundamentals of social engineering and common cybersecurity practices, do not hesitate to contact us at https://www.bayontechgroup.com/