

Attackers Target US Payroll Protection Loans

With small businesses awaiting information about their Payroll Protection loans (SBA), scammers are now targeting them with new phishing emails. The campaign, discovered by Abnormal Security, sends emails claiming to be from a CARES Act representative who needs a signature on a “PPP_CARES_SignaturePG1-2” document. Each email includes a link titled “Review File & Sign” that, if clicked, sends the recipient to a landing page asking them to sign in with their Microsoft account. This landing page is a fake copy of the Office 365 login page, designed to steal login credentials that attackers can use in BEC scams, potential network compromise, or additional phishing scams.

Analyst Notes

Scams such as these are, unfortunately, a part of everyday business with the current global situation. There are some simple things that can be done to reduce the chances of getting scammed. Always check the sender’s email address. In this particular case, the sender’s domain is manynations[.]com. The fake login page is hosted at hotelmerina[.]com. If the domain is not known or trusted, the recipient should verify the address before clicking any link or downloading any files. If a malicious domain is found, IT security staff should search for any similar messages sent to other employees, and investigate web proxy logs to determine whether any other employee visited the fake login page. Implementing Multi-Factor Authentication (MFA) for Office 365 accounts is an excellent way to protect employee accounts from compromise even if their password is stolen. If the password for Office 365 is the same as the password used to remotely log in to the corporate network through remote desktop or a VPN, attackers may also try to use stolen login credentials to access workstations or servers. Services such as the Binary Defense Security Operations Center can also provide 24-hour-a-day monitoring that will detect and defend a company’s endpoints before an attacker has a chance to do any damage.
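The proxy-log and sender checks described above can be scripted. The following is an added example, not code from the original article or from Binary Defense: it matches the two domains named in the notes against a constructed proxy log. The log line format, user names, timestamps and paths are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Indicators exactly as printed in the analyst notes (defanged).
DEFANGED_IOCS = ["manynations[.]com", "hotelmerina[.]com"]

def refang(indicator):
    """Turn 'example[.]com' back into a matchable domain."""
    return indicator.replace("[.]", ".").lower()

IOC_DOMAINS = [refang(i) for i in DEFANGED_IOCS]

def host_matches(host, domains=IOC_DOMAINS):
    """True for the domain itself or any subdomain, never a mere substring."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def sender_flagged(address):
    """Check the domain part of a sender address against the indicators."""
    return host_matches(address.rsplit("@", 1)[-1])

def find_visits(log_lines):
    """Return (timestamp, user, host) for each request to an indicator host.

    Assumed line format: <timestamp> <user> <method> <url-or-host:port> <status>
    """
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines
        timestamp, user, method, target = fields[:4]
        if method == "CONNECT":  # HTTPS tunnel: target is host:port
            host = target.rsplit(":", 1)[0]
        else:
            host = urlsplit(target).hostname or ""
        if host_matches(host):
            hits.append((timestamp, user, host))
    return hits

# Constructed sample log; users, times and paths are invented.
PHISH = IOC_DOMAINS[1]
SAMPLE_LOG = [
    f"2020-01-01T09:14:02Z alice GET https://{PHISH}/placeholder 200",
    "2020-01-01T09:15:40Z bob CONNECT login.microsoftonline.com:443 200",
    f"2020-01-01T09:17:11Z carol CONNECT www.{PHISH}:443 200",
    f"2020-01-01T09:20:55Z dave GET https://example.org/?ref={PHISH} 200",
    f"2020-01-01T09:22:03Z erin GET http://not{PHISH}/ 200",
]
```

Matching on the parsed hostname rather than a substring of the line keeps look-alike hosts and query-string mentions (the last two sample lines) out of the results, so the output is a list of users whose credentials may need to be reset.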
