New Phishing Campaign Employs ‘Supreme Court Settlement Agreement’ Tactics

  • Phishing actors are now using fake Calendar invites to trick recipients into clicking on URLs.
  • The theme is a supposed meeting for a settlement agreement on a Supreme Court-level case.
  • The links lead to phishing login sites that offer the victim the choice of the account they wish to give away.

Few people are actually expecting a lucrative settlement agreement that resolves their legal case, but an email with that subject is bound to draw attention, and some recipients will find it intimidating. As Cofense reports, this is precisely the trick phishing actors have been using lately: the security company has noticed a surge of email subjects about a supposed agreement in a ‘Supreme Court’ case, no less.

Source: Cofense

These emails carry malicious attachments in the form of an ICS (iCalendar) file, and their goal is credential phishing. Opening the attachment brings up a calendar invite containing a meeting notice that instructs the recipient to click on the link to get more details.

Clicking on that link leads to a phishing page that prompts the user to log in to Outlook or Office365 or any email provider they may be using. The typical trick of blurring a supposed document in the background is seen here too, so consider this a huge red flag in general.


Another interesting aspect of this phishing campaign is that the URLs used in these phony meeting invites do not end with “.com” but with “court”, for example “hxxp://0xc1a9fd67/Court” or “hxxp://0xc1a9fd67/Supremecourt”, which resolve to “hxxp://193[.]169[.]253[.]103/Court” and “hxxp://193[.]169[.]253[.]103/Supremecourt”. This works well both as a legitimacy booster and as a way to bypass checks from endpoint security detection tools.
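The host in those URLs is the IPv4 address written as a single hexadecimal integer (0xc1a9fd67 is 193.169.253.103), a form that filters matching only dotted-quad addresses or domain names can miss. As an added example (not code from Cofense or the original article), the Python below unfolds an ICS attachment and normalizes such hosts using inet_aton-style parsing; the sample invite, the function names and the `calendar.example.com` host are constructed for illustration.

```python
import ipaddress
import re

URL_RE = re.compile(r"\bh(?:tt|xx)ps?://([^/\s:\"<>]+)([^\s\"<>]*)", re.I)

def parse_part(part):
    """One inet_aton-style number: 0x hex, leading-0 octal, otherwise decimal."""
    for pattern, base in ((r"0[xX][0-9a-fA-F]+", 16), (r"0[0-7]*", 8), (r"[1-9][0-9]*", 10)):
        if re.fullmatch(pattern, part):
            return int(part, base)
    return None

def deobfuscate_host(host):
    """Return the dotted-quad IPv4 if host is a numeric IP in non-canonical form, else None."""
    parts = host.split(".")
    nums = [parse_part(p) for p in parts]
    if len(parts) > 4 or any(n is None for n in nums):
        return None
    # inet_aton: leading parts are single bytes, the last part fills the remaining bytes
    *head, last = nums
    if any(n > 0xFF for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    dotted = str(ipaddress.IPv4Address(value))
    return None if dotted == host else dotted

def suspicious_ics_urls(ics_text):
    """Unfold RFC 5545 folded lines, then list (url, real_ip) for encoded-IP hosts."""
    unfolded = re.sub(r"\r?\n[ \t]", "", ics_text)
    hits = [(m.group(0), deobfuscate_host(m.group(1))) for m in URL_RE.finditer(unfolded)]
    return [(url, ip) for url, ip in hits if ip]

# Constructed sample invite; the defanged URL is the one quoted in the article,
# deliberately folded across two lines as RFC 5545 allows.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "BEGIN:VEVENT\r\n"
    "SUMMARY:Settlement Agreement\r\n"
    "DESCRIPTION:Review details at hxxp://0xc1a9\r\n"
    " fd67/Supremecourt before the meeting\r\n"
    "URL:https://calendar.example.com/event/1\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)
```

Running blocklist and reputation lookups on the normalized address rather than the raw host string means the hexadecimal, decimal, octal and mixed spellings all map to the same indicator.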

Cofense’s report has the full list of the indicators of compromise, including the IPs where the credentials are getting exfiltrated to, so make sure to check out the relevant information if you’re preparing a blacklist. Some of these URLs and IPs have been previously associated with the phishing-as-a-service platform known as ‘BulletProftLink,’ a Malaysian service that offers ready-made phishing pages and also hosting for only $100 per month. This service has been around since at least 2018, and it appears that it’s still rocking three years on.
