Beware: Fake Spam Filter Alerts Invading Inboxes

Summary
– A new phishing campaign sends fake emails claiming important messages were blocked due to a “Secure Message system” upgrade or placed in “spam quarantine.”
– The emails trick users into clicking links that lead to fake login pages impersonating webmail sites, often pre-filled with the recipient’s email address.
– Attackers use tactics like displaying fake error messages to prompt users to re-enter passwords and collect credentials via HTTP POST requests or WebSockets.
– Some phishing pages use obfuscated code and Telegram Bot API endpoints to instantly exfiltrate credentials and potentially harvest two-factor authentication codes.
– Users are advised to avoid clicking unsolicited email links, verify login page URLs, and contact IT support through known channels if unsure about an email’s legitimacy.
A fresh wave of phishing emails is making the rounds, designed to trick recipients into thinking their spam filters have blocked legitimate messages. These deceptive alerts pose a serious threat to personal and organizational security by mimicking official communications. Security experts are urging users to exercise extreme caution with any email that claims an upgrade has caused messages to be held.
The fraudulent emails appear to originate from the recipient’s own email domain. They falsely state that due to a “Secure Message system” enhancement, important emails have been intercepted. To supposedly “release” these messages for viewing, users are directed to click a “Move To Inbox” button. This action redirects them to a counterfeit webmail login portal crafted to look authentic.
Another version of this scam informs users that their messages have been placed in “spam quarantine.” It then prompts them to log in through a provided link to “view the most updated spam folder or blacklist sender.” These emails are skillfully spoofed to enhance their credibility.
According to researchers, the phishing pages are deliberately designed to appear trustworthy, often displaying familiar logos to lower the target’s guard. To further the illusion, the fake login page may already display the recipient’s email address. After the user enters their password, the information is immediately sent to a malicious server via an HTTP POST request. A bogus “The login is invalid” error message then appears briefly before the password field clears, a known psychological trick that persuades users to re-enter their credentials in case they mistyped them.
This process typically repeats a second time. On the third attempt, the user is either redirected to their actual email domain or to a Google Search page, leaving them unaware their credentials have been stolen.
In some cases, a JavaScript file embedded in the fake login page captures the victim’s login details. It then creates a data exfiltration URL, often a Telegram Bot API endpoint, to transmit the stolen information directly to the attacker’s Telegram bot.
Other cybersecurity firms have observed similar campaigns. One variant uses heavily obfuscated code on the phishing site, harvesting credentials through a WebSocket connection. Cybercriminals favor this technique because it allows them to receive login details in real time as they are typed. Attackers can even use this method to prompt for additional information, such as two-factor authentication codes.
Given that some of these fraudulent messages may bypass standard email security filters, user vigilance is the best defense. The universal recommendation is to avoid clicking links in unsolicited emails, particularly those conveying a sense of urgency. Always scrutinize the URL of any login page before entering your username and password.
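As an added example (not code from the article or from Help Net Security), the following Python script checks a captured login page and its URL for the indicators described above: a host that is not the expected webmail host, an email address carried in the URL or pre-filled in the form, a password form that submits to a different host, and inline script that refers to the Telegram Bot API, opens a WebSocket, or uses dynamic code evaluation. The expected webmail host, the two sample pages and the obfuscation heuristic are assumptions constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Assumption: the organisation's real webmail host (hypothetical value).
EXPECTED_WEBMAIL_HOST = "mail.example.com"

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")
TELEGRAM_BOT_API_RE = re.compile(r"api\.telegram\.org/bot", re.I)
WEBSOCKET_RE = re.compile(r"\bnew\s+WebSocket\s*\(|\bwss?://", re.I)
# Coarse obfuscation heuristic (assumption): dynamic evaluation / decoding helpers.
OBFUSCATION_RE = re.compile(r"\b(eval|unescape|atob|Function)\s*\(")


class _LoginPageScanner(HTMLParser):
    """Collects form actions, input fields and inline script text from a page."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.has_password_field = False
        self.prefilled_email = None
        self.script_text = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "input":
            kind = a.get("type", "text").lower()
            value = a.get("value", "").strip()
            if kind == "password":
                self.has_password_field = True
            elif kind in ("text", "email") and EMAIL_RE.fullmatch(value):
                self.prefilled_email = value
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_text.append(data)


def assess_login_page(page_url, html, expected_host=EXPECTED_WEBMAIL_HOST):
    """Return human-readable indicators that a login page is not the real webmail."""
    findings = []
    parts = urlparse(page_url)
    host = (parts.hostname or "").lower()

    # 1. The URL check the article recommends: is this the webmail host we expect?
    if host != expected_host and not host.endswith("." + expected_host):
        findings.append(f"page host {host!r} is not the expected webmail host {expected_host!r}")

    # 2. Recipient address carried in the link (query or fragment) to pre-fill the form.
    url_values = [v for vals in parse_qs(parts.query).values() for v in vals] + [parts.fragment]
    if any(EMAIL_RE.fullmatch(v.strip()) for v in url_values if v):
        findings.append("URL carries an email address used to pre-fill the form")

    scanner = _LoginPageScanner()
    scanner.feed(html)
    scripts = "\n".join(scanner.script_text)

    # 3. Password form that submits to a host other than the page itself.
    for action in scanner.form_actions:
        action_host = (urlparse(action).hostname or "").lower()
        if scanner.has_password_field and action_host and action_host != host:
            findings.append(f"password form submits to a different host {action_host!r}")

    # 4. Form already shows the victim's address.
    if scanner.prefilled_email:
        findings.append(f"login form is pre-filled with {scanner.prefilled_email!r}")

    # 5. Exfiltration channels named in the article, plus the obfuscation heuristic.
    if TELEGRAM_BOT_API_RE.search(scripts):
        findings.append("inline script references the Telegram Bot API")
    if WEBSOCKET_RE.search(scripts):
        findings.append("inline script opens a WebSocket connection")
    if OBFUSCATION_RE.search(scripts):
        findings.append("inline script uses dynamic evaluation/decoding (possible obfuscation)")
    return findings


# Constructed sample of a suspicious page (indicator strings only, not a working kit).
SUSPICIOUS_URL = "https://secure-message-upgrade.example.net/release?email=alice%40example.com"
SUSPICIOUS_HTML = """
<html><body>
<img src="logo.png" alt="Webmail">
<form method="post" action="https://collector.example.org/post.php">
  <input type="text" name="user" value="alice@example.com">
  <input type="password" name="pass">
  <button>Sign in</button>
</form>
<script>
  var exfil = "https://api.telegram.org/botBOT_TOKEN_PLACEHOLDER/sendMessage";
  var ws = "wss://collector.example.org/ws";
</script>
</body></html>
"""

# Constructed sample of the organisation's real login page, for comparison.
LEGIT_URL = "https://mail.example.com/login"
LEGIT_HTML = """
<html><body>
<form method="post" action="/auth">
  <input type="email" name="user">
  <input type="password" name="pass">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url, page in ((SUSPICIOUS_URL, SUSPICIOUS_HTML), (LEGIT_URL, LEGIT_HTML)):
        print(url)
        for finding in assess_login_page(url, page) or ["no indicators found"]:
            print("  -", finding)
```

Run against the suspicious sample, the script reports six indicators; against the legitimate sample it reports none. The host comparison is the only check that needs site-specific knowledge; the remaining checks are structural and can be applied to any login page a user or help desk submits for review.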
If you receive a suspicious email, do not interact with it. Instead, confirm its legitimacy by contacting your IT support team or service provider through a known, trusted channel. Staying informed about the latest cybersecurity threats can also help you recognize and avoid these sophisticated scams.
(Source: HelpNet Security)