US confiscates domains used in major phishing attack


US authorities have confiscated domain names recently used in a large-scale attack against governments and NGOs. According to Microsoft, the attack was carried out by the same group responsible for last year's SolarWinds attack.


In the recent phishing attack, attackers were able to gain access to the Constant Contact account of USAID, the development agency of the US government. Constant Contact is a service used for email marketing. The attackers then sent phishing emails that appeared to be from USAID via the compromised account.


The emails contain a legitimate Constant Contact link which in turn points to a malicious ISO file. This ISO file contains both malware and a PDF document that serves as a distraction. The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) of the US Department of Homeland Security said the recent campaign attacked more than 7,000 accounts of more than 350 government organizations and NGOs.


The US Department of Justice obtained a court order allowing it to confiscate two domain names used in the phishing attack. The domains were used to control infected computers and to host the malware that was delivered.
