Jigsaw Security is warning people about a new scheme that is resulting in infections at a higher than normal rate. If you're like us and started seeing messages in your email made to look like voice message notifications earlier this week, you are not alone. The new two-pronged attack has been observed and reported by several Jigsaw Security customers and appears to be an effective way to infect unsuspecting customers. Here's how it works, based on what our research has uncovered.
For the attack to succeed, the attacker needs 2 pieces of information: first your phone number, and then your email address. A third potentially useful piece of information is your phone, VoIP or business phone provider, which can be used to format the phishing message appropriately, making it more believable.
Stage 1 - The Phone Call
The first part of this attack is a phone call in which the caller says things such as "we see you have reached out for a job" and that the line "is being recorded". The threat actor attempts to get you to say the word "yes" by asking very direct questions such as "did you apply for a job?" or "can you hear me?", or in some cases by asking for you by name, hoping you say yes. If you say the word "yes", they hang up and use parts of the recording to authorize other fraudulent transactions or to bill calls to your phone number (to scam other people).
Stage 2 - The Phishing Email
The next part of this scam arrives as a phishing email made to look like a legitimate voice message from several providers. This plays into the fact that the threat actor has already made a call that you likely didn't answer, so the next logical step, if it were a legitimate call, would be for the caller to leave a voice message. The first indication that something is not right is that you don't have any voice message on your actual phone.
Stage 3 - Infection and Theft of Information
The third stage is the infection resulting from stage 2, which allows the threat actor to collect further information about you, including passwords and sensitive banking information.
We believe that this activity is a result of illegitimate job postings on job boards. Once they have your name, phone number and email address, they can target the applicants with whom they think they may be successful. If you're applying for jobs, some things to look out for are common misspellings of words in the job posting and sentence structure, as indicators that the poster may not be a native English speaker, although many recruiters these days are also foreign.
Just be mindful of the information you give to prospective employers. With just a little bit of research they can find out everything needed to commit fraud against unsuspecting persons who are not really paying attention to what is going on.
On 14 November 2018 we observed exactly this transpire, and we have had multiple reports of similar activity from customers. We ask all customers and those reading our bulletins to be aware of this activity and to protect their information.