Hackers Using Secure Email to Trick Users into Handing Over Credentials

Hackers are using a brand new spoofing email to lure victims into handing over credentials and other personal information. The trick uses a secure email coming from a Baptist church domain.

What is Happening?

According to Armorblox threat researchers, the email has gone out to more than 75k inboxes on platforms like Office 365 accounts, Google Workspace, Exchange, Cisco ESA, and others.

The threat assessors found that the email impersonates a Zix encrypted email but comes from a Baptist religious service and the domain “thefullgospelbaptist[.]com.”

The domain, according to Threatpost,

“might be a deprecated or old version of a legitimate Baptist domain, fullgospelbaptist[.]org, which is a religious organization established in 1994.”

On Tuesday, Armorblox reported that the encrypted Zix email has gone out to over 75,000 recipients and is successfully evading detection. The company mentioned that this particular attack is targeting a variety of different types of companies such as government, education, financial services, healthcare, energy, and others. Typically, senior executives, as well as departmental employees, are the victims.

To legitimize the cyber attack, the subject of the email is “Secure Zix message.” The message includes a message button, and victims are asked to click the button to view their secure message, but if they do, the link “attempts to install an HTML file named ‘secure message' on the victim’s system. Attempting to open the file in a VM wasn’t possible because the redirect to download the file didn’t appear within the VM. At the time of writing, opening up this HTML message after download leads to a ‘block’ page driven by most site-blockers.”

One interesting note is that each targeted company received a few different emails within different departments, expanding the target base per victim.

Armorblox explains,

“For example, for one of our SLED customers, people targeted by this attack included the CFO, a Director of Operations, a Director of Marketing, and a Professor. For another customer, a wellness company, the target employees included the SVP of Finance and Operations, the President, and a utility email alias (member.services@company[.]com).”

However, multiple people within each department were not targeted.

How Does It Work?

his particular scheme works due to hackers employing a bunch of different tactics combined to execute an effective phishing campaign. Although it is not yet known how many people have clicked the link and been affected.

First, the email uses social engineering to get users to trust it. It looks like the email comes from Zix, a trusted company. It also contains a sense of urgency so that recipients will click the link without first verifying the sender or the domain where it came from.

Armorblox also mentions that,

“The context of this attack also leverages the curiosity effect, which is a cognitive bias that refers to our innate desire to resolve uncertainty and know more about something.”

Secondly, the hackers use brand impersonation by creating an email that could visually pass for one produced using a Zix template.

The hackers use a legitimate domain (although unrelated to anything in the email) from a Baptist religion. Using a legitimate domain helps to defy detection in spam blockers.

Finally, the bad actors employ the use of existing workflows. “The context for the email attack replicates workflows that already exist in our daily work lives (getting encrypted email notifications). When we see emails we’ve already seen before, our brains tend to employ System 1 thinking and take quick action. The email content even had every victim’s first name filled in to increase the feeling of legitimacy and the chances of follow-through.”

This is just another example of cybercriminals evolving to find new ways to dupe victims into fraud.