Phishing campaign pushes malware by impersonating as Global recruitment firm

An ongoing phishing campaign is pushing Ursnif data stealing malware by posing as Michael Page consultant. This malware capable of harvesting credentials and sensitive data from the target system.

Michael Page is a renowned and leading employment agency which focus on recruiting professionals for permanent, contract, temporary or interim positions.

“We are continuing to experience a global phishing campaign where our employees are being impersonated,” Michael Page UK said.

“We are confident that no PageGroup system has been compromised,”, the parent company added. They mentioned that the attackers have not hampered the recruitment company’s server but they are spamming the mail of the customers by sending the malware to random targets. 

“These phishing emails are being generated from publicly available information not linked to our business and are being then sent on to random email recipients,” PageGroup revealed.

PageGroup requests the users not to respond or click on any embedded link if anyone receives any suspicious email from Michael Page.

The Victims get baited by Executive Positions-

The attackers are luring the targets by posing as Michael Page headhunter and offering them the executive positions. These emails contain embedded links that land to pages which features GeoIP and anti-bot checks. The victims are then directed to download file that contain malicious Excel sheet featuring DocuSign branding. The victim is asked to enable editing to decrypt and open the document. 

Once the job is done, a fake decoy document showing information of a fake position is opened and the Ursnif malware payload is downloaded at the background and installed in the computer. Ursnif is an information stealing malware. Once this malware gets installed in the computer, it collects all the data like the sites the victims visit, the clipboard content. These information are collected in log files and transmitted back to its operator. The operator may steal the log in credentials and other sensitive data to compromise the system even further.

Leave a Reply