A new phishing campaign pressures victims into entering their credentials by claiming their account will be deactivated, and it uses a countdown timer to build that pressure.
The campaign begins with a text claiming that an attempt to log in to the recipient's account from a location they haven't used before has been blocked, and offering a solution in the form of email verification, cybersecurity researchers at Cofense explained in a blog post.
Ransomware attackers frequently employ fear tactics because victims in a state of panic are more likely to follow instructions, particularly if they've been told something is wrong with their accounts.
What sets this phish apart from other campaigns is the countdown clock displayed to the recipient once the malicious link is accessed. The timer ticks down for an hour, claiming the user must enter their username and password to 'validate' their account before the countdown clock hits zero.
In reality, nothing will be deleted even if the countdown timer reaches zero. The phishing campaign succeeds only if the targeted user falls for the trap and enters their login credentials.
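As an added illustration of the page pattern described above (this is example code written for this article, not code from Cofense or from the campaign itself), the heuristic below flags an HTML page that combines a password form, timer JavaScript and threatening wording; the indicator lists and both sample pages are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Indicator lists are hypothetical, chosen for this example; tune them on real samples.
URGENCY_PHRASES = ("deactivated", "will be deleted", "validate your account",
                   "verify your account", "before the timer", "time remaining")
COUNTDOWN_JS = re.compile(r"\bset(Interval|Timeout)\s*\(", re.I)   # ticking timer logic
TIMER_DISPLAY = re.compile(r"\b\d{1,2}:\d{2}(:\d{2})?\b")          # e.g. 00:59:59


class _PageScanner(HTMLParser):
    """Counts password fields and collects text (script bodies arrive via handle_data too)."""
    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.password_inputs += 1

    def handle_data(self, data):
        self.chunks.append(data)


def score_page(html: str) -> dict:
    scanner = _PageScanner()
    scanner.feed(html)
    scanner.close()
    text = " ".join(scanner.chunks).lower()
    urgency = [p for p in URGENCY_PHRASES if p in text]
    countdown = bool(COUNTDOWN_JS.search(html) and TIMER_DISPLAY.search(text))
    credential_form = scanner.password_inputs > 0
    # All three together is the pattern described in the campaign: a login form,
    # a ticking clock, and threatening language tying the two together.
    return {"credential_form": credential_form, "countdown": countdown,
            "urgency": urgency,
            "suspicious": credential_form and countdown and len(urgency) >= 2}


# Constructed samples, not real campaign pages.
PHISH_SAMPLE = """<html><body>
<p>Your account will be deactivated. Validate your account before the timer reaches zero.</p>
<p>Time remaining: <span id="t">00:59:59</span></p>
<form method="post"><input name="user"><input type="password" name="pass">
<button>Validate</button></form>
<script>var s=3599;setInterval(function(){s--;document.getElementById('t').textContent=s;},1000);</script>
</body></html>"""
BENIGN_SAMPLE = """<html><body><h1>Sign in</h1>
<form method="post"><input name="user"><input type="password" name="pass"><button>Sign in</button></form>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, score_page(page))
```

A mail gateway or URL sandbox would run this over the fetched landing page; a benign login page has the form but neither the timer nor the urgency wording, so it is not flagged.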
Phishing attacks are one of the most common techniques hackers employ to steal usernames and passwords. Earlier this year in May, researchers at Zscaler's ThreatLabz identified a phishing campaign that used fake voicemails to exfiltrate data from US organizations across various industries, including software security, security solution providers, the military, healthcare, and pharmaceuticals.
Tips to mitigate phishing attacks
1. Employ MFA
Using multi-factor authentication (MFA) can help protect accounts because even if the attacker knows the correct login credentials, the need for extra verification prevents them from being able to access the account, as well as providing a warning that something could be wrong.
2. Get free anti-phishing add-ons
Most browsers nowadays let you install add-ons that spot the signs of a malicious website or alert you about known phishing sites. They are usually completely free, so there's no reason not to have them installed on every device in your organization.
3. Don’t enter your credentials on an unsecured site
If the URL of the website doesn't start with "https", or you cannot see a closed padlock icon next to the URL, do not enter any sensitive information or download files from that site. Sites without a security certificate are not necessarily phishing sites, but it's better to be safe than sorry.