Researchers fr om the security firm Abnormal Security have warned about a phishing campaign impersonating the Wells Fargo Security Team that uses calendar invites to lure potential victims to phishing pages.
The phishing messages spotted by Abnormal Security claim to contain a new security key to protect customer’s account. The email urges the user to open the attachment and follow the instructions, or risk having their account suspended.
“Additionally, the message instructs users to open the attached file using their mobile device. Here, the attacker is attempting to exploit a setting where the event will automatically be added to a user’s calendar. Most of these programs will send an automatic notification to the user and attackers hope that potential victims will click on the event and follow the malicious link. As a result, these attacks are more likely to be seen by recipients,” the researchers said.
The malicious attachment in the message is an .ics file used by calendar applications to store scheduling information The file contains a link to a Sharepoint page which presents users with another link to secure their account. In reality, this link leads to a fake page for Wells Fargo wh ere users are prompted to enter their username, password, PIN, and account numbers. The gathered information is then sent directly to the attacker.
So far, the observed phishing campaign targeted more than 15,000 Wells Fargo customers, Abnormal Security revealed.
“Financial institutions are always common targets for attackers. Access to a user’s sensitive information would allow an attacker to commit identity theft as well as steal any money associated with the account. Many of these companies have stringent regulations and security in order to protect users and their financial holdings. However, attackers are continually finding ways to compromise users’ accounts,” the researchers warned.