TDC Phishing Campaign Spreads like Wildfire through Legitimate Google Ads


Heimdal™ Security’s Incident Investigation and Response Department has recently unearthed a new type of phishing campaign that targets TDC customers at random. Forensic analysis of malicious samples retrieved from an anonymous client revealed that the perpetrator(s) lured TDC clients with the promise of various high-value prizes. Dubbed the TDC Phishing Campaign, it has so far evaded detection by disguising itself as a seemingly legitimate Google Ad.


Overview


The investigation (ongoing) has identified that the perpetrator is using a ‘rogue’ domain to serve illegitimate ‘sponsored’ ads to TDC customers. No discernible targeting pattern has been identified so far.


However, based on the available information, we have inferred that the malicious actor(s) could have gained access, through fraudulent means, to a TDC database and begun serving fake ads to clients who signed up with the Danish ISP within a one-year timeframe.


Regarding the dissemination vector, Heimdal™ Security has discovered that the fraudulent ads originate from a Hong Kong-registered domain (according to intel retrieved from Whois):



Domain sanitized by Heimdal™ Security


The malicious, Hong Kong-based domain, which is registered to a fictitious company, appears to have been created three days before the first fraudulent pushed ad was discovered. From the intelligence we have gathered, there is no evidence to suggest financial losses for TDC customers.
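The three-day gap between domain registration and the first observed ad is the kind of signal a defender can check automatically: a domain whose Whois creation date is only days old at the time it starts serving sponsored ads deserves scrutiny before its landing page is ever visited. The following is an added example written for this article, not code from Heimdal™ Security or from the investigation; the Whois record, the domain name, the registrar, the observation timestamp and the 30-day threshold are all constructed for illustration, and the set of creation-date field labels is an assumption (registries use several spellings and this list is not exhaustive).

```python
"""Added example (not Heimdal's code): flag a domain as newly registered when
its Whois creation date falls within a few days of the first observed ad."""
from datetime import datetime, timezone

# Creation-date labels seen across registrars/registries.
# Assumption: illustrative list, not exhaustive.
_DATE_KEYS = {"creation date", "created on", "registration time", "created"}

# Date layouts commonly found in Whois output. Assumption: illustrative list.
_DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d", "%d-%b-%Y")


def parse_creation_date(whois_text):
    """Return the first parseable creation date in a raw Whois record as an
    aware UTC datetime, or None if no recognised field/format is present."""
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if not sep or key.strip().lower() not in _DATE_KEYS:
            continue
        value = value.strip()
        for fmt in _DATE_FORMATS:
            try:
                return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
            except ValueError:
                continue
    return None


def domain_age_days(whois_text, observed_at):
    """Whole days between domain creation and the moment the ad was observed,
    or None when the record carries no usable creation date."""
    created = parse_creation_date(whois_text)
    if created is None:
        return None
    return (observed_at - created).days


def is_newly_registered(whois_text, observed_at, max_age_days=30):
    """True when the domain was created at most max_age_days before observed_at.
    A negative age (creation date in the future) is treated as not matching."""
    age = domain_age_days(whois_text, observed_at)
    return age is not None and 0 <= age <= max_age_days


# Constructed sample record; the domain, registrar and organisation are fictitious.
SAMPLE_WHOIS = """Domain Name: EXAMPLE-PRIZE.HK
Registrar: Example Registrar Ltd
Creation Date: 2020-03-02T08:15:00Z
Registrant Organization: Nonexistent Co. Ltd
"""

# Constructed timestamp of the first sighting of the sponsored ad.
OBSERVED_AT = datetime(2020, 3, 5, 10, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    age = domain_age_days(SAMPLE_WHOIS, OBSERVED_AT)
    print(f"domain age at first sighting: {age} days")
    print("newly registered:", is_newly_registered(SAMPLE_WHOIS, OBSERVED_AT))
```

Two caveats apply in practice: many registries redact or omit the creation date under privacy rules, in which case the check returns None rather than a false negative and the domain should be escalated on other grounds; and an attacker can buy an aged, previously parked domain, so domain age is a triage signal to combine with registrant and hosting intel, not a verdict on its own.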


In analyzing the TDC Phishing Campaign, we discovered that potential victims were lured with fake prizes consisting of high-end electronics: an iPhone XS, an Apple Watch or an iPhone 11 Pro.


Allegedly, these prizes were offered either on a loyalty basis or as part of a fake TDC anniversa ..
