In the middle of the Christmas shopping season, phishing is back, and cybercriminals are once again taking advantage of people’s desire to find offers, jobs and bonuses before the end of the year. In recent days, Proofpoint has observed an increase in credential phishing, fraud and malware campaigns built around the most opportunistic themes.

“Consistent with previous holiday seasons, cybercriminals launch their holiday and year-end-themed threats to meet people where they are, browsing digitally for gifts or deals on different websites. Many people also expect to receive holiday bonuses or work-related announcements for their financial benefit, an issue that attackers will also take advantage of. The holidays are a good time to social engineer opportunities that seem like they can’t be missed and convince people to make risky decisions online,” explain the Proofpoint researchers.

Credential phishing

These are the most common lures:

  • Fraudulent holiday flight offers: Proofpoint researchers have detected a malicious campaign advertising promotions for travel this winter with an alleged airline. Its messages, in Spanish and English, contained compressed executables that led to the installation of Remcos RAT.
  • Credential phishing through alleged payrolls and bonuses: Most of the Christmas-themed lures observed by Proofpoint are user credential harvesting campaigns. In one, cybercriminals posed as human resources or payroll departments, customizing their communications with the target organization’s logo or a Microsoft logo. These messages contained Open Office XML files and a QR code. If scanned, the QR URL directed users to a spoofed authentication page. The attachments carry data at the beginning of the file that is not allowed there, but which Microsoft Office can automatically correct by deleting it; an abusive practice meant to bypass sandbox detection.
  • Scams with fake temporary jobs: Proofpoint has identified an employment fraud campaign posing as the nonprofit organization Project HOPE and attempting to recruit workers. In many emails, cybercriminals emphasized the idea that this would be extra income for these Christmas holidays. The emails came from likely compromised senders and aimed to steal money through advance fee or cryptocurrency fraud, obtain personally identifiable information, or recruit an individual to unknowingly carry out illegal activities such as money laundering.
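
The payroll lure above depends on data placed in front of the document that Microsoft Office silently removes. As an added example (not Proofpoint's code or detection logic), this Python check measures how many bytes precede the ZIP container of an Office XML attachment. It assumes the attachment is a ZIP-based Office document; the function names and sample bytes are constructed for illustration.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record
LOCAL_SIG = b"PK\x03\x04"  # local file header, expected at offset 0


def prepended_bytes(data: bytes) -> int:
    """Count bytes in front of the ZIP container (0 = file starts cleanly)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or len(data) - eocd < 22:
        raise ValueError("no ZIP end-of-central-directory record found")
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    # The central directory ends where the EOCD begins; compare its real
    # position with the offset the archive declares for it.
    shift = (eocd - cd_size) - cd_offset
    if shift < 0:
        raise ValueError("central directory offsets are inconsistent")
    # Offsets may have been rewritten to hide the prefix, so also look at
    # where the first local file header actually sits.
    return shift or max(data.find(LOCAL_SIG), 0)


def inspect_attachment(data: bytes) -> dict:
    """Triage one attachment: is it Office XML, and is data prepended?"""
    try:
        prefix = prepended_bytes(data)
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            ooxml = "[Content_Types].xml" in zf.namelist()
    except (ValueError, zipfile.BadZipFile):
        return {"ooxml": False, "prepended": None, "suspicious": False}
    return {"ooxml": ooxml, "prepended": prefix,
            "suspicious": ooxml and prefix > 0}


def build_sample(prefix: bytes = b"") -> bytes:
    """Constructed sample: a minimal Office-style archive, optional prefix."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return prefix + buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_sample()),
                        ("tampered", build_sample(b"constructed filler\n"))):
        print(label, inspect_attachment(blob))
```

A mail gateway or triage script can flag attachments where `suspicious` is true for manual review or detonation after repair, since a well-formed Office document has no reason to carry bytes before its first ZIP header.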