Attackers Abuse Eventbrite to Send Phishing Emails



phishing websiteAttackers are abusing Eventbrite’s scheduling platform to send phishing emails, according to researchers at Perception Point. These attacks increased by 900% between July and October 2024.

“Perception Point researchers observed phishing emails delivered via ‘noreply@events.eventbrite[.]com,’” the researchers write.

“Despite being presented as legitimate events created on the Eventbrite platform, attackers use these messages to impersonate known brands like NLB, DHL, EnergyAustralia, and Qatar Post.

Each email urges the recipient to take action: reset your PIN code; verify your delivery address; pay for an outstanding bill; pay for a package. These time-bound requests employ a social engineering tactic threat actors use to prompt the target to act fast.”

The attackers set up events in Eventbrite, and then send invitations with embedded phishing links. The emails are more likely to bypass security filters since they’re sent from a legitimate service.

“Once the target clicks on the phishing link, they are redirected to a phishing page,” Perception Point says. “We found examples spoofing Qantas airline, Brobizz toll collection, web hosting platform One(.)com, European financial institution NLB, and many more. Designed to look like legitimate websites, targets are asked for personal information, like their login credentials, tax identification numbers, phone numbers, credit card details, and more.”

The attacker can fully customize the appearance of the email to make it look like a convincing notification from the spoofed brand.

“Once the attacker creates an event, they can then create emails from within the Eventbrite platform to be sent to attendees,” the researchers write. “These emails can include text, images, and links, all of which are prime opportunities for attackers to smatter in malicious content. “The attacker then enters their list of targets (or ‘attendees’) and sends them the invite email. Once sent, the target receives an email from ‘noreply@events.eventbrite[.]com,’ containing all of the malicious details the attacker included.”

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Perception Point has the story.


Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

PST ResultsHere's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/phishing-security-test-offer



Subscribe to Our Blog


Comprehensive Anti-Phishing Guide




Get the latest about social engineering

Subscribe to CyberheistNews