A phishing campaign is targeting AT&T employees and contractors with a well-crafted fake login page, according to Luke Leal at Sucuri. The phishing page is a near-exact replica of AT&T Global’s real employee login portal, and it even offers a dropdown menu for the user to choose one of five different modes of authentication. The first option is a traditional password, while the other four are one-time password (OTP) solutions AT&T uses for added security. These include SecurID (used by the company’s employees), SAFENet (used by certain AT&T business customers), and MTIPS (usually used by the US government).
If a user enters their username and password on the phishing page, their credentials will be sent to the attackers via a Telegram bot API, and the attacker will presumably quickly log in to the account using the one-time password. (It’s not clear if any employees have actually fallen for this attack.)
Leal explains that employee accounts at AT&T and other telecom companies are particularly high-value targets. Depending on the level of access an employee has, the attacker could potentially use the compromised account to assist in launching more devastating attacks against other organizations.
“Employees at companies of all sizes can be targets of phishing attacks, but certain corporations or industries can be more valuable to an attacker than others,” Leal writes. “For instance, employees at telecom companies will often have some level of elevated access that is unavailable to a non-employee. In fact, this access can be so valuable that attackers often find it easier and more efficient to simply bribe employees with large amounts of money, as revealed in a case last year.”
Multifactor authentication is a vital layer of defense for all organizations, but it isn’t foolproof. New-school security awareness training can teach your employees how to avoid falling for these types of attacks.
Sucuri has the story.
Here's how it works:
