Attackers Are Using Skype Notifications to Steal Microsoft Office Credentials
Attackers are sending phishing emails disguised as fake Skype notifications to steal Microsoft credentials. The notification appears to be an automated email and attempts to trick the recipient into entering their login information on a spoof web page. The design of the phishing email and credential stealing site impersonates Microsoft’s Skype. The messaging mentions the victim’s employer and claims to be from their finance department.
The body of the Skype phishing email contains a cloaked link that claims to be a link to an invoice for Skype service. If the reader clicks on the link, they are redirected to a fraudulent Microsoft login page. The scam login page contains both Microsoft and Skype branding to make it appear authentic, says a report by cyber security researchers at Abnormal Security.
The attacker is also using a link tracking service. This enables them to track which recipients clicked on the link. The threat actor can also change the destination of the cloaked link. The credential phishing page is hosted on “web.app” rather than Microsoft.com
Why this cyberattack is dangerous
This cyberattack is especially dangerous because of increased use a video conferencing calls and an unusually high work-from-home workforce. Students, employees, and family are increasingly using messaging apps and video conferencing software like Skype, Zoom, and Google Hangouts to complete their daily tasks, attend classes, and stay in touch with family and friends. This gives hackers opportunities to steal login credentials or hack into live video sessions by stealing links to scheduled calls.
In this cyber attack, the threat actors are attempting to steal Microsoft Office login credentials. Even though it seems like a compromised email password is not critical, it gives the attacker leverage to further compromise an employer or even steal money. If the threat actor can hack into an email account, they can use it to send more phishing emails to other employees in the organization or anyone else on the contact list.
Why Reusing Passwords is Never a Good Idea
People commonly reuse the same password across multiple online accounts. When a threat actor gains access to one online account, like an email, they can scan MS Outlook and find all the other online accounts that are attached to it. The hacker can try and use your email password to log into any other account that’s connected to this email. If that doesn’t work, then they can send password reset requests and have them sent to your compromised email address. For example, if you use your work email login to a bank account then the hacker may attempt to get into the bank account using your stolen Microsoft Office password.
To defend against phishing emails and credential-stealing attacks always use a unique password for every online account.
- If you cannot remember a strong and unique password for every online account, then use a password vault to help create them and store them.
- Use an anti-malware program to protect your computer and phone and to help detect phishing emails.
- Always scrutinize every email even if you feel that you know the sender.
- Never download an email attachment that you were not expecting. Call the sender and ask them if they sent something.
- Do not click on links in emails to manage financial accounts or invoices. Always go directly to the financial institution website and log in directly.
- When in doubt call
Michelle writes about cyber security, data privacy focusing on social media privacy as well as how to protect your IoT devices. She has worked in internet technology for over 20 years and owns METRONY, LLC. Michelle earned a B.S. in Engineering from Rensselaer Polytechnic Institute. Michelle published a guide to Cyber Security for Business Travelers