When Best Practice Isn't Good Enough: Large Campaigns of Phishing Attacks in Middle East and North Africa Target Privacy-Conscious Users (Dec 19, 2018)
Amnesty International has observed several phishing campaigns targeting users in the Middle East and North Africa. Two recently discovered phishing sites impersonated the secure email providers Tutanota and ProtonMail and attempted to trick users into entering their email credentials. The threat actors purchased the domain "tutanota[.]org" and replicated the legitimate site, even obtaining TLS certificates so that the fake site was served over "https://" and appeared legitimate. If a user entered their credentials to log in, the threat actors stored those credentials while also passing them through a valid login to the original, legitimate Tutanota site. ProtonMail was replicated in the same way, this time with an extra "e" inserted into the domain name to give "protonemail[.]ch". Credentials entered into this fake site were handled exactly as on the Tutanota phishing site.
Recommendation: Educate your employees on the risk that typosquatting represents: a fake site is often very difficult to distinguish from the legitimate one, and a typosquatted domain may read almost identically to the real one. Bookmarking frequently used domains, or reaching them through a search engine rather than typing the domain by hand, is a good mitigation against typosquatting.
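As an added example (not from the Amnesty report or this briefing), a small Python check that flags the two look-alike patterns described above, a TLD swap such as tutanota[.]org and a one-character insertion such as protonemail[.]ch, in a DNS-log sample; the protected-brand list and the log lines are constructed assumptions, and the classifier also covers the related deletion, substitution and embedded-brand cases.

```python
# Brand domains to protect; an assumption for this example, not from the report.
PROTECTED = ("tutanota.com", "protonmail.com", "protonmail.ch")

# Constructed DNS-log sample; only tutanota.org and protonemail.ch come from the report.
SAMPLE_LOG = """\
2018-12-19T10:01:02Z 10.0.0.5 query tutanota.com
2018-12-19T10:01:09Z 10.0.0.5 query tutanota.org
2018-12-19T10:02:15Z 10.0.0.7 query protonemail.ch
2018-12-19T10:03:40Z 10.0.0.9 query example.com
"""

def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def label_of(domain):
    """Registrable label without its TLD ('tutanota.org' -> 'tutanota')."""
    return domain.lower().strip(".").rpartition(".")[0]

def classify(candidate):
    """Return (kind, brand) if candidate resembles a protected brand, else None; kind is
    'legitimate', 'tld_swap', 'insertion', 'deletion', 'substitution' or 'combosquat'."""
    if candidate.lower() in PROTECTED:
        return "legitimate", candidate.lower()
    cand = label_of(candidate)
    for brand in PROTECTED:
        known = label_of(brand)
        if cand == known:                       # same name, different TLD (tutanota.org)
            return "tld_swap", brand
        if levenshtein(cand, known) == 1:       # one typo away (protonemail.ch)
            diff = len(cand) - len(known)
            return {1: "insertion", -1: "deletion"}.get(diff, "substitution"), brand
        if known in cand:                       # brand embedded in a longer label
            return "combosquat", brand
    return None

def scan(log_text):
    """Map each queried hostname that mimics a brand (but is not one) to (kind, brand)."""
    verdicts = {line.split()[-1]: classify(line.split()[-1]) for line in log_text.splitlines()}
    return {name: v for name, v in verdicts.items() if v and v[0] != "legitimate"}
```

Running `scan(SAMPLE_LOG)` flags only the two look-alike names; the legitimate brand domain and the unrelated domain are left alone.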
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.