• Mimecast uncovers phishing campaign targeting the UK Home Office
  • Accounts are being stolen through phishing emails and fake websites
  • The fake sites are almost indistinguishable

A phishing campaign has been uncovered by Mimecast researchers targeting the Home Office Sponsorship Management System (SMS).

The main aim of the campaign appear to be to compromise access to accounts, which can then be sold on the dark web, extorting organizations through the theft of sensitive data, and creating fraudulent Certificates of Sponsorship (CoS).

The campaign doesn’t just affect organizations with sponsor license privileges, but threatens to undermine the entire UK immigration system.

UK Home Office at risk

The attackers begin the campaign by sending emails that closely resemble legitimate emails distributed by the Home Office, using the same branding and stylization. The emails include an urgent call to action that threatens account suspension if the user doesn’t log in.

The victims are guided to a fake login page via a captcha-gated URL that looks very similar to the legitimate URL used by the Home Office. After completing the captcha, the user lands on a cloned Home Office login page.

The only differences between the legitimate and illegitimate pages are in the form submission. The fake page directs credentials to an attacker-controlled script, where the exposed credentials can be used to log in to the victims account.

With the stolen accounts, the attackers can then create fake job offers and visa sponsorship schemes, and charge victims tens of thousands of pounds to access them.

The best protection against phishing campaigns such as this one is constant vigilance. Always double check URLs and be cautious of urgent calls to action.

A full list of the indicators from this phishing campaign can be found on the Mimecast blog.

You might also like