Sophisticated Phishing Campaign Targets HubSpot Users
A sophisticated phishing campaign is actively targeting HubSpot users, employing a combination of social engineering and infrastructure compromise to steal credentials from marketing professionals and business teams.
Phishing Tactics and Email Delivery
The attackers initiate the campaign by sending carefully crafted phishing emails that appear to originate from legitimate business accounts. The emails prompt recipients to log into their HubSpot accounts to address an alleged surge in unsubscribes, creating a sense of urgency. To enhance credibility and bypass email security filters, the attackers distribute the messages through MailChimp, a reputable email marketing platform, which makes them more likely to reach the intended targets without being flagged.
Deceptive Techniques to Evade Detection
A notable aspect of this campaign is the embedding of malicious URLs within the sender’s display name rather than in the email body. This tactic circumvents many email security controls that scan the content of the message but overlook anomalies in the sender field. When recipients click the embedded URL, they are redirected from a compromised legitimate website to a counterfeit HubSpot login page. This fake portal is hosted on infrastructure associated with Proton66 OOO, a Russian bulletproof hosting provider linked to autonomous system AS198953. Credentials entered into the fake portal are submitted to the attackers through a login.php file.
Infrastructure and Technical Analysis
The phishing infrastructure is managed through a Plesk-controlled virtual private server with exposed mail services, including Postfix and Dovecot. The server at 193.143.1.220 exposes a wide array of open ports, including SMTP on ports 25 and 465, IMAP on ports 143 and 993, and multiple Plesk administrative interfaces. This configuration suggests a setup optimized for rapid deployment and rotation of phishing campaigns. Further analysis indicates that the same IP address is associated with multiple other phishing attempts, pointing to a pattern of organized malicious activity. The exposed Plesk control panels allow the attackers to swiftly deploy new phishing pages, manage compromised email accounts, and rotate infrastructure to evade detection.
Recommendations for Organizations
To mitigate the risks posed by such phishing campaigns, organizations should implement security measures that extend beyond standard email authentication protocols. This includes educating employees about phishing, encouraging vigilance when handling unsolicited emails, and verifying URLs before clicking. Additionally, organizations should consider deploying email filtering solutions capable of analyzing every component of a message, including the sender’s display name, so that malicious messages are detected and blocked regardless of where the lure is placed.
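The display-name lure described above, and the filtering recommendation here, both come down to the same check: decode the From header the way the recipient's client will and look for URL-like text in the name part. The following is an added illustration, not code from the article or from any vendor; the sample headers, hostnames and the URL heuristic are constructed for the example.

```python
import base64
import re
from email import message_from_string, policy

# URL-like text: explicit scheme, a "www." host, or a bare hostname with a
# common TLD. Broad on purpose: none of these belong in a display name.
URL_IN_NAME = re.compile(
    r"(?i)(?:https?://\S+|www\.\S+|(?:[a-z0-9-]+\.)+(?:com|net|org|io|ru|info|biz|top|xyz)\b)"
)

def analyze_from_header(raw_from: str) -> dict:
    """Parse a raw From header and flag URL-like text in its display name.

    The modern email parser decodes RFC 2047 encoded words first, so a lure
    hidden as =?utf-8?B?...?= is inspected as the text the recipient sees.
    """
    msg = message_from_string(f"From: {raw_from}\r\n\r\n", policy=policy.default)
    header = msg["From"]
    if header is None or not header.addresses:
        # Unparseable sender: treat as suspicious rather than silently passing.
        return {"display_name": "", "sender_domain": "", "urls": [],
                "suspicious": True, "domain_mismatch": False}
    addr = header.addresses[0]
    name = addr.display_name or ""
    urls = URL_IN_NAME.findall(name)
    # A host in the name that is not the sending domain is the classic lure:
    # the reader sees a familiar-looking link, the filter sees only a name.
    sender_domain = addr.domain.lower()
    mismatched = [u for u in urls if sender_domain and sender_domain not in u.lower()]
    return {"display_name": name, "sender_domain": sender_domain, "urls": urls,
            "suspicious": bool(urls), "domain_mismatch": bool(mismatched)}

def scan(headers):
    """Return the From headers whose display name carries a URL."""
    return [h for h in headers if analyze_from_header(h)["suspicious"]]

# Constructed sample headers (not from the campaign): a benign sender, a
# plain-text URL in the name, and the same lure as an encoded word.
ENCODED_NAME = base64.b64encode(
    b"Unsubscribe alert www.hubspot-alerts.example.com").decode()
SAMPLE_FROM_HEADERS = [
    '"Jane Doe" <jane.doe@example.net>',
    '"Review unsubscribes: https://login.example.invalid/hub" <alerts@mailer.example.org>',
    f"=?utf-8?B?{ENCODED_NAME}?= <notifications@mailer.example.org>",
]

if __name__ == "__main__":
    for raw in SAMPLE_FROM_HEADERS:
        print(analyze_from_header(raw))
```

Run against a mail gateway's logged From headers, the `domain_mismatch` flag separates a sender that merely mentions its own site from one whose name points somewhere else entirely.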