A business-targeted phishing campaign uses the official website of the targeted company to trick potential victims into entering their credentials into a fake login box.
The attack starts with an email that claims to come from the company's technical support team, informing the user that some incoming emails have been blocked.
To create a sense of urgency, the attacker's message states that the emails are scheduled to be deleted and that, to prevent this, the recipient must open and retrieve them.
A link in the body of the email takes the potential victim to the phishing page, where the company homepage loads automatically. However, the attackers have added a fake login box for users to enter their access details, so the result is a seemingly legitimate page with a malicious login box. This way, even users who suspect an attack can click on the page's links or hover over them, see that they are not fake, and proceed to enter their details.
Cofense's Dylan Main states in a blog post that the links in this phishing campaign all come from the same domain ("traximgarage[.]com") but carry specific parameters that load the webpage corresponding to the target company.
The fake login box also displays the recipient's email address in the "username" field, which confuses the user even more.
Although this method may not be very successful in smaller companies, it may prove effective in larger ones, where employees are more likely to rely on corporate protection systems and be less careful when entering their credentials.
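
As an added example (not taken from Cofense's post or from this article), the following Python check applies the pattern described above on the defender's side: it flags external links that carry the recipient's address or organisation, and reports any single host whose personalised links are aimed at several organisations. The parameter layout, the encodings checked and the `.example` names are assumptions constructed for illustration.

```python
import base64
from collections import defaultdict
from urllib.parse import urlsplit, unquote

def _b64_forms(value):
    # Standard and URL-safe base64 without padding (assumed encodings, not confirmed by the report)
    data = value.encode()
    return {base64.b64encode(data).decode().rstrip("="),
            base64.urlsafe_b64encode(data).decode().rstrip("=")}

def link_findings(url, recipient):
    """Return why an external link looks personalised for `recipient` (empty list if it does not)."""
    addr = recipient.lower()
    org_domain = addr.rpartition("@")[2]
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host or host == org_domain or host.endswith("." + org_domain):
        return []  # link points at the recipient's own organisation
    tail = unquote(f"{parts.path}?{parts.query}#{parts.fragment}")
    findings = []
    if addr in tail.lower() or any(f in tail for f in _b64_forms(recipient)):
        findings.append("recipient address embedded in link")
    if org_domain in tail.lower().replace(addr, ""):
        findings.append("recipient organisation embedded in link")
    return findings

def hosts_targeting_many_orgs(messages, min_orgs=2):
    """messages: iterable of (recipient, [urls]); return hosts personalising links for >= min_orgs domains."""
    orgs_by_host = defaultdict(set)
    for recipient, urls in messages:
        for url in urls:
            if link_findings(url, recipient):
                host = urlsplit(url).hostname.lower()
                orgs_by_host[host].add(recipient.lower().rpartition("@")[2])
    return {h: sorted(o) for h, o in orgs_by_host.items() if len(o) >= min_orgs}

# Constructed sample data: reserved .example names and an invented parameter layout
SAMPLE = [
    ("alice@corp-a.example",
     ["https://lure.example/view?site=corp-a.example&u=alice%40corp-a.example"]),
    ("bob@corp-b.example",
     ["https://lure.example/view#" + base64.b64encode(b"bob@corp-b.example").decode()]),
    ("carol@corp-c.example",
     ["https://intranet.corp-c.example/mail?u=carol@corp-c.example",
      "https://news.example/article?id=42"]),
]

if __name__ == "__main__":
    print(hosts_targeting_many_orgs(SAMPLE))
```

A hit from `link_findings` alone is a weak signal, since legitimate newsletters also personalise links; the per-host aggregation across organisations is what corresponds to the single-domain, per-target-parameter behaviour the report describes.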