Skip to main content

Latest Phishing Attempt – Failed Delivery Messages Attack

The J2 Cyber Security Centre team and Technical team had numerous requests to review if there was an issue as to why they were receiving these. These types of emails are targeted at generic accounts such as info@, contact and in some instances to direct email accounts.

info@, contact and in some instances to direct email accounts.

In order to make sure that you do not become a victim we can provide further analysis of this attempt. The attack starts with an email stating that you have failed delivery messages waiting to retrieved.

We detected that these mails came from known senders that regularly communicated with the recipient so the recipient would normally look at these as trusted senders or would be added to company whitelisting. It also points to 3rd party compromise.

The email contains a link to retrieve these messages now, after clicking on the link it will ask you to input your mailbox credentials.

email contains J2 Software

*Sample of email body you would of received.

Sample of email body you would of received J2 Software

After analysing the site, we extracted a file on 1 of the sites and we came across a zip file which contained some of the workings around how this site functions to change the look and layout of the page by detecting who your email provider is.

Some of the more common South Africa email accounts like MWEB, Telkom and iAfrika are seen in the script to try persuade you that you are actually connecting to a legitimate website.

Index J2 Software Logo J2 Software

Some of the inner workings of the code we found on the site to how it detects what email provider you are using and applies the image logo of the provider.

Scripting J2software  Scripting J2software1

After attempting to login with your credentials, your credentials are then sent through in this instance to Gmail accounts without your knowledge.

Scripting J2software2

A Few Technical Recommendations

  1. Make sure your email security provider is using an extra layer of security for URL protection and URL rewriting links sent in mails, this ensures that links are also inspected.
  2. Ensure that your endpoints internet traffic is inspected through an inline web security solution with DNS protection when devices connect to the internet.
  3. Engage and educate your end user so that they do not accidentally expose themselves and your organisation.

Findings and further reading

  1. URL Protection - https://www.j2.co.za/j2-software-solutions/mimecast

Mimecast J2 Software

2.DNS Protection - https://www.webroot.com/za/en/business/dns-protection

Webroot J2 Software

If you have fallen victim to this, make sure you change all your login details also feel free to get in touch with us for more information and assistance. 

Would your security provider have detected and stopped this? 

Jarred Reid-Robertson

Martin Erasmus

  • Hits: 2933