According to research from security firm Cofense, bad actors have crafted emails that look like legitimate Skype communications. In the emails, users are prompted to act on 13 pending Skype notifications by clicking the “Review” option. Because Skype does send these kinds of notifications, unwitting users could fall foul of the attack. “It is not uncommon to receive emails about pending notifications for various services,” researchers wrote. “The threat actor anticipates users will recognize this as just that, so they take action to view the notifications. Curiosity and the sense of urgency entice many users to click the ‘Review’ button without recognizing the obvious signs of a phishing attack.” More experienced users might be able to spot the various discrepancies that give the scam away. Specifically, the sender address has been designed to look like a legitimate phone number from Skype. However, if you check the return-path (sent from) field, you can see an external, non-Skype compromised account.
Clever Attack
With that in mind, the obvious advice is to either ignore any Skype email or check the sent-from field first. When unsuspecting users select “Review”, they are sent to the following links: hxxps://jhqvy[.]app[.]link/VAMhgP3Mi5 and then the landing page hxxps://skype-online0345[.]web[.]app. Even the .app domain seems legitimate, because it is used by developers to host their apps and is run by Google. “A benefit of this top-level domain is that it requires HTTPS to connect to it, adding security on both the user’s and developer’s end, which is great…but not in this case,” added researchers. “The inclusion of HTTPS means the addition of a lock to the address bar, which most users have been trained to trust. Because this phishing site is being hosted via Google’s .app TLD it displays this trusted icon.” It’s clear the attackers wanted to create a real-looking phishing email. For the most part, the logos and login box closely mimic Microsoft’s communication tool. There’s even a warning on the page saying the email is for “authorized use” only. “The only thing left for the user to do is to enter his or her password, which then falls into the hands of the threat actor,” said researchers.
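The two checks the article describes, comparing the visible From domain with the Return-Path and inspecting where the “Review” link actually points, as an added Python example that is not Cofense's code; the sample message and the expected-domain allowlist are constructed assumptions:

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains a genuine Skype notification and its links would be expected to use
# (assumption for this example; tune it to your own mail-flow telemetry).
EXPECTED_DOMAINS = {"skype.com", "microsoft.com", "live.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _domain(addr_header):
    """Lowercase domain of an RFC 5322 address header, or '' if none."""
    _, addr = parseaddr(addr_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _is_expected(host):
    return any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)


def analyze(raw_message):
    """Flag a Return-Path domain that differs from the visible From domain,
    and body links whose host is not one the claimed brand would use."""
    msg = email.message_from_string(raw_message)
    from_domain = _domain(msg.get("From"))
    return_path_domain = _domain(msg.get("Return-Path"))
    # Single-part bodies only; a multipart message would need per-part walking.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    suspicious = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host and not _is_expected(host):
            suspicious.append(url)
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "domain_mismatch": return_path_domain != from_domain,
        "suspicious_links": suspicious,
    }


# Constructed sample mirroring the campaign's shape (not a real message).
SAMPLE = """\
Return-Path: <it-helpdesk@compromised-vendor.example>
From: "Skype" <notifications@skype.com>
Subject: You have 13 pending notifications

Review your pending notifications: https://example-redirect.app/abc123
"""
```

A mismatch alone is not proof of phishing (legitimate bulk senders often use a separate bounce domain), so treat the result as a triage signal to combine with link inspection rather than a verdict.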