Fake special offers, contracts and websites of well-known German car dealerships
Check Point Research (CPR), the research arm of Check Point Software Technologies, has discovered an ongoing, targeted cyber attack campaign that uses German car dealerships as a cover. The aim of the attacks was to steal information using several types of malware. The actors behind the campaign first registered a number of look-alike domains, each imitating an existing German car dealership. These domains were later used to send phishing emails and to host the malware infrastructure. CPR traced the malware back to an Iranian website that served as a hosting site and is not government-run.
This is how the attackers proceeded: they first set up mail servers under their own domains and used them to send emails. The emails were meant to attract attention by advertising various car offers, and carried attachments presented as contracts and receipts for the supposed transactions. These "documents" were in fact HTA files packed inside ISO/IMG disk images. As soon as a recipient opened them, the threat actors' malware was downloaded and executed on the target's computer to steal information.
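The attachment pattern described above, an ISO/IMG disk image that carries an HTA file, is something a mail gateway can flag before the image is ever mounted. The following is an added example of such a triage rule written for this page; it is not Check Point's tooling and is not code from the campaign. It assumes the gateway hands it the raw RFC 5322 message, checks the ISO9660 magic (`CD001` at byte offset 0x8001) so that a renamed image is still caught, and looks for HTA entry names with a raw byte scan of the image (ISO9660 stores names in ASCII, Joliet in UTF-16BE). The scan is a heuristic, not a full filesystem parser, and the sample image and message are constructed stand-ins built inline.

```python
import email
import os
import re
from email import policy
from email.message import EmailMessage

# Hypothetical mail-gateway triage rule (added example, not Check Point tooling).
# It flags the pattern described in the article: an ISO/IMG disk image carrying
# an HTA (HTML Application) file, which Windows runs as script via mshta.exe.
CONTAINER_EXTS = {".iso", ".img"}
SCRIPT_EXTS = {".hta"}
ISO_MAGIC = b"CD001"         # ISO9660 volume descriptor identifier
ISO_MAGIC_OFFSET = 0x8001    # sector 16 * 2048 bytes + 1 (a type byte precedes "CD001")

# ISO9660 directory records store names as plain ASCII ("CONTRACT.HTA;1");
# Joliet extensions store them as UTF-16BE. Both are matched by a raw byte scan,
# which is a triage heuristic rather than a full ISO9660 parser.
_ASCII_HTA = re.compile(rb"[A-Za-z0-9_\-]{1,64}\.HTA(?:;1)?", re.IGNORECASE)
_JOLIET_HTA = re.compile(rb"(?:\x00[A-Za-z0-9_\-]){1,64}\x00\.\x00[Hh]\x00[Tt]\x00[Aa]")


def is_iso9660(data: bytes) -> bool:
    """True if the bytes carry the ISO9660 magic, whatever the filename claims."""
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + 5] == ISO_MAGIC


def find_hta_names(data: bytes) -> list[str]:
    """Return HTA entry names found in the image's directory data (ASCII and Joliet)."""
    names = {m.group().decode("ascii") for m in _ASCII_HTA.finditer(data)}
    names |= {m.group().decode("utf-16-be") for m in _JOLIET_HTA.finditer(data)}
    return sorted(names)


def triage_message(raw: bytes) -> list[dict]:
    """Inspect every attachment of a raw message and report suspicious findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = os.path.splitext(name)[1]
        payload = part.get_payload(decode=True) or b""
        if ext in SCRIPT_EXTS:
            findings.append({"attachment": name, "reason": "hta-attachment", "entries": []})
        # Check both the extension and the magic so a renamed image is still caught.
        if ext in CONTAINER_EXTS or is_iso9660(payload):
            entries = find_hta_names(payload)
            reason = "iso-with-hta" if entries else "iso-attachment"
            findings.append({"attachment": name, "reason": reason, "entries": entries})
    return findings


def build_sample_iso(entry_names: list[str]) -> bytes:
    """Constructed stand-in for a disk image: a zero-filled buffer with the ISO9660
    magic and directory-record-style name strings. It is not a mountable image;
    it only exercises the triage logic."""
    buf = bytearray(0x10000)
    buf[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + 5] = ISO_MAGIC
    pos = 0x9000
    for name in entry_names:
        for rec in ((name.upper() + ";1").encode("ascii"), name.encode("utf-16-be")):
            buf[pos:pos + len(rec)] = rec
            pos += len(rec) + 2  # gap, as real records have other fields between names
    return bytes(buf)


def build_sample_email(filename: str, content: bytes) -> bytes:
    """Constructed message with one attachment; all addresses are fictitious."""
    msg = EmailMessage()
    msg["From"] = "verkauf@example-autohaus.invalid"
    msg["To"] = "einkauf@example-target.invalid"
    msg["Subject"] = "Kaufvertrag und Rechnung"
    msg.set_content("Anbei der Kaufvertrag zum besprochenen Fahrzeug.")
    msg.add_attachment(content, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    image = build_sample_iso(["Kaufvertrag.hta"])
    samples = [("Kaufvertrag.iso", image),          # container with HTA inside
               ("Rechnung.pdf", image),             # same image, misleading name
               ("Rechnung.pdf", b"%PDF-1.4 constructed")]  # benign
    for fname, blob in samples:
        print(fname, triage_message(build_sample_email(fname, blob)))
```

The rule reports three outcomes: an HTA attached directly, an ISO/IMG that contains HTA entries, and a bare ISO/IMG attachment, which is itself unusual in dealership correspondence and worth a second look even when the scan finds no script name.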
The identity of the masterminds behind the attack is not clear in this case. CPR found certain links to Iranian non-governmental organizations, but it is unclear whether these were legitimate sites that were compromised, or whether there is a deeper connection to this operation.
“We have discovered a targeted attack on German companies, mainly car dealers. The attackers use an extensive infrastructure designed to imitate existing German companies,” notes Yoav Pinkas, security researcher at Check Point Software. “The attackers use phishing emails with a combination of ISO/HTA payloads that infect victims with various malware programs and steal information when opened. We do not have conclusive evidence for the motivation of the attackers, but we believe that it was about more than just the tapping of credit card data or personal information. The targets were carefully selected, and the way the phishing emails were sent allowed for correspondence between the victims and the attackers. One possibility is that the attackers tried to compromise car dealerships and use their infrastructure and data to gain access to secondary targets such as larger suppliers and manufacturers. This would be useful for BEC fraud (business e-mail compromise) or industrial espionage.”
The experts identified the campaign, among other things, by analysing the design and wording of the e-mail traffic: “Social engineering caught our attention, e.g. how the threat actors selected the companies they pretended to be, and also the wording of the e-mails and the attached documents. In this type of attack, the main thing is to convince the recipient of the authenticity of the bait. Simultaneous access to several victims gives the attacker a significant advantage. For example, if two of your subcontractors independently report on an already known topic or a conversation that the target persons have had with you, this will give your request much greater credibility.”