Since July of this year, cybersecurity firm Check Point has been tracking an ingenious form of online fraud that is rapidly spreading across the US, Europe, East Asia and South America. The attackers impersonate dozens of legitimate companies, claiming the victim’s organization has infringed their copyright.
Weaponized emails, which appear to come from the legal representatives of the impersonated companies, accuse the recipient of misusing their brand on the target’s social media page and request the removal of specific images and videos. The phishing emails are typically sent from Gmail accounts and prompt recipients to download an archive file, which then installs the latest version of the Rhadamanthys infostealer (version 0.7) in order to steal critical information from the victim’s organization.
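As an added example (not Check Point's code or detection rules), the following Python helper triages an incoming message against the lure pattern described above: a free-webmail sender, copyright or legal wording, and an archive attachment. The sample messages, domain names and threshold are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Heuristics drawn from the campaign description; constructed, not Check Point's rules.
FREE_WEBMAIL = {"gmail.com"}
ARCHIVE_EXT = (".zip", ".rar", ".7z")
LURE_TERMS = ("copyright", "infring", "legal representative", "remove the image", "remove the video")

def triage_message(raw: bytes) -> dict:
    """Return the lure indicators matched by one raw RFC 822 message.

    A message is marked suspicious when it carries both copyright/legal wording and
    an archive attachment; such mail should go to the IT support desk or CISO.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    body_part = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body_part.get_content() if body_part else "")).lower()
    attachments = [a.get_filename() or "" for a in msg.iter_attachments()]
    indicators = []
    if domain in FREE_WEBMAIL:
        indicators.append("free_webmail_sender")
    if any(term in text for term in LURE_TERMS):
        indicators.append("copyright_lure")
    if any(name.lower().endswith(ARCHIVE_EXT) for name in attachments):
        indicators.append("archive_attachment")
    suspicious = "copyright_lure" in indicators and "archive_attachment" in indicators
    return {"suspicious": suspicious, "indicators": indicators, "sender_domain": domain}

def build_sample(sender: str, subject: str, body: str, attachment_name: str = "") -> bytes:
    """Build a constructed test message; the attachment bytes are a dummy ZIP header."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "social@example-target.test", subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename=attachment_name)
    return m.as_bytes()

# Constructed samples: one matching the lure, one ordinary vendor email.
LURE = build_sample("Legal Department <brand.legal.notice@gmail.com>", "Notice of copyright infringement",
                    "Our client's images and videos appear on your social media page without authorisation. "
                    "Please review the attached evidence and remove the infringing material.",
                    "Infringement_Evidence.zip")
BENIGN = build_sample("Vendor Billing <billing@vendor.example>", "Invoice for October",
                      "Please find this month's invoice summary below.")

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, triage_message(raw))
```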
Almost 70 percent of the companies impersonated in the false copyright-infringement claims are from the entertainment, media and software sectors. According to Check Point Research, this could be because those sectors have a high online presence and are more likely to send such requests. These high-profile sectors also have frequent copyright-related communications, making such phishing attempts appear more credible.
The threat actors are entirely financially motivated
The Rhadamanthys infostealer was first identified as a tool used by teams sponsored by states such as Russia and Iran. But, from the methodology being used and the wide range of victim organizations, it would seem that the current international phishing campaign is entirely financially motivated.
“The campaign’s widespread and indiscriminate targeting of organizations across multiple regions suggests it was orchestrated by a financially motivated cybercrime group rather than a nation-state actor. Its global reach, automated phishing tactics, and diverse lures demonstrate how attackers continuously evolve to improve their success rates,” says Check Point.
The global scale of this phishing campaign and Check Point’s analysis of the lures and targets in this campaign suggest the threat actor uses automation for lure distribution.
“Due to the scale of the campaign and the variety of the lures and sender emails, there is a possibility that the threat actor also utilized AI tools,” says Check Point.
Companies should now inform staff to be particularly wary of unsolicited incoming emails claiming that their copyright has been infringed in the run-up to the Christmas and New Year seasonal break. Any suspicious communications relating to alleged copyright infringement should be forwarded directly to the firm’s IT support desk or the company’s chief information security officer (CISO) for investigation.