Abnormal Attack Stories: Navy Federal Credit Union Phishing

May 18, 2020

Abnormal Security

In this attack, attackers impersonate the US Navy Federal Credit Union to steal victims’ account credentials.

Quick Summary

Platform: Office 365
# Mailboxes: > 70,000
Victims: Employees
Payload: Malicious Link
Technique: Impersonation

What was the Attack?

  • Setup: This attack leverages the current economic crisis individuals are facing due to COVID-19. As individuals are struggling to balance bills, reduced revenue or income, and other costs during these difficult times, financial stimuli such as the stimulus check and the Payment Protection Program are helping people and businesses to alleviate some of their financial burden.
  • Email Attack: The email sent by the attackers claims to be from the US Navy Federal Credit Union, and states that the user has received $1,100 due to the COVID-19 pandemic. The message claims that if the user has not received funds, they must validate their account with the link provided, which directs them to a credential phishing webpage.
  • Payload: The email contains a link to a fake login page hosted at a URL that’s clearly not associated with the Navy Federal Credit Union. However, the landing page appears very similar to the legitimate Navy Federal Credit Union login page.
  • Result: Should recipients fall victim to this attack, their login credentials to their Navy Federal Credit Union account would be compromised. This poses a great risk of financial loss associated with this financial institution.

Why is this attack effective?

  • Concealed URL: The URL where the landing page was hosted was clearly not the real website hosted by the Navy Federal Credit Union. The attacker purposely masks the link with text, and hopes that the appearance of the landing page will convince the victim of its validity.
  • Timing: Given the current pandemic, some individuals would still have been waiting to receive their stimulus check from the government. If the user has not yet received their relief funds, they may be more inclined to believe this email.
  • Vague Language: The attacker sent themselves the email (as seen in the To field of the email attack), while the victim’s email address was placed in the BCC field. The email body itself is vague and contains no personalization. This is a common tactic attackers use to mass-send a campaign: it hides who else was affected by the attack and lets them widen their net of targets.
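The two tells described above (a link whose visible text masks an off-brand host, and a self-addressed message that reached the recipient only via BCC) can be checked mechanically. The following is an added example, not Abnormal Security's detection code; the brand domain, the sample message and all function names are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND_WORDS = ("navy federal",)       # assumption: phrases that signal the brand
BRAND_DOMAINS = ("navyfederal.org",)  # assumption: the brand's legitimate domain
# Constructed sample (not the real message): self-addressed, victim only in BCC.
SAMPLE = """From: Navy Federal Credit Union <notice@mailer.example>
To: notice@mailer.example
Content-Type: text/html; charset=utf-8

<p>Validate your account: <a href="https://login.hosting.example/nfcu">Navy Federal sign-in</a></p>
"""

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # a new anchor resets the text buffer
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def on_brand_domain(host):
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def phishing_signals(raw, delivered_to):
    msg = message_from_string(raw)
    name, sender = parseaddr(msg.get("From", ""))
    seen = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    part = next((p for p in msg.walk() if p.get_content_type() == "text/html"), None)
    body = part.get_payload(decode=True).decode("utf-8", "replace") if part is not None else ""
    links = LinkCollector()
    links.feed(body)
    signals = []
    if any(w in (name + " " + body).lower() for w in BRAND_WORDS):
        for href, text in links.links:
            host = urlsplit(href).hostname or ""  # hostname is already lower-cased
            if host and not on_brand_domain(host) and host not in text.lower():
                signals.append("masked_offbrand_link:" + host)
    # Envelope recipient absent from To/Cc, and the only visible address is the sender.
    if delivered_to.lower() not in seen and seen == {sender.lower()}:
        signals.append("bcc_delivery_self_addressed")
    return signals
```

Here delivered_to is the envelope recipient recorded by the mail gateway, since the BCC header itself is not present in the delivered copy.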

About

Abnormal Attack Stories are real world examples of attacks that we’ve seen in the wild.

Email Attack


Payload


Techniques to Detect

