A phishing campaign reported by BleepingComputer shows threat actors abusing SendGrid's email delivery infrastructure to send phishing emails to UK taxpayers. The emails are spoofed to appear to come from HMRC, the UK's tax authority, and the page they link to is hosted on a compromised website. Routing the messages through SendGrid's infrastructure helped them get past spam filters.
HMRC Phishing Campaign
Her Majesty's Revenue and Customs (HMRC) is the UK's tax authority. Because it is an official government department, an email or letter carrying its branding and asking for personal details will be believed by many citizens, and that trust is exactly what a phishing campaign trades on. Building on this, a threat group has been sending HMRC-themed emails to steal personal data.
As reported to BleepingComputer by a security researcher known as The Analyst, threat actors are abusing SendGrid's email delivery infrastructure to send legitimate-looking phishing emails to citizens. The messages carry an HMRC address in the From header while actually leaving SendGrid's servers (sendgrid.net), so they arrive from infrastructure with an established sending reputation, which helps them get past spam filters.
Hey @SendGrid @LenShneyder get your act together! Now you're letting a TA spoof @HMRCgovuk as sender for #phishing. /sendgrid.net > s/technicalzia.net/tax https://t.co/CaqygOyYKc
CC @NCSC @olihough86 pic.twitter.com/6lcxTmWsQv
— TheAnalyst (@ffforward) December 2, 2020
The phishing page the email links to, https://technicalzia[.]net/tax/, is itself hosted on a compromised website. The form on that page asks citizens for:
- Residential address
- Driving licence number with its issue and expiry dates
- National Insurance number
- Unique Taxpayer Reference (UTR) number
- Passport number and expiry date
The researcher blamed SendGrid's legacy account offering, which threat actors have been exploiting for more than half a year. He said, “In this specific case HMRC has a good DMARC record that makes most recipients just junk them, but when [scammers] spoof other domains that actually have SendGrid in SPF/DMARC it’s much worse.” In other words, a message spoofed as HMRC but sent from SendGrid's servers fails DMARC alignment because HMRC's SPF does not authorise SendGrid, so receivers enforcing HMRC's policy junk it; a domain whose SPF does list SendGrid gets no such protection against abuse coming through the same relay.
SendGrid responded to the researcher's findings, saying it works to keep abusive users off its platform, and asked that any such email mentioning SendGrid be forwarded to [email protected] for investigation.