A phishing campaign reported by BleepingComputer shows threat actors abusing SendGrid's email delivery infrastructure to send phishing emails to taxpayers. The emails are spoofed to appear to come from HMRC, the UK's tax collector, and the phishing page they redirect to is hosted on a compromised website. Sending through SendGrid's delivery infrastructure helped the messages get past spam filters.
HMRC Phishing Campaign
Her Majesty's Revenue and Customs (HMRC) is the UK's tax collector. Because it is an official government department, an email or letter carrying its branding and asking for personal details will be believed by most citizens, and that trust is exactly what a phishing campaign relies on. Exploiting it, a threat group has been sending HMRC-themed emails to steal personal data.
As a security researcher known as The Analyst reported to BleepingComputer, the threat actors are abusing SendGrid's email delivery infrastructure to send legitimate-looking phishing emails to citizens. Placing an HMRC email address in the From field helps the messages bypass spam filters.
Hey @SendGrid @LenShneyder get your act together! Now you're letting a TA spoof @HMRCgovuk as sender for #phishing. /sendgrid.net > s/technicalzia.net/tax https://t.co/CaqygOyYKc
CC @NCSC @olihough86 pic.twitter.com/6lcxTmWsQv
- TheAnalyst (@ffforward), December 2, 2020
The phishing page linked from the email, which the victim is redirected to, is hosted on a compromised website, https://technicalzia[.]net/tax/. The phishing form asks citizens for the following details:
- Name
- DoB
- Residential Address
- Driving license number with the issue and expiry dates
- National Insurance Number
- Unique Taxpayer Reference number and
- Passport number and expiry date.
The researcher blamed SendGrid's legacy account offering, which threat actors have been exploiting for over half a year. He said, "In this specific case HMRC has a good DMARC record that makes most recipients just junk them, but when [scammers] spoof other domains that actually have SendGrid in SPF/DMARC it's much worse."
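The researcher's point about DMARC is easier to see when the receiving side's evaluation is written out. The following is an added example, not code from the article, BleepingComputer, The Analyst or SendGrid: a toy SPF and DMARC evaluator in the style a receiving mail server applies. Every domain, IP range and DNS record in it is constructed for illustration ("esp.example" stands in for a bulk email provider, 198.51.100.0/24 for its sending range), and the SPF parser handles only the ip4, include and all mechanisms. The three scenarios reproduce the quote: a domain with strict SPF and p=reject (the HMRC situation) has the spoofed message rejected, while a domain that includes the provider in its SPF record passes authentication outright, so its DMARC policy never fires.

```python
"""Toy SPF + DMARC evaluator (added example; not the article's or SendGrid's code).

All domains, IP ranges and DNS records below are constructed for illustration.
"""
import ipaddress
from typing import Optional

# Constructed TXT records keyed by name. "esp.example" stands in for a bulk
# email provider; 198.51.100.0/24 is its made-up sending range.
DNS_TXT = {
    "esp.example": "v=spf1 ip4:198.51.100.0/24 -all",
    # Tax authority: only its own servers may send; failures are rejected.
    "taxoffice.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "_dmarc.taxoffice.example": "v=DMARC1; p=reject; aspf=s; adkim=s",
    # Vendor that legitimately sends through the provider, monitoring-only policy.
    "vendor.example": "v=spf1 include:esp.example -all",
    "_dmarc.vendor.example": "v=DMARC1; p=none",
    # Domain that included the provider but never published DMARC at all.
    "shop.example": "v=spf1 include:esp.example ~all",
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain: str, ip: str, depth: int = 0) -> str:
    """Evaluate the domain's SPF record for a sending IP (small subset of RFC 7208)."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    if depth > 10:                       # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER[qual]
        elif term.startswith("include:"):
            # include matches when the referenced domain's record yields pass
            if spf_check(term[8:], ip, depth + 1) == "pass":
                return QUALIFIER[qual]
        elif term == "all":
            return QUALIFIER[qual]
    return "neutral"


def dmarc_record(domain: str) -> Optional[dict]:
    """Parse _dmarc.<domain> into a tag dict, or None when no policy is published."""
    txt = DNS_TXT.get("_dmarc." + domain)
    if not txt or not txt.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    # Simplification: last two labels (real receivers use the Public Suffix List).
    return ".".join(domain.split(".")[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return auth_domain == header_from
    return org_domain(auth_domain) == org_domain(header_from)


def dmarc_evaluate(header_from: str, mail_from: str, sending_ip: str,
                   dkim_domain: Optional[str] = None, dkim_pass: bool = False) -> dict:
    """Combine SPF and DKIM results with alignment and policy, as a receiver would."""
    spf = spf_check(mail_from, sending_ip)
    policy = dmarc_record(header_from)
    if policy is None:
        return {"spf": spf, "dmarc": "none", "disposition": "deliver (no DMARC policy)"}
    spf_ok = spf == "pass" and aligned(mail_from, header_from, policy.get("aspf", "r"))
    dkim_ok = (dkim_pass and dkim_domain is not None
               and aligned(dkim_domain, header_from, policy.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return {"spf": spf, "dmarc": "pass", "disposition": "deliver"}
    disposition = {"none": "deliver (monitor only)", "quarantine": "quarantine",
                   "reject": "reject"}[policy.get("p", "none")]
    return {"spf": spf, "dmarc": "fail", "disposition": disposition}


if __name__ == "__main__":
    ESP_IP = "198.51.100.25"   # constructed: a message leaving the provider's range
    for spoofed in ("taxoffice.example", "vendor.example", "shop.example"):
        # DKIM, if present, is signed by the provider's own domain, so it never aligns
        result = dmarc_evaluate(spoofed, spoofed, ESP_IP, dkim_domain="esp.example", dkim_pass=True)
        print(f"{spoofed:20} spf={result['spf']:8} dmarc={result['dmarc']:5} -> {result['disposition']}")
```

Running the script prints one line per scenario: the tax-office domain ends in reject because neither SPF nor the provider-signed DKIM aligns with the From domain, while the two domains that delegated sending to the provider via include: get an aligned SPF pass and are delivered, one under a p=none policy and one with no policy at all. For a domain owner, the lesson is that DMARC only protects against senders the SPF record does not already authorize; once a third-party provider is included, preventing abuse of that provider's accounts is the provider's job.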
SendGrid replied to the researcher's findings, saying it would work to keep such users off its platform. It also asked that any such emails mentioning SendGrid be forwarded to [email protected] for investigation.