Fake Social Security Statement Emails Trick Users Into Installing Remote Tool

Summary:
A phishing campaign disguised as official communication from the U.S. Social Security Administration has been uncovered, aiming to trick recipients into downloading ScreenConnect, a legitimate remote access tool commonly used for IT support. The campaign was flagged by Malwarebytes’ Customer Support and Research teams and has been attributed to a threat group dubbed Molatori, named after the domains they use to distribute the malicious payload. Victims receive fraudulent emails that closely mimic genuine SSA notifications, claiming their Social Security statement is ready for download. The offered downloads carry deceptive, document-like file names but are actually ScreenConnect installers in disguise.


Once a victim downloads and runs the file, the ScreenConnect client installs silently, giving the attacker full remote access to the computer. From that point, the cybercriminals can operate the system as if they were physically present, executing scripts, transferring files, harvesting credentials, and exfiltrating sensitive data. Victims’ banking details, personal identification numbers, and confidential documents are often targeted, with the attackers’ primary objective being financial fraud and identity theft.


Security Officer Comments:
Several factors contribute to the stealth and success of this campaign. The phishing emails are sent from compromised but otherwise legitimate WordPress websites, making the sender’s domain appear trustworthy and bypassing typical domain reputation checks. Additionally, the emails often embed their content as images rather than text, making it difficult for email scanners to detect malicious intent. Because ScreenConnect, previously known as ConnectWise Control, is a widely trusted application, its use in this context further complicates detection efforts.
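As an added illustration (not code from the Malwarebytes post), the script below turns the three traits described above into a mail-triage heuristic: an SSA-themed subject from a sender outside ssa.gov, a body whose content is carried only by images, and an executable wearing a document-like name. The keyword lists, thresholds and both sample messages are constructed assumptions for this example.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Lure vocabulary and the legitimate sender domain (assumptions for this example).
SSA_THEME = re.compile(r"social security (statement|administration)", re.I)
LEGIT_SENDER = re.compile(r"@ssa\.gov>?\s*$", re.I)
EXEC_EXT = (".exe", ".msi", ".scr")
DOC_LIKE = re.compile(r"statement|document|pdf", re.I)

def triage(raw: bytes) -> list[str]:
    """Return heuristic findings for one RFC 5322 message (empty list = nothing odd)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    text_len, img_count, attachments = 0, 0, []
    for part in msg.walk():
        ctype = part.get_content_type()
        if part.get_filename():                      # named attachment
            attachments.append(part.get_filename())
        elif ctype == "text/html":                   # count <img> tags, measure visible text
            html = part.get_content()
            img_count += len(re.findall(r"<img\b", html, re.I))
            text_len += len(re.sub(r"<[^>]+>", "", html).strip())
        elif ctype == "text/plain":
            text_len += len(part.get_content().strip())
        elif ctype.startswith("image/"):             # inline image without a filename
            img_count += 1
    findings = []
    # 1. SSA branding in the subject, but the sender is not an ssa.gov address
    if SSA_THEME.search(msg.get("Subject", "")) and not LEGIT_SENDER.search(msg.get("From", "")):
        findings.append("ssa_theme_from_non_ssa_sender")
    # 2. Body carries its message as an image with (almost) no scannable text
    if img_count and text_len < 40:
        findings.append("image_only_body")
    # 3. Executable payload wearing a document-like name
    for name in attachments:
        if name.lower().endswith(EXEC_EXT) and DOC_LIKE.search(name):
            findings.append(f"executable_with_document_name:{name}")
    return findings

def build_sample(sender: str, subject: str, html: str, attachment: str = "") -> bytes:
    """Build a constructed test message (not a real campaign artefact)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "recipient@example.com", subject
    m.set_content(html, subtype="html")
    if attachment:  # constructed stub bytes stand in for an installer
        m.add_attachment(b"MZ\x90\x00stub", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()

# Constructed lure in the style described above, and a constructed ordinary message for contrast.
LURE = build_sample("Social Security Administration <alerts@compromised-blog.example>",
                    "Your Social Security Statement is ready",
                    '<html><body><img src="cid:notice"></body></html>', "SocialSecurityStatement.exe")
BENIGN = build_sample("Payroll <payroll@example.com>", "Timesheet reminder",
                      "<p>Please submit your timesheet by Friday. Thanks, Payroll team.</p>")
```

Running `triage(LURE)` yields all three findings, while `triage(BENIGN)` returns an empty list; in production the same checks would run on messages pulled from the mail gateway rather than on constructed samples.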


Suggested Corrections:

When receiving unsolicited emails, there are a few necessary precautions you can take to avoid falling for phishing:
  • Verify the source of the email through independent sources.
  • Don’t click on links until you are sure they are non-malicious.
  • Don’t open downloaded files or attachments until you are sure they are safe.
  • Use an up-to-date and active anti-malware solution.
  • If you suspect an email isn’t legitimate, take a name or some text from the message and put it into a search engine to see if any known phishing attacks exist using the same methods.

IOCs:
https://www.malwarebytes.com/blog/n...mails-trick-users-into-installing-remote-tool

Link(s):
https://www.malwarebytes.com/blog/n...mails-trick-users-into-installing-remote-tool