| The NJCCIC has observed a phishing campaign using multiple lures to capture Google credentials. These emails claim to be hotel reservations, job opportunities, or invitations to digital workspaces, and have subjects such as: |
| Reservation Confirmed Mountain Time Vacation Rentals You Have Been Granted Access to the CW Digital Marketing Workspace Opportunity Social Media Manager at Samsung Electronics Confirmation of Your Reservation at Deep Creek Hotels |
The messages include a link that, after completing a CAPTCHA, directs users to a Google Sites page displaying a fake Google login prompt. Credentials entered on this page are stolen, along with 2FA tokens and session cookies. It uses the Adversary-in-the-Middle (AiTM) technique, leveraging the synchronous relay capabilities of the Tycoon Phishing-as-a-Service (PhaaS) platform to capture credentials in real time.
| Recommendations |
| Exercise caution with communications from known senders or legitimate platforms. Confirm requests from senders via contact information obtained from verified and official sources before taking action, such as clicking on links or opening attachments. Navigate directly to legitimate websites and verify before submitting account credentials, providing personal or financial information, or downloading files. Enable multi-factor authentication (MFA) and keep systems and browsers up to date. If sensitive information was entered, change passwords for compromised accounts, monitor for unauthorized activity, and review the Identity Theft and Compromised PII NJCCIC Informational Report for additional recommendations and resources, including credit freezes. Report malicious cyber activity to the NJCCIC and the FBI’s IC3. |