A report from INKY revealed that pharmaceutical firm Pfizer is being spoofed in a highly targeted phishing campaign that began in August, in an effort to exfiltrate business and financial data, according to BleepingComputer.
Threat actors behind the campaign have been found to use "clean" PDF attachments together with domains that appear to be legitimate online portals of Pfizer and were recently registered via Namecheap. The observed domains include pfizer-nl[.]com, pfizerhtlinc[.]xyz, pfizer-bv[.]org, and pfizertenders[.]xyz.
INKY researchers discovered that attackers commonly send emails with subject lines involving bidding invitations, urgent quotations, and topics related to industrial equipment supply. Attached to the phishing emails is a three-page PDF document containing information commonly found in legitimate quotation requests, such as due dates and payment terms.
While the document itself does not contain malware-dropping links, would-be victims are instructed to send quotes to addresses at the spoofed domains, and any payment information sent to those addresses may be used in future BEC campaigns.
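Because the attachment is clean, the usable signal is the address the recipient is told to reply to. The following is an added example, not code from INKY or BleepingComputer: it classifies From/Reply-To addresses as brand lookalikes when the domain contains the brand string but is not on an allow-list. The allow-list entry `pfizer.com`, the mailbox names and the function names are assumptions made for illustration.

```python
BRAND = "pfizer"
# Assumption: the brand's real mail domains; maintain this list for your own organisation.
LEGIT_DOMAINS = {"pfizer.com"}


def refang(text):
    """Turn a defanged indicator such as pfizer-nl[.]com back into a plain domain."""
    return text.replace("[.]", ".").strip().lower()


def domain_of(address):
    """Return the domain part of an e-mail address (or the input if it has no '@')."""
    return refang(address).rsplit("@", 1)[-1].rstrip(".")


def classify(address, brand=BRAND, legit=LEGIT_DOMAINS):
    """Return 'legitimate', 'lookalike' or 'unrelated' for one address."""
    domain = domain_of(address)
    # Exact match or a true subdomain of an allow-listed domain.
    if any(domain == d or domain.endswith("." + d) for d in legit):
        return "legitimate"
    # Brand string anywhere else in the name: hyphenated, suffixed, or as a
    # subdomain label of a domain the brand does not own.
    if brand in domain:
        return "lookalike"
    return "unrelated"


def triage(addresses):
    """Return only the addresses that should be held for review."""
    return [a for a in addresses if classify(a) == "lookalike"]


# Constructed sample: the four domains named in the report with made-up mailbox
# names, plus constructed legitimate and unrelated senders for contrast.
SAMPLE = [
    "rfq@pfizer-nl[.]com",
    "tenders@pfizerhtlinc[.]xyz",
    "quotes@pfizer-bv[.]org",
    "bids@pfizertenders[.]xyz",
    "procurement@pfizer.com",
    "sales@supplier.example",
    "billing@pfizer.com.portal.example",
]

if __name__ == "__main__":
    for addr in SAMPLE:
        print(f"{classify(addr):<11} {addr}")
```

Run the check against both the From and Reply-To headers, since the quote is requested by reply.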