Iceland fell victim to the largest phishing campaign ever to target the nation, a complex scheme that involved impersonating law enforcement officers.
The attack was tailored specifically for Icelanders. It used a homograph trick to register a lookalike domain imitating the Icelandic Police domain, and it carried a malicious attachment whose name roughly translates to “Called in for questioning by the police on October 30th,” according to Bleeping Computer.
The message claims that non-compliance will result in an arrest warrant. The malware used in the attack is Remcos 2.0.7 Pro, a commercial remote-access tool sold for legitimate administration, which gives whoever controls it full access to the device it runs on.
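The homograph trick relies on Unicode characters from one script (Cyrillic, Greek) that render the same as Latin letters, so the lookalike is only visible in the IDNA/punycode form that the resolver actually sees. The check below is an added example, not code from the article or from the Icelandic police; the protected domain `police.example`, the lookalike, and the small confusables table are all constructed for illustration (the real Unicode confusables list is far larger).

```python
import unicodedata

# Constructed examples, not taken from the article: a stand-in for a protected
# domain and a lookalike in which the Latin "o" is replaced by Cyrillic "о" (U+043E).
PROTECTED_DOMAINS = {"police.example"}
LOOKALIKE = "p\u043elice.example"

# Minimal confusables table (hypothetical subset, not the full Unicode list):
# Cyrillic and Greek letters that render like Latin ones, folded to Latin.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u04bb": "h",
    "\u0456": "i", "\u0458": "j", "\u03bf": "o", "\u03b1": "a",
}


def script_of(ch):
    """Approximate a character's script from the first word of its Unicode name.

    Digits, hyphen and the label separator are treated as script-neutral so that
    'police-2' or 'police.example' is not flagged as mixed-script.
    """
    name = unicodedata.name(ch, "UNKNOWN")
    if name.startswith("DIGIT") or name in ("HYPHEN-MINUS", "FULL STOP"):
        return "COMMON"
    return name.split()[0]


def label_scripts(label):
    return {script_of(c) for c in label} - {"COMMON"}


def is_mixed_script(label):
    """A single DNS label drawing on more than one script is a strong homograph signal."""
    return len(label_scripts(label)) > 1


def to_punycode(domain):
    """ASCII-compatible (xn--) form that the resolver and certificate actually use."""
    return domain.encode("idna").decode("ascii")


def skeleton(domain):
    """Fold confusables onto Latin, strip combining marks, lowercase.

    Two domains with the same skeleton look identical to a human reader.
    """
    folded = "".join(CONFUSABLES.get(c, c) for c in domain)
    decomposed = unicodedata.normalize("NFKD", folded)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


def analyze(domain, protected=PROTECTED_DOMAINS):
    """Return the punycode form, a mixed-script flag, and which protected domain
    (if any) this domain visually impersonates without being identical to it."""
    skel = skeleton(domain)
    impersonates = next(
        (p for p in sorted(protected) if p != domain and skeleton(p) == skel), None
    )
    return {
        "domain": domain,
        "punycode": to_punycode(domain),
        "mixed_script": any(is_mixed_script(label) for label in domain.split(".")),
        "impersonates": impersonates,
    }


if __name__ == "__main__":
    for d in ("police.example", LOOKALIKE):
        print(analyze(d))
```

In a mail gateway or proxy the useful output is the `impersonates` field: a label that folds to a protected brand but is not byte-equal to it should be blocked or rewritten regardless of whether the sender registered it with mixed scripts or an all-Cyrillic label.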
Remcos has since taken action to prevent abuse, as this isn’t the first time its product has been misused: the vendor has revoked the customer license used in the campaign so the software can no longer be operated under it. The firm is also providing assistance in removing the software from victims’ devices.
A link in the phishing message takes victims to a website that imitates the Icelandic police site and prompts them to enter their social security numbers.
Adding to the scam, the attacker is able to check the validity of these numbers, possibly by cross referencing a leaked database, and display an alert prompting a correction in the event of an incorrect SSN.
Those fooled by the attack have been instructed to change all of their passwords and wipe and reinstall their computers.
Researchers noted that the command and control (C2) servers set up to receive stolen data are in Germany and the Netherlands, and law enforcement believes the attacks were carried out by someone familiar with the Icelandic administrative system.
Outpost24 Chief Security Officer Martin Jartelius said that although the attack was neither novel nor hard to perform, it was extremely targeted and involved a greater effort for a smaller audience than is usually seen in these cases.
“The attack itself is primarily targeting home users, so there isn’t much for organizations to do, but overall, the moment security depends on a user clicking or not clicking a link in an email, or on a user making the correct choice not to run software, we as security practitioners have transferred not risk but responsibility to those least prepared and trained to manage it,” Jartelius said.
“If users are well trained not to open attachments from untrusted sources, not to click on phishing emails and follow basic security best practices, they will minimize the risks,” he said. “However, there is no way to be perfectly safe.”
He added that being called in for questioning by the police, let alone receiving such a summons by email, is unlikely.