The motivation behind phishing attack that struck the Indian IT consultancy firm Wipro in April may surprisingly be gift card fraud, according to a new Flashpoint report.
Flashpoint researchers Jason Reaves, Joshua Platt and Allison Nixon said the far-ranging attack that hit dozens of Wipro employees gave the malicious actors access to more than 100 of the company’s computers. In the end, the aim was to obtain the usernames and passwords of encrypted email accounts in order to obtain access to portals managing the account-holders' gift card and rewards programs, the blog said.
What was done with the stolen credentials is unknown.
“We cannot confirm how the credentials were used, only that Wipro has appeared as a target in campaigns,” Reaves and Platt told SC Media.
At this time it is still not known if any Wipro clients were themselves victimized, but cybersecurity execs believe they should be prepared.
“Every Wipro customer should be hyper-aware of the potential of such attacks coming from this previously trusted domain. Employees should be on red alert for any email from this domain until such time as Wipro demonstrates that its email system is rearchitected,” said Mark Bower, chief revenue officer and North American general manager at Egress Software Technologies, at the time of the initial attack.
The researchers also uncovered enough evidence to indicate that those behind this scam had been conducting attacks since at least 2017 and possibly as early as 2015. This conclusion was reached by the threat group’s re-use of content and infrastructure from other attacks. In addition, the gang tapped into a few legitimate sources; for example, the phishing templates used against Wipro were taken from a security awareness training company, which used them to instruct workers on how to avoid phishing scams. Additionally, certain observed malware also links back to earlier attacks.
“Imminent Monitor is associated with previous campaigns conducted in 2017. These campaigns were not necessarily associated with the Wipro incident but associated with the actors that allegedly breached the organization,” Reaves and Platt said.