A sophisticated phishing campaign targeted EPOS Net customers with meticulously crafted emails and a cloned website designed to harvest banking information and OTP data. The attackers leveraged spoofed emails and real EPOS support numbers to create legitimacy and urgency. #EPOSNet #CofensePhishingDefenseCenter
Key points
- The phishing campaign targets EPOS Net customers, the clients of a large Japanese credit card company.
- Emails are meticulously crafted to resemble legitimate EPOS Net communications and include spoofed sender addresses to build trust.
- Recipients are directed to a cloned EPOS Net website via a link in the email to harvest credentials and card details.
- The phishing flow collects username, password, card number, expiry, security code, and the phone number used when applying for the card.
- The attack adds credibility by displaying actual EPOS customer center numbers and later prompts for a one-time password, then redirects to a legitimate-looking EPOS login page.
- Indicators of Compromise include two domains and two IP addresses used in the campaign: eposcp-net[.]3utilities[.]com, ww16[.]eipos[.]caneo[.]info/; 216.144.226.73 and 64.190.63.136.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Link – Victims are directed to a replica site via a link in an email. ‘The phishing email begins by thanking the receiver for their continued patronage of EPOS cards and mentions that EPOS Net monitors card usage to prevent unauthorized use… urging them to check the details via a provided link.’
- [T1036] Masquerading – Spoofed the ‘from’ address to resemble an official EPOS Net email and mimicked the company’s genuine communications. ‘They have spoofed the “from” address to resemble an official EPOS Net email, and the layout of the email mimics that of a genuine communication from the company.’
- [T1056.001] Web Input Capture – The phishing site harvests credentials on a first page and card details on a second. ‘The phishing site requests the user’s username and password and then leads them to a second page that asks for their EPOS card details, including the card number, date of expiry, security code, and the telephone number used when applying for the card.’
Indicators of Compromise
- [URL] Phishing domains – eposcp-net[.]3utilities[.]com and ww16[.]eipos[.]caneo[.]info/
- [IP] Hosting IPs – 216.144.226.73, 64.190.63.136
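To turn the indicators above into a detection, the following added example (not code from the Cofense report) refangs the defanged domains and IPs, then scans log lines for URLs, bare hostnames and IP addresses that match. It goes slightly beyond the list by also matching subdomains of each reported host, while deliberately not matching the shared parent domains (such as the dynamic-DNS parent of the first indicator), which would cause false positives. The log lines are constructed sample input, not data from the campaign.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicators exactly as reported above, in their defanged form.
DEFANGED_IOCS = [
    "eposcp-net[.]3utilities[.]com",
    "ww16[.]eipos[.]caneo[.]info/",
    "216.144.226.73",
    "64.190.63.136",
]

# Constructed sample log lines for demonstration (not real traffic).
SAMPLE_LOGS = [
    "proxy user=alice dst=216.144.226.73 url=http://eposcp-net.3utilities.com/login action=allow",
    "mail from=support@example.test url=https://ww16.eipos.caneo.info/ subject=EPOS",
    "proxy user=bob dst=93.184.216.34 url=https://example.com/ action=allow",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")


def refang(ioc: str) -> str:
    """Turn the report's defanged notation back into a matchable value."""
    value = ioc.strip().replace("[.]", ".").replace("hxxp", "http")
    return value.rstrip("/").lower()


def split_iocs(iocs):
    """Separate refanged indicators into a domain set and an IP set."""
    domains, ips = set(), set()
    for raw in iocs:
        value = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value)
    return domains, ips


def host_matches(host: str, domains) -> bool:
    """Match the reported host or any of its subdomains, never its parent."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_line(line: str, domains, ips) -> set:
    """Return the set of indicators this line touches (empty if clean)."""
    hits = set()
    for url in URL_RE.findall(line):
        host = urlparse(url).hostname
        if host and host_matches(host, domains):
            hits.add(host)
    # Proxy logs often record only the destination host, so check bare hostnames too.
    for token in HOST_RE.findall(line.lower()):
        if host_matches(token, domains):
            hits.add(token)
    for ip in IP_RE.findall(line):
        if ip in ips:
            hits.add(ip)
    return hits


def scan_logs(lines, iocs=DEFANGED_IOCS):
    """Scan every line; return a list of (line_number, hits) for all lines."""
    domains, ips = split_iocs(iocs)
    return [(n, scan_line(line, domains, ips)) for n, line in enumerate(lines, 1)]


if __name__ == "__main__":
    for n, hits in scan_logs(SAMPLE_LOGS):
        status = "HIT " + ", ".join(sorted(hits)) if hits else "clean"
        print(f"line {n}: {status}")
```

The matcher treats each indicator as a host, not a substring, so a visit to a sibling name under the same dynamic-DNS parent is not flagged; add the parent only if your own investigation shows the whole zone is attacker-controlled.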