Alert: Mass credential harvesting phishing campaign active in the UK


The National Cyber Security Centre is investigating an automated, ongoing, widespread credential-harvesting phishing campaign currently affecting the UK.

The campaign has been active since at least July 2018 through various iterations, with a recent spike in reports to the NCSC in early October 2019. It appears to be spreading indiscriminately across a very broad range of UK sectors.
In this campaign, the user receives a phishing email from a legitimate and known email account which has been compromised. Phishing emails were previously sent from contacts in recent email communications with the recipient, and the subject lines often mirrored the most recent email exchange. This created an initial plausibility for the user to trust the email.

More recently, the subject lines include the compromised user’s address-book entry for the recipient of the phishing email. This could be the recipient’s name, the email address, or may just be blank.

The recent iteration of these phishing emails consists of a black ellipsis with a grey highlighted background and a single sentence underneath containing a hyperlink. There are some slight variations in the sentence wording but the four structures currently prevalent include:

- Notification received Open notification.

- Notification received View notification.

- Notification clipped Open notification.

- Notification clipped View notification.

Below is an example screenshot of the current phishing email:

Previous versions of this campaign have included a red, green or blue-coloured button containing text variations of ‘view the message’, prompting the previous name for this campaign ‘RGB’ or ‘Red/Green/Blue Button Phishing Campaign’.

If the user clicks on the hyperlink, a spoofed login webpage appears, which includes the victim organisation’s logo and email address, as well as a password entry form, as shown below. This page is based on the recipient’s domain.

The NCSC is aware that victim accounts have been compromised without a user actually entering any credentials. It is possible that the actor has used password spraying to gain access.

Following compromise, the actors access the accounts remotely (via IMAP) to monitor the victim mailbox and observe the sent items. The account is then accessed a second time to disseminate this phishing email further (via SMTP), using the victim’s address book identified in the previous access.
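
The sequence described above (remote IMAP access to the mailbox, then a later SMTP session that mails the address book) can be looked for in mail-server logs. The following is an added example, not part of the NCSC alert: the log layout, the per-account baseline of known source IPs, and the recipient and time thresholds are all assumptions to adapt to your own environment.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Assumed layout per line:
# timestamp account protocol source_ip recipient_count
SAMPLE_LOG = """\
2019-10-01T08:00:00 alice@example.org IMAP 192.0.2.10 0
2019-10-02T08:05:00 alice@example.org SMTP 192.0.2.10 2
2019-10-03T02:14:00 alice@example.org IMAP 203.0.113.77 0
2019-10-04T03:40:00 alice@example.org SMTP 203.0.113.77 180
2019-10-03T09:00:00 bob@example.org IMAP 198.51.100.5 0
2019-10-03T09:10:00 bob@example.org SMTP 198.51.100.5 3
2019-10-05T11:00:00 carol@example.org IMAP 203.0.113.90 0
2019-10-05T11:30:00 carol@example.org SMTP 203.0.113.90 4
"""

# Assumed baseline: source IPs each account normally connects from.
KNOWN_IPS = {
    "alice@example.org": {"192.0.2.10"},
    "bob@example.org": {"198.51.100.5"},
    "carol@example.org": {"198.51.100.9"},
}

def parse(log_text):
    """Return events as (time, account, protocol, ip, recipients), oldest first."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, account, proto, ip, rcpts = line.split()
            events.append((datetime.fromisoformat(ts), account, proto, ip, int(rcpts)))
    return sorted(events)

def find_suspect_accounts(log_text, known_ips, min_rcpts=50, window=timedelta(days=7)):
    """Flag bulk SMTP sends from an unfamiliar IP that follow unfamiliar IMAP access."""
    last_imap = {}  # account -> (time, ip) of latest IMAP login from an unfamiliar IP
    alerts = []
    for ts, account, proto, ip, rcpts in parse(log_text):
        if ip in known_ips.get(account, set()):
            continue  # traffic from the account's usual locations is ignored
        if proto == "IMAP":
            last_imap[account] = (ts, ip)
        elif proto == "SMTP" and rcpts >= min_rcpts and account in last_imap:
            imap_ts, imap_ip = last_imap[account]
            if ts - imap_ts <= window:
                alerts.append({"account": account, "imap_ip": imap_ip,
                               "smtp_ip": ip, "recipients": rcpts, "sent_at": ts})
    return alerts

if __name__ == "__main__":
    for alert in find_suspect_accounts(SAMPLE_LOG, KNOWN_IPS):
        print(alert)
```

On the constructed sample only the first account is flagged; the third account also has unfamiliar IMAP access but its SMTP send stays below the recipient threshold.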

The NCSC highly recommends that compromised passwords are changed immediately, along with implementation of multi-factor authentication.
