In this latest iteration of “Fresh Phish” by Roger Kay, the focus is on a “Request for Quotation Scam” (RFQ scam) orchestrated by cybercriminals. According to INKY’s analysis, the scam consists of “A fake request for proposal sent from a new or freemail Pfizer look-alike domain.” INKY identified 410 phishing attempts targeting victims, launched between August 15th and December 13th, 2021.

The Request for Quotation Scam

According to INKY, the Request for Quotation scam, or RFQ scam, involves emails that impersonate Pfizer. The emails are sent out en masse from popular freemail accounts such as Ziggo, Outlook, and Gmail. The subject line contains phrases such as RFQ, RFQ URGENT, RFQ URGENT CARE, Request for Supply, Invitation, Invitation to Bid, Pfizer Request for Quotation, or Request for Quotation. The body contains a request for quotes for Pfizer’s industrial supplies. INKY gave two examples of the emails: one containing a supply request for a medical regulator valve, the other for an industrial pump. In both emails, the fraudulent sender asks the victim to supply an item or product of “substantial monetary value,” according to INKY’s findings.

Both emails carried multi-page, fraudulent PDF files that backed up the request. The PDF files contained a “discussion of payment methods and terms,” meaning that the victim would need to share financial details later in the exchange. The victims were instructed to send their quotes back to “email addresses that impersonated Pfizer” such as quotation@pfizersupplychain.com and pfizersupplychain14@outlook.com, both newly created domains.

Analysis of the domains showed that “at least one bad actor was based in Nigeria.” Some of the detected domains included pfizer-nl.com, pfizer-bv.org, pfizerhtlinc.xyz, and pfizertenders.xyz. The domains were created explicitly for phishing scams and were registered with Namecheap, which is “a domain registrar that (helpfully, for the phishers) accepts cryptocurrency as payment.” The analysis also presented irrefutable evidence that the domains were set up for the scam, as they were created “a few days before being put to nefarious use.”

Scam Involves Combination of High and Low-Tech Techniques

The phishing scam used “both high and low-tech to evade anti-phishing radar.” The low-tech part is the email itself and the PDF files, which function as a pure social engineering element “with no poison links or malware in either the attachment or the email itself.” The high-tech part of the scam, however, involved not triggering “rudimentary email defences (i.e., DMARC analysis of DKIM and SPF records).” The brand new domains specifically designed to lure recipients “represented zero-day vulnerabilities” because “they had never been seen before and did not appear in threat intelligence feeds commonly referenced by legacy anti-phishing tools.” The scam is cleverly engineered because it combines the following elements: impersonation of a brand using its official logo, the use of freemail that slips under the radar of most scanners, and the use of fresh domains still unknown to threat intelligence, which lets the messages pass “rudimentary security checks.”

Inconsistencies in Scam

Upon closer analysis, some inconsistencies, such as “different due dates on different pages” in the attached PDF files, indicated something suspicious. Apart from these few inconsistencies, the PDFs were convincing and pointed to work of higher quality than that of an average team of scammers. Other clever details added to the high-tech element of the scam. The domains used, for example Pfizer-bv and Pfizer-nl, were designed to inspire confidence and an air of authenticity in the recipient. The cybercriminals know that Pfizer has offices in the Netherlands, which is why they used “Pfizer-nl.” However, the domains’ suffixes gave the operation away, as Pfizer does not have a Netherlands domain registered as “.nl” but uses “.com” as its legitimate domain instead.

Exact Outcome of Scam Still Unknown

The report indicated that 410 phishing emails were sent between August 15th and December 13th, 2021. The findings led to a conclusion about what the cybercriminals are after. If a victim followed the scam through to the end of the process, either banking details or credentials were harvested via an email or phone exchange, “or the scam runners took the merchandise, never paid for it, and resold it on the black market.” As for the exact outcome of this scam, the report emphasized that INKY “was unable to follow this scam to its conclusion.” The fact that the operation was designed to evade scanners and filters—to leave as little of a digital trail as possible—meant that following the operation at this time is difficult. Although INKY’s security filters were able to flag the malicious emails, there is a high probability that this scam will continue to slip under the radar of traditional email platforms. Two points are worth remembering. First, “large enterprises like Pfizer do not typically send out cold emails to solicit bids for projects.” Second, any RFQ request received via email should be cross-checked with Pfizer through a known contact, and users should be especially suspicious of senders who use freemail domains.
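The traits described above (a freemail or look-alike sender domain, a domain registered only days before the message, an RFQ-style subject line, and a link-free PDF that carries the whole social-engineering payload) can be turned into a simple triage rule. The script below is an added example, not INKY’s code or anything from the report. The registration dates, the ziggo.nl freemail domain, the pfizer.com legitimate domain, the 30-day “fresh domain” threshold and the sample messages are all constructed assumptions; a real deployment would replace the lookup table with an RDAP/WHOIS query. Note that passing SPF, DKIM and DMARC results are deliberately not counted as evidence of legitimacy, because a phisher’s own freshly registered domain passes those checks for the mail it sends.

```python
"""Triage heuristics for brand-impersonating RFQ emails (added example)."""
import re
from dataclasses import dataclass, field
from datetime import date

IMPERSONATED_BRAND = "pfizer"
LEGITIMATE_DOMAINS = {"pfizer.com"}                          # assumption: the brand's real mail domain
FREEMAIL_DOMAINS = {"outlook.com", "gmail.com", "ziggo.nl"}  # ziggo.nl is an assumption
NEW_DOMAIN_DAYS = 30                                         # assumption: younger than this is "fresh"
RFQ_SUBJECT = re.compile(
    r"\b(rfq|request for (quotation|supply)|invitation to bid)\b", re.IGNORECASE)

# Constructed stand-in for an RDAP/WHOIS lookup: domain -> registration date.
REGISTRATION_DATES = {
    "pfizersupplychain.com": date(2021, 11, 20),
    "pfizer-nl.com": date(2021, 9, 2),
    "pfizer.com": date(1993, 1, 1),   # placeholder; only needs to be "old"
}


@dataclass
class Message:
    sender: str
    subject: str
    received: date
    attachments: list = field(default_factory=list)  # (filename, contains_links)
    auth_results: str = ""  # e.g. "spf=pass dkim=pass dmarc=pass"; never lowers the score


def triage(msg: Message) -> list:
    """Return the list of suspicious traits found in the message."""
    reasons = []
    local_part, domain = msg.sender.lower().rsplit("@", 1)

    # Sender domain: freemail, or a look-alike that merely contains the brand name.
    if domain in FREEMAIL_DOMAINS:
        reasons.append(f"freemail sender domain {domain}")
        if IMPERSONATED_BRAND in local_part:
            reasons.append(f"brand name '{IMPERSONATED_BRAND}' in freemail local part")
    elif IMPERSONATED_BRAND in domain and domain not in LEGITIMATE_DOMAINS:
        reasons.append(f"look-alike domain {domain} is not a known {IMPERSONATED_BRAND} domain")

    # Domain age: the report's domains were registered days before use.
    registered = REGISTRATION_DATES.get(domain)
    if registered is not None:
        age = (msg.received - registered).days
        if age < NEW_DOMAIN_DAYS:
            reasons.append(f"domain registered {age} days before receipt")

    # Subject line matching the RFQ lures listed in the report.
    if RFQ_SUBJECT.search(msg.subject):
        reasons.append("RFQ-style subject")

    # A PDF with no links is not "safe"; here it is the social-engineering payload.
    for name, contains_links in msg.attachments:
        if name.lower().endswith(".pdf") and not contains_links:
            reasons.append(f"link-free PDF attachment {name}")

    return reasons


def verdict(msg: Message) -> tuple:
    """Two or more independent traits are enough to route the mail for review."""
    reasons = triage(msg)
    return ("suspicious" if len(reasons) >= 2 else "ok", reasons)


# Constructed sample messages modelled on the report's description.
SAMPLES = [
    Message("quotation@pfizersupplychain.com", "Pfizer Request for Quotation",
            date(2021, 11, 24), [("RFQ.pdf", False)], "spf=pass dkim=pass dmarc=pass"),
    Message("pfizersupplychain14@outlook.com", "RFQ URGENT",
            date(2021, 12, 1), [("Request.pdf", False)], "spf=pass dkim=pass dmarc=pass"),
    Message("procurement@pfizer.com", "Q3 supplier newsletter", date(2021, 12, 1)),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        label, why = verdict(sample)
        print(f"{sample.sender}: {label}")
        for reason in why:
            print(f"  - {reason}")
```

Both constructed phishing samples come back “suspicious” on four traits each even though their authentication results all read “pass”, while the legitimate-domain sample produces no findings; the point is that DMARC alignment tells you who sent the mail, not whether that sender is the brand it claims to be.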
