Widespread attempts to steal login credentials from organizations, leaving cybersecurity professionals on high alert.
Attack on Zimbra Collaboration email servers
An ongoing phishing campaign has been detected, aiming to steal login credentials from Zimbra Collaboration email servers utilized by organizations worldwide. The phishing attempts began surfacing in April, and the identity of the perpetrators remains concealed.
Details of the Campaign:
- Geographical Scope: The phishing emails have targeted organizations primarily in Latin America, Russia, Europe, and Asia. According to Bleepingcomputer, referencing a report from cybersecurity firm ESET, there doesn’t seem to be a specific focus on any particular sector or type of organization.
- Deceptive Emails: The initial point of contact is a phishing email that masquerades as an official communication from the recipient’s organization. This email urges the user to open an HTML file, which supposedly provides information about a server upgrade and warns about impending account deactivation if not acted upon.
- Impersonation Tactics: Upon opening the HTML file, users are presented with a convincingly fake Zimbra login screen, complete with the logo and the name of the targeted organization. Notably, the username field is pre-filled, requiring the user only to input their password. Once entered, the password is sent to the malicious actor through an HTTPS POST request.
- ESET’s Insights: ESET described the scale of the campaign’s reach and the number of successful phishing attempts as “impressive”. They have also issued a warning to Zimbra users to remain cautious. It’s worth noting that Zimbra has become an increasingly popular target for cyber adversaries.
- Heightened Risks: This campaign showcases the evolving sophistication of phishing techniques. The use of organization-specific branding in the phishing pages and pre-filled usernames are tactics to increase the likelihood of victims entering their passwords.
- Role of Zimbra: As Zimbra Collaboration email servers continue to gain traction, they are simultaneously drawing the attention of cyber attackers. Organizations using this platform must be increasingly vigilant and proactive in their cybersecurity measures.