Cybercriminals are harvesting credentials for various online services

Apr 9, 2014 13:43 GMT

Phishers are trying to trick users into handing over their email account username and password with the aid of bogus newsletter emails.

The malicious notifications spotted by Hoax Slayer carry the subject line “Vital Newsletter” and they read something like this: “Hello, I uploaded this vital newsletter using my google doc. For immediate access CLICK HERE. Sign in with your email.”

The link doesn’t point to a legitimate email service, but to a phishing website where users are asked to enter their credentials. The cybercriminals are not targeting a specific type of email account. Instead, they allow victims to select between several services, including Yahoo, Gmail, Windows Live and AOL.

The information entered on the phishing site is sent to a server controlled by the attackers. The cybercrooks can later use the information to hijack accounts and abuse them for other malicious operations.

If users don’t have two-factor authentication (2FA) enabled, their accounts can be easily compromised. Most of those who fall for such a phish probably don’t know much about security, so they most likely don’t have 2FA enabled.

A similar phishing scam was spotted last week by experts from Trusteer. It’s clear that these types of schemes are still successful, which is why users are advised to be cautious when they come across suspicious emails.