In this attack, an employee was targeted with an email purporting to come from Square and announcing a $950 award for the previous month's sales. The email was sent from an account whose username referenced Square, and the sender's display name was modified so the message appeared to come directly from Square. The attacker BCC'd all of the recipients, hiding the full distribution list from each of them.

Square Phishing Email

Had the recipient clicked the link in the email, they would have been sent to a phishing page that mimicked the Square login page and was hosted on a compromised domain.

Square Phishing Page

Why It Bypassed Traditional Security

The URL in the email had not previously been flagged as malicious, so it passed tools that rely on known-bad indicators. Likewise, the address the attacker sent from had no prior history as a malicious sender.

Detecting the Attack

Stopping attacks that use never-before-seen URLs requires a behavioral system. By understanding the intent of the link, together with other signals drawn from content analysis, a cloud email security platform can recognize when an email is likely malicious. The fact that every recipient was BCC'd is another signal: it is a common pattern when attackers send the same attack to many recipients.
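The three signals described on this page (hidden recipient list, a display name or username referencing a brand the sender's domain does not belong to, and a login link pointing outside that brand's domains) can be checked directly on a raw message. This is an added example, not Abnormal's detection logic; the brand domain allow-list and both sample emails are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical allow-list of the brand's legitimate domains (an assumption, not a vetted list).
BRAND_DOMAINS = {"square": {"squareup.com", "square.com"}}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def _host_matches(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def brand_impersonation_signals(raw_message):
    """Return the names of the page's signals that fire on one RFC 822 message."""
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    local_part, _, sender_host = sender.lower().rpartition("@")
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    signals = []
    # Signal 1: recipient list hidden (everyone BCC'd; To is empty, a group, or the sender).
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    if not to_addr or "undisclosed" in msg.get("To", "").lower() or to_addr == sender.lower():
        signals.append("hidden_recipient_list")
    # Signals 2 and 3: the display name or username claims a brand whose domains the
    # sender does not use, and links in the body lead outside that brand's domains.
    for brand, legit in BRAND_DOMAINS.items():
        if brand not in display_name.lower() and brand not in local_part:
            continue
        if not _host_matches(sender_host, legit):
            signals.append("brand_sender_domain_mismatch")
        link_hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)}
        if any(h and not _host_matches(h, legit) for h in link_hosts):
            signals.append("brand_link_domain_mismatch")
    return signals

# Constructed sample modelled on the page's description, not the real attack email.
PHISH = """From: "Square Payouts" <square.rewards@mail-notify.example>
To: undisclosed-recipients:;
Subject: Your $950 sales award is ready

Congratulations on last month's sales! Claim your award: http://secure-login.compromised-site.example/square/signin
"""

# Constructed benign sample: brand in the display name, but sent from and linking to its own domain.
LEGIT = """From: "Square" <no-reply@squareup.com>
To: employee@company.example

View your summary at https://squareup.com/dashboard
"""
```

Running `brand_impersonation_signals(PHISH)` fires all three signals, while the benign sample fires none; in practice these would feed a scoring model rather than block on their own.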

Risk to Organization

Had an employee entered credentials into the phishing page, the attackers would have gained full access to that employee's Square account. From there they could change the bank details linked to the account and divert funds from legitimate transactions. If the Square account is also linked to a company bank account, the targeted company could be directly affected as well.

Analysis Overview

Vector: Link-based
Goal: Credential Theft
Tactic: BCC Recipient List
Theme: Employee Incentive
Impersonated Brands: Square
