An ongoing phishing campaign impersonates popular brands, such as Unilever, Disney, MasterCard, LVMH, and Uber, in Calendly-themed lures to steal Google Workspace and Facebook business account credentials.
Although threat actors targeting business ad manager accounts isn't new, the campaign discovered by Push Security is highly targeted, with professionally crafted lures that create conditions for high success rates.
Access to marketing accounts gives threat actors a springboard to launch malvertising campaigns for AiTM phishing, malware distribution, and ClickFix attacks.
Also, ad platforms allow geo-targeting, domain filtering, and device-specific targeting, enabling "watering-hole"-style attacks.
Ultimately, compromised marketing accounts can be resold to cybercriminals, so direct monetization is always a valid option.
Google Workspace accounts also often extend to enterprise environments and business data, especially via SSO and permissive IdP configurations.
Calendly phishing
Calendly is a legitimate online scheduling platform where the organizer of a meeting sends a link to the other party, allowing recipients to pick an available time slot.
The service has been abused in the past for phishing attacks, but the use of well-known brands to exploit trust and familiarity is what elevated this campaign.
The attack starts with the threat actor impersonating a recruiter for a well-known brand and then sending a fake meeting invitation to the target. The recruiters are legitimate employees who are also impersonated on the phishing landing pages.