Bad guys exploiting the COVID-19 pandemic is nothing new under the sun. However, the newest highly-targeted phishing campaign impersonating Pfizer in fake requests for quotation takes things to another level.
COVID-19 Phish Impersonating Pfizer
Scammers have found yet another way to profit off the pandemic. This time, they’re posing as the pharmaceutical giant to steal business and financial data from victims.
Pfizer is a reputable, well-known company with extensive publicity for producing one of the few mRNA vaccines available for the disease.
Threat actors usually use popular and trusted brand names to carry out their phishing schemes. This way, they are more likely to succeed than if they impersonated a fictional company.
A fresh report from security firm INKY explains that phishers are pretending to be Pfizer in a targeted phishing email operation, which started around August 15.
“Between Aug. 15 and Dec. 13, INKY detected 410 phishing emails that impersonated pharmaceutical and biotechnology giant Pfizer’s brand in a run of request-for-quotation (RFQ) scams,” the report states.
The scammers who operate this campaign are thorough with their work: they are mixing ‘clean’ PDF attachments with newly registered domains that look like legitimate Pfizer online spaces.
Then, they circumvent email security filters by spawning email accounts from these domains.
The new domains were registered through the Namecheap platform, which accepts cryptocurrency as a payment method, allowing the scammers to stay anonymous.
Here are some of the domains that INKY found:
The first one, pfizer-nl[.]com, may seem to be the official online portal of Pfizer Netherlands. The company does have an office in that country, which helps trick the recipient into believing the email actually comes from the company.
Eye-Catching Subject Lines
Right off the bat, the message starts with a subject line involving urgent quotations, invitations to bid, and industrial equipment supply-related topics, which catch the recipient’s attention.
“Here is a sample of subject lines used in the phishing emails:
- Request For Quotation
- Pfizer Request For Quotation
- RFQ URGENT
- RFQ URGENT CARE
- Request for Supply
- Invitation to Bid”
Here’s one of those emails:
Amid the galloping spread of newly-discovered coronavirus variants, phishers don’t have to do much to instill a sharp sense of urgency with their malicious emails.
In the majority of attacks observed by INKY researchers, the actors use a professional-looking PDF file discussing due dates, payment terms, and other information that a legitimate request for quotation involves.
The PDF attachment is not poisoned with malicious links that would raise suspicion on email filters and doesn’t contain any typos or grammar errors that would make the scam obvious.
Then, the targets are asked to send their quotes to the spoofed Pfizer domain addresses, such as quote@pfizerbvl[.]com or quotation@pfizersupplychain[.]com.
While experts cannot put their finger on the campaign’s specific goal yet, the fact that payment terms are detailed in the PDF file is a good indication that the scammers will ask the recipient to provide their banking information at some point in the scheme.
If the victim does share payment details, they could be used in future BEC attacks targeting the company’s customers.
Also, the operators don’t demand personal information on first contact, which allows them to earn some of the recipient’s trust.
Replying to these malicious emails draws the victim further into the deception, as they are then hoping to score a lucrative deal with a prestigious company.
If you receive emails with unusual bidding requests, it is always best to contact the company at the official number listed on its website and double-check with them.
If the person who contacted you via email does not work at the company or is unaware of these emails, you can report them, delete them, and move on with your day.
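For mail administrators, the pattern described in this article (brand name embedded in a non-official sender or reply domain, paired with an RFQ-style subject) can be checked automatically. The sketch below is an added example, not code from INKY or Bleeping Computer; the allowlist, the verdict names and the `.example` sample domains are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

BRAND = "pfizer"
OFFICIAL_DOMAINS = {"pfizer.com"}  # assumption: extend with the brand's other real domains
# Patterns built from the sample subject lines quoted in the article.
RFQ_SUBJECT = re.compile(r"request for (quotation|supply)|\brfq\b|invitation to bid", re.I)

def is_official(domain):
    return any(domain == d or domain.endswith("." + d) for d in OFFICIAL_DOMAINS)

def check_address(header, value):
    """Return a finding string if the address impersonates BRAND, else None."""
    name, addr = parseaddr(value or "")
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if not domain or is_official(domain):
        return None
    if BRAND in domain.replace("-", ""):
        return f"{header}: lookalike domain {domain}"
    if BRAND in name.lower():
        return f"{header}: display name claims {BRAND} but domain is {domain}"
    return None

def assess(raw_message):
    """Return (verdict, findings) for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = [f for h in ("From", "Reply-To") if (f := check_address(h, msg.get(h)))]
    if not findings:
        return "pass", []          # an RFQ subject alone is ordinary business mail
    if RFQ_SUBJECT.search(msg.get("Subject", "")):
        findings.append("RFQ-style subject")
        return "quarantine", findings
    return "review", findings

# Constructed sample messages; the .example domains are hypothetical, not real indicators.
SAMPLES = {
    "lookalike": "From: Pfizer Procurement <quote@pfizer-rfq.example>\n"
                 "Subject: RFQ URGENT\n\nPlease see attached PDF.",
    "display_name": "From: Pfizer Purchasing <sales@freemail.example>\n"
                    "Reply-To: quotation@pfizersupply.example\n"
                    "Subject: Invitation to Bid\n\nQuote requested.",
    "official": "From: Supplier Relations <buyer@pfizer.com>\n"
                "Subject: Request For Quotation\n\nHello.",
    "unrelated": "From: Alice <alice@vendor.example>\n"
                 "Subject: Request for Supply\n\nHi.",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, assess(raw))
```

Because the PDF attachments in this campaign carry no malicious links, the check relies only on headers; a domain-age lookup for the sender domain would be a natural additional signal.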
Source: Bleeping Computer, “Phishing attacks impersonate Pfizer in fake requests for quotation”