UK work visa sponsors are target of phishing campaign
Mimecast identifies a phishing campaign targeting UK organisations that sponsor migrant workers and students, opening the door to account compromise and visa fraud
Cyber criminals are exploiting Home Office branding in a newly identified phishing campaign that targets holders of UK immigrant sponsor licence holders participating in the government’s Sponsorship Management System (SMS).
The SMS is designed for employers sponsoring visas in the Worker and Temporary Worker categories, and institutions sponsoring visas in the Student and Child categories. It is used primarily to manage the creation and assignment of sponsorship certificates for prospective employees or students, and to report changes of circumstances for sponsored immigrants.
The unidentified actors behind the campaign, which was identified by Samantha Clarke, Hiwot Mendahun and Ankit Gupta of the Threat Research Team at email security specialist Mimecast, seem primarily to be seeking to compromise credentials for downstream financial exploitation and data theft.
“This campaign represents a significant threat to the UK immigration system, with attackers seeking to compromise access to the Sponsorship Management System for extensive financial and data exploitation,” the team said.
“The threat actors deploy fraudulent emails impersonating official Home Office communications, typically sent to general organisational email addresses with urgent warnings about compliance issues or account suspension. These messages contain malicious links that redirect recipients to convincing fake SMS login pages designed to harvest User IDs and passwords.”
The systematic campaign starts with phishing emails that at first glance will appear to the target to closely mimic a genuine Home Office notification. These messages present as urgent notifications or system alerts requiring prompt attention, but in reality, direct users to fake login pages to capture the victims’ SMS credentials.
A deeper technical analysis by the Mimecast team found the perpetrators are using captcha-gated URLs as an initial filtering mechanism, followed by redirection to the attacker-controlled phishing pages, a direct clone of the genuine article – complete with pilfered HTML, links to official UK government assets and minimal albeit critical changes to the form submission process.
“The threat actors demonstrate advanced understanding of government communication patterns and user expectations within the UK immigration system,” said the team.
What is the goal of the phishing attack?
The goal of the phishing attack appears to be twofold, targeting both organisations legitimately sponsoring immigrants to the UK, and the immigrants themselves.
Once they have compromised their primary victims’ SMS credentials, the attackers pursue multiple different monetisation objectives, said the Mimecast team. Chief among these appears to be the sale of access to compromised accounts on dark web forums to facilitate the issuance of fake Certificates of Sponsorship (CoS), and to conduct extortion attacks on the organisations themselves.
However, a murkier – and potentially more lucrative – avenue for exploitation involves the creation of fake job offers and visa sponsorship schemes.
Computer Weekly understands that some downstream victims seeking to move to the UK have been defrauded of up to £20,000 by the cyber criminals for seemingly legitimate visas and job offers that never materialise.
Next steps
For Mimecast customers that may be at risk from this phishing campaign, the firm has already implemented comprehensive detection capabilities enabling its email security platform to detect and block incoming emails associated with it, and is continuing to monitor for any developments.
In general, organisations using the SMS service should consider taking the following steps:
- Deploy email security capabilities to detect government impersonation and suspicious URL patterns, and implement URL rewriting and sandboxing to analyse links prior to user interaction.
- Establish and enforce multifactor authentication (MFA) on SMS access, rotate these credentials frequently and monitor SMS accounts for strange access patterns or login locations that don’t add up.
- Engage those with access on genuine Home Office communications and official email domains, emphasising the importance of verifying urgent notifications before taking action, coupled with general phishing-awareness training and simulations.
- Set up verification procedures for SMS-related communications, incorporate SMS compromise into incident response protocols and, where possible, segregate SMS duties to ward off single-point-of-failure scenarios.
The Home Office has been contacted for comment.
