EN
EN DE
EN
EN DE
Contact Us
Sign Up
Topics
Finance & insurance
Trade
Industry
IT & Consulting
Tourism
Transport
Law
Public

Hackers Mimic Social Security Administration To Deliver ConnectWise RAT

0
Share:

A phishing campaign spoofing the United States Social Security Administration emerged in September 2024, delivering emails with embedded links to a ConnectWise Remote Access Trojan (RAT) installer.

These emails, disguised as updated benefits statements, employed various techniques, including mismatched links and “View Statement” buttons, to deceive recipients.

It initially leveraged ConnectWise infrastructure for its command and control (C2) but later transitioned to dynamic DNS services and threat actor-hosted domains.

Observed activity increased significantly in early to mid-November, peaking around Election Day, suggesting a potential connection to the political climate.

Threat actors are employing sophisticated brand spoofing tactics in email campaigns targeting individuals, which leverage recognizable assets like logos from legitimate entities, such as the Social Security Administration, to create an illusion of authenticity.

By embedding deceptive links that mimic official government webpages, these emails aim to trick recipients into clicking.

This can lead to malware infections or data theft, underscoring the increasing sophistication of cyber threats and the importance of robust cybersecurity measures for individuals and organizations.

<img class="i-amphtml-intrinsic-sizer" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; outline: 0px; font-size: 18px; vertical-align: baseline; background: transparent; max-width: 100%; display: block !important; object-fit: contain;" role="presentation" src="data:;base64,” alt=”” aria-hidden=”true” />
A sample Social Security Administration-spoofing email using branded image assets

Through the use of a deceptive, one-time-use mechanism, the embedded link is able to redirect users to a ConnectWise RAT installer when they initially access the link.

However, subsequent attempts to access the same link redirect the user to a legitimate Social Security Administration website, suggesting the use of browser cookies to track previous visits.

By setting a cookie during the first access, the system distinguishes between initial and repeat attempts.

This effectively limits the malicious payload delivery to a single instance per user, making analysis more challenging and increasing the difficulty of identifying and mitigating the threat.

<img class="i-amphtml-intrinsic-sizer" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; outline: 0px; font-size: 18px; vertical-align: baseline; background: transparent; max-width: 100%; display: block !important; object-fit: contain;" role="presentation" src="data:;base64,” alt=”” aria-hidden=”true” />
When accessing the link on subsequent attempts, the site redirects to an official Social Security site.

Threat actors deploy credential phishing campaigns utilizing social engineering techniques as they craft emails mimicking legitimate entities (e.g., the Social Security Administration) to lure victims into clicking on malicious links.

According to Cofense Intelligence, these links often lead to websites disguised as official portals requesting sensitive personal information. Data, including PII, financial details, and security questions like a mother’s maiden name, is harvested for identity theft and account takeover.

The phishing pages may also include malicious downloads such as Remote Access Trojans (RATs), granting attackers remote control over the victim’s device.

This enables threat actors to compromise accounts, steal funds, and potentially exploit the victim’s digital footprint further.

Source

Leave a Comment

Your email address will not be published. Required fields are marked *

loader-image
London, GB
10:27 am, Jan 15, 2025
weather icon 9°C
L: 9° | H: 10°
overcast clouds
Humidity: 93 %
Pressure: 1035 mb
Wind: 2 mph
Wind Gust: 0 mph
UV Index: 0
Precipitation: 0 mm
Clouds: 100%
Rain Chance: 0%
Visibility: 9 km
Sunrise: 7:59 am
Sunset: 4:20 pm
DailyHourly
Daily ForecastHourly Forecast
Today 9:00 pm
weather icon
9° | 10°°C 0 mm 0% 3 mph 98 % 1034 mb 0 mm/h
Tomorrow 9:00 pm
weather icon
5° | 9°°C 0 mm 0% 5 mph 96 % 1035 mb 0 mm/h
Fri Jan 17 9:00 pm
weather icon
3° | 7°°C 0 mm 0% 4 mph 93 % 1036 mb 0 mm/h
Sat Jan 18 9:00 pm
weather icon
2° | 7°°C 0 mm 0% 3 mph 89 % 1033 mb 0 mm/h
Sun Jan 19 9:00 pm
weather icon
2° | 6°°C 0 mm 0% 4 mph 89 % 1024 mb 0 mm/h
Today 12:00 pm
weather icon
9° | 9°°C 0 mm 0% 2 mph 91 % 1034 mb 0 mm/h
Today 3:00 pm
weather icon
9° | 9°°C 0 mm 0% 3 mph 90 % 1033 mb 0 mm/h
Today 6:00 pm
weather icon
7° | 7°°C 0 mm 0% 3 mph 97 % 1034 mb 0 mm/h
Today 9:00 pm
weather icon
6° | 6°°C 0 mm 0% 3 mph 98 % 1034 mb 0 mm/h
Tomorrow 12:00 am
weather icon
6° | 6°°C 0 mm 0% 3 mph 96 % 1034 mb 0 mm/h
Tomorrow 3:00 am
weather icon
5° | 5°°C 0 mm 0% 3 mph 95 % 1033 mb 0 mm/h
Tomorrow 6:00 am
weather icon
5° | 5°°C 0 mm 0% 3 mph 96 % 1034 mb 0 mm/h
Tomorrow 9:00 am
weather icon
5° | 5°°C 0 mm 0% 3 mph 96 % 1034 mb 0 mm/h
Weather from OpenWeatherMap
Name Price24H (%)
Bitcoin(BTC)
€93,945.58
0.00%
Ethereum(ETH)
€3,110.21
-0.60%
XRP(XRP)
€2.74
9.37%
Tether(USDT)
€0.97
-0.01%
Solana(SOL)
€181.37
-0.62%
Dogecoin(DOGE)
€0.343584
0.74%
USDC(USDC)
€0.97
0.00%
Shiba Inu(SHIB)
€0.000020
-1.33%
Pepe(PEPE)
€0.000016
-1.99%
Peanut the Squirrel(PNUT)
€0.54
-9.23%
Know and monitor IT vulnerabilities with just one click before it is too late.

Utility link

Useful link

Newsletter

Follow Us

Facebook Twitter Youtube Linkedin

© 2025 risikomonitor.com gmbh

Scroll to Top