Whenever Rishsec spots a new Bugcrowd Relay email quietly sitting in her spam folder, her instinct is immediate — “Let’s investigate.”
Blue cap on, Threat Intelligence mode: switched on.
Welcome to my blog — back after a short break. Today, we’re taking a closer look at the latest updates in Bugcrowd Relay scams. In case you missed it, I’ve linked the previous blog where we discussed the reasons behind these emails and broke down their methodology.

This time, we’re going a step further — comparing the newly evolved themes and analyzing which ones are psychologically more likely to succeed. It’s a fascinating shift, and it says a lot about how tactics evolve over time.
Without further delay, let’s dive right in.
Different themes:
To summarize, we saw four different themes: one proposing a quote for purchase, one about a lawsuit suggesting out-of-court mediation, one impersonating the Brazilian Federal Revenue, and one about jackpots. I believe there are more themes, but I’ll probably keep them for blog #3.
Theme 1: Quote and Invoices
Every email’s subject line starts with the original sender’s email address, relayed via this bug bounty platform, then my email address, followed by the intended subject as it was meant to appear. For the other themes I’ve quoted the subject lines as text, because redacting the screenshots was too much work.

Figure 1: Email body format of the relayed phishing theme.
Let’s start discussing some interesting pointers for this theme:
- A quote number is included (possibly doubling as a victim number, to keep track of who responds?).
- It requests your PIX keys for payment. A PIX key is a unique identifier used in Brazil’s instant payment system, PIX, to simplify payments. It’s like a nickname for your bank account that you can use instead of entering full banking details. PIX keys can be your phone number, email address, CPF (taxpayer ID), CNPJ (company tax ID), or a random key.
- Other references to the domain used in this campaign show it prompting random users to download various applications, namely Android Studio, WinRAR, etc. The URL strings are in a Latin American language.
- This indicates that more and more users are being targeted, irrespective of region and presence, while the cybercriminals’ origin is clear.

Figure 2: Phishing link cleverly embedded in the body of the email.
Theme 2: Legal action from the clients of my company.
Firstly, this is clearly a scam: 88 clients of my company? As I don’t own a company, yet, it suggests poor reconnaissance. The 48-hour waiting period is also a typical tactic to pressure victims. The sender appears to have no legitimate connection to the company they’re supposedly representing.

Figure 3: I don’t even have 88 clients of my company, yet.
Theme 3: Phishing emails targeting Brazilian Federal Revenue
They mention a deadline to pay income taxes, though I don’t have a source of income, yet! However, things get interesting here: the link leads to a chatbot hosted on an AWS instance. Currently this page redirects to error[.]php, served from IP 165[.]154[.]213[.]117.

Figure 4: Phishing emails relayed while impersonating the Brazilian federal government.
Theme 4: Jackpot Foundation, Anyone?
In this case a news piece was leveraged to spread the phishing campaign and build credibility, which can trick even suspicious people who perform a quick online check. The email came from one domain and redirects victims to another.
As usual, we know why there is a winner code (to track the responding victims, of course), and lastly, wherever money or financial transactions are involved, the goal is likely to harvest your sensitive information and financial details.

Figure 5: Phishing emails impersonating Mrs. Mavis Wanczyk, winner of Powerball Jackpot.
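As an added defender-side example (my own code, not from the original post or from the relay platform), here is a small triage script that flags the lure markers discussed across the four themes: the relayed subject shape, tracking codes such as quote or winner numbers, and links that lead off the sender’s domain. The subject format and the sample emails are constructed assumptions, not the real messages.

```python
import re
from urllib.parse import urlparse

# Lure indicators for the four relayed themes. Heuristic patterns constructed
# for this example; they are not the post's IOCs.
THEME_PATTERNS = {
    "quote_invoice": [r"\bquote\s*(?:no\.?|number|#)?\s*[:#]?\s*\d{3,}", r"\bpix\s+key", r"\binvoice\b", r"\bpayment\b"],
    "legal_action":  [r"\blawsuit\b", r"\bout[- ]of[- ]court\b", r"\bmediation\b", r"\b\d+\s+clients\b", r"\b48\s*hours?\b"],
    "tax_deadline":  [r"\bincome\s+tax", r"\bfederal\s+revenue\b", r"\breceita\s+federal\b", r"\bdeadline\b"],
    "jackpot":       [r"\bjackpot\b", r"\bwinner\s*code\b", r"\bpowerball\b", r"\bfoundation\b"],
}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"""https?://[^\s<>"']+""")
# "quote number: 48213" / "winner code WC-77A1": a tracking token with at least one digit
CODE_RE = re.compile(r"\b(?:quote|winner)\s*(?:no\.?|number|code|#)?\s*[:#]?\s*([a-z-]*\d[a-z0-9-]{3,})")

def parse_relay_subject(subject):
    """Split a relayed subject 'sender@a.tld ... victim@b.tld <original subject>'
    (assumed shape) into (sender, victim, original_subject), or None if not relayed."""
    addrs = list(EMAIL_RE.finditer(subject))
    if len(addrs) < 2:
        return None
    original = subject[addrs[1].end():].lstrip(" :-–")
    return addrs[0].group(), addrs[1].group(), original

def registrable(host):
    """Crude last-two-labels domain; enough for the off-domain flag, not PSL-aware."""
    return ".".join(host.lower().split(".")[-2:])

def triage(subject, body):
    """Return theme hits (>=2 indicators), tracking codes and links pointing off
    the sender's domain, the one-domain-sends/another-hosts trick the post describes."""
    parsed = parse_relay_subject(subject)
    text = f"{parsed[2] if parsed else subject}\n{body}".lower()
    themes = {t: sum(1 for p in pats if re.search(p, text)) for t, pats in THEME_PATTERNS.items()}
    sender_dom = registrable(parsed[0].split("@")[1]) if parsed else None
    link_doms = {registrable(urlparse(u).hostname or "") for u in URL_RE.findall(body)}
    return {
        "relayed": parsed is not None,
        "themes": [t for t, n in themes.items() if n >= 2],
        "tracking_codes": CODE_RE.findall(text),
        "offdomain_links": sorted(d for d in link_doms if sender_dom and d != sender_dom),
    }

# Constructed samples in the shape of the relayed lures (not the real emails).
SAMPLE_QUOTE = ("vendas@loja-exemplo.example via relay to rishsec@mail.example: Quote number: 48213",
                "Please confirm the attached invoice and send your PIX key for payment: http://pagamento.hosting-free.example/quote")
SAMPLE_JACKPOT = ("claims@mavis-foundation.example to rishsec@mail.example - You have been selected",
                  "The Jackpot Foundation chose you. Your winner code WC-77A1 must be used within 48 hours at http://claim-now.freehost.example/")
```

Run `triage(*SAMPLE_QUOTE)` to see the quote theme, its tracking code and the off-domain link reported together; a plain non-relayed mail comes back with nothing flagged.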
Conclusion
In conclusion, I’m concerned by how the themes keep evolving in various ways, some being region-specific and others riding on popular news bytes. This involved the use of free hosting sites, sending emails from one domain while redirecting victims to another to evade detection, and tracking mechanisms like “winner codes”. While more themes will keep appearing, the core objective stays the same: to exploit human psychology and technical weaknesses to harvest sensitive personal and financial information.
IOC List
