Hackers are at it again, this time attacking in multiple packs. Their latest prey: at least 156 executive officers whose corporate email accounts have been successfully compromised. These officers are from various companies based in the UK, Germany, the Netherlands, Hong Kong and Singapore. The hacker packs have so far targeted executives from more than 150 companies. The Group-IB Threat Intelligence Team told The Hacker News that these businesses were primarily from finance, law and real estate.


The hacker packs' cyberattack campaign is nicknamed “PerSwaysion” and is a highly targeted phishing attack. To launch at its prey, it leverages Microsoft file-sharing services, including Sway, SharePoint and OneNote. Their kill so far is “more than 20 Office365 accounts of executives, presidents, and managing directors,” says Group-IB. This phishing attack, like most, aims to steal Microsoft Office 365 credentials.


The PerSwaysion packs mainly consist of Nigerian and South African scammers using a Vue.js JavaScript framework-based phishing kit. This kit was developed by, and rented from, Vietnamese-speaking hackers.


As part of the PerSwaysion operation, the attackers pick a legitimate cloud-based content-sharing service such as Microsoft Sway, SharePoint or OneNote. This enables them to go undetected. For example, fraudulent emails were sent to lure victims with a non-malicious PDF attachment containing a ‘read now’ link to a file hosted on Microsoft Sway. The carefully assembled Microsoft Sway page contains another “read now” link (the trap). This trap redirects you to a phishing site that is waiting for you to enter your email account credentials or confidential information.


They have got you! The attackers then start downloading your data from the server. Next, they impersonate you in order to target other people you’ve had recent contact with. These include business executives within the organisation, people who also hold important decision-making roles.


Finally, as if they have not already wounded you enough, they generate new phishing PDF files with the victim’s full name, email and legal company name. These PDFs are then emailed to all your external partners, those who also hold important positions within other organisations. The attackers delete the fraudulent emails from your sent items as they go, to avoid detection.
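
As an added example (not from Group-IB or the original article), the send-then-delete behaviour described above can be hunted for in mailbox audit data. This Python example runs over constructed events; the event schema, field names, the `example.com` domain and the thresholds are all assumptions to map onto your own mail platform's logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. The schema (op, folder, msg_id, ...) is an
# assumption for illustration, not a real audit-log format.
EVENTS = [
    {"time": "2020-04-30T09:00:05", "user": "cfo@example.com", "op": "send", "msg_id": "m1",
     "recipients": ["legal@partner.example"], "attachments": ["Shared-Document.pdf"]},
    {"time": "2020-04-30T09:00:40", "user": "cfo@example.com", "op": "delete", "msg_id": "m1",
     "folder": "Sent Items"},
    {"time": "2020-04-30T09:01:10", "user": "cfo@example.com", "op": "send", "msg_id": "m2",
     "recipients": ["ceo@supplier.example"], "attachments": ["Shared-Document.pdf"]},
    {"time": "2020-04-30T09:01:30", "user": "cfo@example.com", "op": "delete", "msg_id": "m2",
     "folder": "Sent Items"},
    # Benign: PDF sent externally, tidied up a day later.
    {"time": "2020-04-30T10:00:00", "user": "alice@example.com", "op": "send", "msg_id": "m3",
     "recipients": ["client@customer.example"], "attachments": ["quote.pdf"]},
    {"time": "2020-05-01T10:00:00", "user": "alice@example.com", "op": "delete", "msg_id": "m3",
     "folder": "Sent Items"},
    # Benign: internal recipient only.
    {"time": "2020-04-30T11:00:00", "user": "bob@example.com", "op": "send", "msg_id": "m4",
     "recipients": ["alice@example.com"], "attachments": ["minutes.pdf"]},
    {"time": "2020-04-30T11:00:20", "user": "bob@example.com", "op": "delete", "msg_id": "m4",
     "folder": "Sent Items"},
]

def find_send_then_delete(events, internal_domain="example.com",
                          window=timedelta(minutes=10), min_hits=2):
    """Map each user to the external PDF mails they deleted from Sent Items
    within `window` of sending; users with fewer than `min_hits` are dropped."""
    suffix = "@" + internal_domain
    sends = {}                    # (user, msg_id) -> time the PDF mail was sent
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        when = datetime.fromisoformat(ev["time"])
        key = (ev["user"], ev["msg_id"])
        if ev["op"] == "send":
            has_pdf = any(a.lower().endswith(".pdf") for a in ev.get("attachments", []))
            external = any(not r.lower().endswith(suffix) for r in ev.get("recipients", []))
            if has_pdf and external:
                sends[key] = when
        elif ev["op"] == "delete" and ev.get("folder") == "Sent Items":
            if key in sends and when - sends[key] <= window:
                hits[ev["user"]].append(ev["msg_id"])
    return {user: ids for user, ids in hits.items() if len(ids) >= min_hits}

if __name__ == "__main__":
    print(find_send_then_delete(EVENTS))
```

Only the account that repeatedly sends a PDF to outside recipients and removes it from Sent Items within minutes is reported; the late clean-up and the internal-only mail are ignored.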


The evidence suggests that scammers are using LinkedIn profiles to scope out their potential victims and their roles within a company. Firstly, this makes it difficult for co-workers to recognise any early warning signs that you are being attacked. In turn, it increases the rate of success for the new phishing cycle within an organisation.


How are these attackers now using your compromised corporate data? Researchers say it is perhaps being ‘sold in bulk to other financial scammers to conduct traditional monetary scams.’


Are you expecting an attack, or do you believe it’s highly likely your email was already compromised as part of PerSwaysion? Group-IB has set up an online web page for you to check.


If you have an important decision-making role within your organisation, being a target for these hacker packs is now inevitable. The best defence is education: educate yourself about their tactics or, alternatively, talk to an IT expert.