On 13 Oct 2020, Network Solutions made some changes to their email services that resulted in a disruption for many people. The change had to do with a new certificate being used.

In the immediate wake of that event last week and the residual confusion, it seems that someone has launched a sophisticated email phishing scheme that targets Network Solutions email customers and references the email certificate issue. The message attempts to convince users to log in with their email and password through an imposter website that collects account information.

Part of what makes this phishing scheme so effective and devious is that it leverages customer expectations. One expects to receive an email from Network Solutions notifying them of the email certificate problem.

However, Network Solutions did not send out any notice to customers. So the only message they will receive is this fake one, which adds to its credibility. If Network Solutions had preemptively sent out a notification to their customers, then subsequent fake emails would be more easily ignored.

Phishing Email Sample

Here is an example of the email being sent out. The sender address for this example was [email protected], which is an indicator that the email isn’t legitimate.

Fake Login Page

If you click on the link in the email above, you are taken to a website address that begins with firebasestorage.googleapis and includes netsoll in the address, which is a misspelling of NetSol, an older brand identification for Network Solutions. What’s interesting about the login portal below is that the design is an older one used previously by Network Solutions, but it does not look like the current Network Solutions email login.

Similarities to Other Phishing Emails

The use of the firebasestorage.googleapis.com website seems to be common in phishing emails, as explained by Trustwave. A similar scam used Microsoft’s trusted OneDrive file sharing service. This typically evades detection by security software because the hosting sites are considered trusted.

“Credential phishing is a real threat that’s targeting organizations globally. Threat actors are finding smart and innovative ways to lure victims to covertly harvest their corporate credentials. Threat actors then use these credentials to get a foothold into an organization to further their malicious agendas.”

[Source: Trustwave]
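
Because the hosting domain itself is trusted, a mail filter has to look past the host name. The sketch below is an added example, not code from Network Solutions or Trustwave: it flags a message when the sender claims the brand from a foreign domain, or when a link on a shared file-hosting domain carries a brand token such as netsoll in its path. The brand domain list, the shared-host list, the finding names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit, unquote

# Assumptions for this example (not from the original post):
BRAND_NAME = "network solutions"
BRAND_DOMAINS = {"networksolutions.com"}        # where genuine mail and logins live
BRAND_TOKENS = ("netsol", "networksolutions")   # "netsol" also matches "netsoll"
SHARED_HOSTS = {"firebasestorage.googleapis.com", "onedrive.live.com", "1drv.ms"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def under(host, domains):
    """True if host is one of domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def body_text(msg):
    """Concatenate every text/* part, decoding transfer encodings."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def assess(raw_email):
    """Return sorted finding names for one message given as RFC 5322 text."""
    msg = message_from_string(raw_email)
    findings = set()
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2].lower()
    claims_brand = BRAND_NAME in (display + " " + msg.get("Subject", "")).lower()
    if claims_brand and not under(sender_host, BRAND_DOMAINS):
        findings.add("sender-not-brand-domain")
    for url in URL_RE.findall(body_text(msg)):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        rest = unquote(parts.path + "?" + parts.query).lower()
        if under(host, SHARED_HOSTS) and any(t in rest for t in BRAND_TOKENS):
            findings.add("brand-token-on-shared-host")
    return sorted(findings)

# Constructed sample modelled on the description above; not the real message.
PHISH = """From: Network Solutions <notice@mailer.example>
Subject: Email certificate update

Sign in to restore service:
https://firebasestorage.googleapis.com/v0/b/bucket.example/o/netsoll%2Findex.html?alt=media
"""
```

Calling `assess(PHISH)` returns both findings, while a link to the same shared host with no brand token in its path returns none, so ordinary file sharing is not flagged.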