Cybercriminals are actively engaging in a sophisticated phishing campaign targeting users of the popular marketing and sales platform, HubSpot. This attack combines advanced social engineering tactics with compromised website infrastructure to steal the credentials of unsuspecting marketing professionals and business teams. The primary goal is to gain unauthorized access to sensitive HubSpot accounts.
The campaign, detailed by researchers at Evalian, begins with deceptive emails designed to look like legitimate communications from business associates. These messages prompt recipients to log into their HubSpot accounts immediately, often citing a fabricated reason such as an unusual increase in unsubscribes for marketing campaigns. The attackers are leveraging MailChimp, a widely recognized email marketing service, to distribute these phishing messages at scale, aiming to bypass standard email security filters by exploiting the platform’s trusted reputation.
Sophisticated Phishing Tactics Targeting HubSpot Users
A key element of this phishing campaign’s success lies in its unconventional approach to embedding malicious links. Instead of placing the URLs directly within the email body, the attackers embed them within the sender’s display name. This deceptive technique is particularly effective as many email security systems are configured to scan the content of messages for threats, often overlooking or not adequately scrutinizing the sender’s name field. This allows the malicious links to evade detection by automated security controls.
The phishing emails also benefit from being sent from compromised legitimate business domains. This provides a veneer of authenticity, making the messages appear credible both to automated email filtering systems and, crucially, to human recipients. When a user clicks the malicious link embedded in the sender’s name, they are first taken to a seemingly legitimate, but compromised, website. That webpage is crafted to forward the victim to a convincing fake HubSpot login portal.
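As an added illustration (not code from the Evalian research or this article), the following Python uses only the standard library to check the From and Reply-To display names for URLs, the field a body-only scanner misses, and flags any that point away from the sender's own domain. The message, addresses and domains are constructed samples on the reserved .example TLD.

```python
import email
import re
from email import policy
from urllib.parse import urlsplit

# URLs and www.-prefixed hosts that mail clients render as clickable links.
URL_RE = re.compile(r"""(?i)\b(?:https?://|www\.)[^\s<>"']+""")

def urls_in_display_names(msg) -> list[str]:
    """URLs found in the display-name part of From/Reply-To (not the addr-spec)."""
    found = []
    for field in ("From", "Reply-To"):
        header = msg[field]          # AddressHeader under policy.default, or None
        if header is None:
            continue
        for addr in header.addresses:
            found.extend(URL_RE.findall(addr.display_name))
    return found

def urls_in_body(msg) -> list[str]:
    """URLs in the text part, i.e. what a body-only scanner would see."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return URL_RE.findall(body.get_content()) if body else []

def host_of(url: str) -> str:
    if not url.lower().startswith("http"):
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()

def analyse(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses[0] if msg["From"] else None
    sender_domain = sender.domain.lower() if sender else ""
    name_urls = urls_in_display_names(msg)
    return {
        "sender_domain": sender_domain,
        "display_name_urls": name_urls,
        "body_urls": urls_in_body(msg),
        # A link in the sender name is abnormal; one leading off the sender's
        # own domain is the pattern this campaign relies on.
        "suspicious": any(host_of(u) != sender_domain for u in name_urls),
    }

# Constructed sample message (hypothetical sender and lure domains).
SAMPLE = b"""\
From: "HubSpot alert: review unsubscribes at https://hubspot-login.example/verify" <news@partner.example>
To: marketing@victim.example
Subject: Unusual increase in unsubscribes
Content-Type: text/plain; charset=utf-8

Please log in to your HubSpot account right away and review the spike.
"""

if __name__ == "__main__":
    print(analyse(SAMPLE))
```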
The infrastructure hosting these fake login pages has been linked to Proton66 OOO, identified as a Russian bulletproof hosting provider. Specifically, the infrastructure is associated with autonomous system AS198953. In this elaborate scheme, once a user enters their login credentials into the fraudulent portal, this sensitive information is captured by the attackers and transmitted to a file named “login.php.” The visual design of both the phishing email and the replica login page meticulously mirrors HubSpot’s legitimate interface, further enhancing the illusion of legitimacy and increasing the likelihood of successful credential theft.
Investigating the Hosting Infrastructure
The modus operandi of this attack centers on harvesting valid user credentials rather than deploying traditional malware to victim devices. The hosting infrastructure employed by the attackers utilizes a Plesk-managed virtual private server. Researchers have noted the presence of exposed mail services, including Postfix and Dovecot, which are commonly used for sending and receiving emails.
Analysis of the associated IP address, 193.143.1.220, revealed an unusually broad range of open ports. These include standard email ports such as SMTP on ports 25 and 465, and IMAP on ports 143 and 993. Additionally, multiple Plesk administrative interfaces were found to be exposed. This type of configuration is indicative of infrastructure designed for the rapid deployment and frequent rotation of phishing campaigns, allowing attackers to quickly change their online presence to evade detection.
The exposed Plesk control panels provide attackers with the capability to swiftly deploy new phishing pages, manage any compromised email accounts associated with the infrastructure, and continuously rotate their hosting resources. This agility makes it more challenging for cybersecurity professionals to track and disrupt their operations. Ongoing infrastructure analysis has confirmed that this IP address is implicated in multiple other phishing attempts, suggesting a pattern of organized and persistent attack activity against various targets.
In light of these evolving threats, organizations are strongly advised to implement layered security measures. These measures should extend beyond standard email authentication protocols to form a more robust defense. Businesses heavily reliant on platforms like HubSpot should consider advanced threat detection solutions and user education programs to mitigate the risk of successful phishing attacks. As cybercriminals continue to refine their techniques, vigilance and proactive security strategies are paramount.