Phishing Campaign Revealed After 5 Years of Tricking Computer Users with “HR”-Style Emails

Jul 27th 2014 - by Fix My PC FREE in: Blog PC Protection News | 0 Comment


Malware may reinstall itself multiple times if you don't delete its core files. This may require tracking down dozens of files in different locations.

We recommend downloading Restoro to eradicate Malware for you (it should cut down the time to about 15 minutes).

>> Download Restoro <<
Phishing Campaign Revealed After 5 Years of Tricking Computer Users with “HR”-Style Emails

Phishing is one of the deadliest PC threats out there today.

Phishing involves tricking someone into divulging personal information – like account usernames or passwords.

Today’s best phishers are trained professionals with decades of experience luring people online. They know exactly how to trick people, misdirect them, and extract the information they need. That’s what makes them so scary.

Recent PC security news has brought phishing to the forefront once more.

Security researchers at Cyphort have recently discovered a phishing system that has been active for the last five years.

This phishing system has targeted users who work in specific industry sectors. Over the past five years, it has stolen data for use in fraud and other nefarious purposes.

Specific targeted sectors include finance, sales, and HR departments at companies in the energy, education, and insurance sectors. Reportedly, even a few charities have been targeted as part of the attack.

phishing 3

The phishing attack is called NightHunter

As if the phishing attack wasn’t scary enough, it’s been given a really scary name: NightHunter. Here’s the important things you need to know about NightHunter:

-It extracts data through emails and email attachments

-It uses multiple keyloggers – including Predator Pain, Limitless, and Spyrix – to steal login credentials from users

-Keylogger applications can also perform further tasks, including clearing browser data, disabling software products, obfuscating data, and taking screenshots of the computer

-It spread using innocent-sounding emails with vague, HR-related subject headings like “Jobs List”, “PO”, “Order”, and “Inquiry”

-After opening the email, users were prompted to download malicious files with types like .DOC, .ZIP, and .RAR

-When these files were downloaded and activated, a .NET binary would steal user credentials and immediately send them to a remote email server

phishing 2

300,000 samples stolen over 5 years

Security researchers have tracked NightHunter using Gmail servers, which is where the data was temporarily stored after it was stolen.

300,000 samples have been spotted in total on Google’s Gmail servers, which means that approximately 300,000 data points were stolen from users over the past 5 years.


Why Gmail?

Gmail was used for a few different reasons. One major reason is that corporate servers have typically whitelisted Gmail traffic , which makes it easy to send large volumes of emails to and from Gmail without detection.

Another reason why attackers used Gmail is its popularity: people generally don’t think twice when they see an email from Gmail appear in their inbox, nor would server admins think twice when they see traffic going to and from Gmail servers.

Both of these qualities played a huge role in the success of NightHunter.

gmail-logo (1)

Don’t trust any emails – even ones with innocent subject headings

One of the major reasons NightHunter succeeded was because it used innocuous subject headings.

Picture this: you come into work on Monday morning. You’ve only had one cup of coffee. You open your work email account and see a notice from your boss, a message from HR, and an email about pay slips with a document attached.

Any of those messages could contain the phishing virus.


NightHunter was so successful because it avoided the tropes of phishing. It didn’t send emails featuring “urgent messages” from your bank, for example, nor did it ask for money for a Nigerian prince.

Check out some of the email examples on this page and you’ll see why it was so successful. Even tech-oriented people would likely fall for many of these emails.

The most common NightHunter subject headings were as follows:


-Jobs List


-Reconfirm Pls

-Payment Slip



-Remittance Payment Slip

Meanwhile, the most common credentials stolen were for Google accounts, Facebook, Dropbox, Yahoo, Hotmail, Amazon, Skype, LinkedIn, and various banks

Next time you download an email attachment, make sure you know exactly who it came from and why they sent it to you – especially if you’re at work. If you’re ever unsure, email the person back and ask them why they sent a .rar document or some other suspicious file type.

Nighthunter-4 Nighthunter-3 Nighthunter-2 Nighthunter-1

No Comment

Leave a Reply

Name Required