
Phishing Campaign Targets UK Migrant Sponsor System

Mimecast identified a phishing campaign targeting UK organizations sponsoring migrant workers and students, exploiting Home Office branding within the Sponsorship Management System (SMS) to compromise credentials for financial exploitation and data theft.

Cyber criminals are exploiting Home Office branding in a newly identified phishing campaign, targeting holders of UK immigrant sponsor licenses participating in the government’s Sponsorship Management System. This system is primarily designed for employers sponsoring visas in the Worker and Temporary Worker categories, as well as institutions sponsoring visas in the Student and Child categories. Its core functions include managing the creation and assignment of sponsorship certificates for prospective employees or students, and reporting changes of circumstances for sponsored immigrants.

The campaign, identified by Samantha Clarke, Hiwot Mendahun, and Ankit Gupta of the Threat Research Team at Mimecast, an email security specialist, appears to primarily seek to compromise credentials for subsequent financial exploitation and data theft. The Mimecast team stated that this campaign presents a significant threat to the UK immigration system, with attackers attempting to compromise access to the Sponsorship Management System for extensive financial and data exploitation.

The threat actors deploy fraudulent emails that impersonate official Home Office communications, typically sent to general organizational email addresses. These emails contain urgent warnings about compliance issues or account suspension and include malicious links that redirect recipients to convincing fake SMS login pages designed to harvest User IDs and passwords.

The campaign follows a consistent pattern. It begins with phishing emails that closely mimic a genuine Home Office notification, presented as urgent notices or system alerts requiring prompt attention. Their true purpose is to direct users to fake login pages that capture the victims' SMS credentials. Deeper technical analysis by the Mimecast team revealed that the perpetrators place captcha-gated URLs in front of the phishing pages as an initial filtering mechanism.

This is followed by redirection to attacker-controlled phishing pages, which are direct clones of the genuine article. These cloned pages incorporate pilfered HTML, links to official UK government assets, and minimal yet critical changes to the form submission process. The Mimecast team noted that the threat actors demonstrate advanced understanding of government communication patterns and user expectations within the UK immigration system.
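The distinguishing feature of the cloned pages described above is that they reuse official-looking assets while changing only where the login form is submitted. The following script is an added example written for this article, not Mimecast's detection tooling: it parses a saved copy of a suspect page and flags that pattern, plus links whose visible text mentions gov.uk but whose target is elsewhere. The trusted-domain suffix, the constructed sample pages and the asset paths on them are assumptions made for the example.

```python
"""Indicator check for a suspected cloned government login page.

Added example (not Mimecast's or the Home Office's code). It parses saved HTML
and flags the clone pattern described in the article: assets loaded from a
trusted government domain, but the login form posting somewhere else.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption for this example: genuine Home Office services live under gov.uk.
TRUSTED_SUFFIXES = (".gov.uk",)


def is_trusted(url: str) -> bool:
    """True when the URL's host is the trusted domain or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return host == "gov.uk" or host.endswith(TRUSTED_SUFFIXES)


class _Collector(HTMLParser):
    """Collects form actions, external asset URLs and (href, visible text) link pairs."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.form_actions = []
        self.assets = []
        self.links = []
        self._open_href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty or missing action means the form posts back to the page itself.
            self.form_actions.append(urljoin(self.page_url, a.get("action") or ""))
        elif tag in ("script", "img", "link") and (a.get("src") or a.get("href")):
            self.assets.append(urljoin(self.page_url, a.get("src") or a.get("href")))
        elif tag == "a" and a.get("href"):
            self._open_href = urljoin(self.page_url, a["href"])
            self._text = []

    def handle_data(self, data):
        if self._open_href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._open_href is not None:
            self.links.append((self._open_href, "".join(self._text).strip()))
            self._open_href = None


def analyse_page(html: str, page_url: str) -> dict:
    """Return the form targets found and a list of human-readable findings."""
    p = _Collector(page_url)
    p.feed(html)
    findings = []
    if not is_trusted(page_url):
        findings.append("page served from untrusted host")
    for action in p.form_actions:
        if not is_trusted(action):
            findings.append(f"form submits to untrusted host: {urlparse(action).hostname}")
    # The clone signature: official assets present, but credentials leave the trusted domain.
    if any(is_trusted(u) for u in p.assets) and any(not is_trusted(a) for a in p.form_actions):
        findings.append("clone pattern: official assets but off-domain form submission")
    for href, text in p.links:
        if "gov.uk" in text.lower() and not is_trusted(href):
            findings.append(f"link text mentions gov.uk but points to {urlparse(href).hostname}")
    return {"form_actions": p.form_actions, "findings": findings}


# Constructed samples. Domains under example.net / example.gov.uk and the asset
# paths are placeholders, not real Home Office URLs.
CLONED_PAGE = """
<html><head>
<link rel="stylesheet" href="https://www.gov.uk/assets/govuk.css">
<script src="https://www.gov.uk/assets/govuk.js"></script>
</head><body>
<img src="https://www.gov.uk/assets/crest.png">
<form method="post" action="https://sms-login-check.example.net/submit">
<input name="userid"><input name="password" type="password">
</form>
<a href="https://sms-login-check.example.net/help">https://www.gov.uk/sponsor-help</a>
</body></html>
"""

GENUINE_PAGE = """
<html><head><link rel="stylesheet" href="https://www.gov.uk/assets/govuk.css"></head>
<body><form method="post" action="/login"><input name="userid"></form></body></html>
"""

if __name__ == "__main__":
    print(analyse_page(CLONED_PAGE, "https://sms-login-check.example.net/login"))
    print(analyse_page(GENUINE_PAGE, "https://sms.example.gov.uk/login"))
```

The check is deliberately narrow: it does not try to score a page as "phishing" in general, only to surface the one change an attacker must make to a cloned page to receive the credentials. In a mail gateway this would run on the page fetched during URL sandboxing, before the user clicks.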

The objective of this phishing attack appears to be twofold, targeting both organizations legitimately sponsoring immigrants to the UK and the immigrants themselves. Once the primary victims’ SMS credentials are compromised, the attackers pursue several monetization objectives. Chief among these appears to be the sale of access to compromised accounts on dark web forums to facilitate the issuance of fake Certificates of Sponsorship (CoS). Additionally, the attackers conduct extortion attacks directly against the organizations themselves. A less visible, and potentially more profitable, avenue for exploitation involves the creation of fake job offers and visa sponsorship schemes. Individuals seeking to relocate to the UK have reportedly been defrauded of up to £20,000 by these cyber criminals for what appeared to be legitimate visas and job offers that never materialized.

Mimecast has implemented comprehensive detection capabilities for its customers who may be at risk from this phishing campaign. The firm’s email security platform is designed to detect and block incoming emails associated with this activity, and Mimecast continues to monitor for any further developments. Organizations utilizing the SMS service should consider implementing several protective measures. These include deploying email security capabilities to detect government impersonation and suspicious URL patterns, and implementing URL rewriting and sandboxing to analyze links prior to user interaction.

It is also advised to establish and enforce multifactor authentication (MFA) on SMS access, rotate these credentials frequently, and monitor SMS accounts for unusual access patterns or login locations that appear inconsistent. Organizations should brief individuals with SMS access on what genuine Home Office communications and official email domains look like, emphasizing the importance of verifying urgent notifications before taking action. This should be coupled with general phishing-awareness training and simulations. Additionally, setting up verification procedures for SMS-related communications, incorporating SMS compromise into incident response protocols, and segregating SMS duties where possible can help mitigate single-point-of-failure scenarios. The Home Office has been contacted for comment regarding this campaign.
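The advice above to monitor SMS accounts for unusual access patterns and inconsistent login locations can be implemented with a small baseline-and-deviation check over the organization's own access records. The script below is an added example for this article, not a Home Office or Mimecast tool. It assumes an audit log with one line per successful login carrying a timestamp, account, source country and IP (the log lines are constructed), builds a per-account set of known countries from a baseline period, and then alerts on logins from a new country and on two logins from different countries too close together to be plausible travel.

```python
"""Access-pattern monitoring for sponsor-system accounts.

Added example (not Mimecast's or the Home Office's code). Assumes an audit log
in the constructed format below; any real deployment would adapt LINE_RE to its
own log source.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login account=(?P<account>\S+) "
    r"country=(?P<country>[A-Z]{2}) ip=(?P<ip>\S+)$"
)

# Constructed sample audit log. Lines before BASELINE_UNTIL form the baseline;
# the later lines contain a new-country login followed minutes after a home login,
# and an isolated new-country login on a second account.
SAMPLE_LOG = """\
2024-05-01T08:12:03Z login account=hr@sponsor.example country=GB ip=198.51.100.10
2024-05-01T17:40:11Z login account=hr@sponsor.example country=GB ip=198.51.100.10
2024-05-02T09:02:45Z login account=admissions@sponsor.example country=GB ip=198.51.100.22
2024-05-03T08:55:19Z login account=hr@sponsor.example country=GB ip=198.51.100.10
2024-05-03T10:15:00Z login account=admissions@sponsor.example country=GB ip=198.51.100.22
2024-05-10T08:30:00Z login account=hr@sponsor.example country=GB ip=198.51.100.10
2024-05-10T08:47:21Z login account=hr@sponsor.example country=US ip=203.0.113.77
2024-05-11T02:10:00Z login account=admissions@sponsor.example country=IE ip=203.0.113.90
"""
BASELINE_UNTIL = datetime(2024, 5, 5, tzinfo=timezone.utc)


def parse_log(text: str) -> list:
    """Parse log lines into (timestamp, account, country, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not login records
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["account"], m["country"], m["ip"]))
    return sorted(events)


def detect_anomalies(events: list, baseline_until: datetime,
                     travel_window: timedelta = timedelta(hours=1)) -> list:
    """Return (account, alert_kind, detail) tuples for suspicious logins."""
    # Known countries per account, learned from the baseline period only.
    baseline = defaultdict(set)
    for ts, acct, country, _ in events:
        if ts < baseline_until:
            baseline[acct].add(country)

    alerts = []
    last_seen = {}  # account -> (timestamp, country) of the previous login
    for ts, acct, country, ip in events:
        if ts >= baseline_until and country not in baseline[acct]:
            alerts.append((acct, "new-country", f"{country} from {ip} at {ts.isoformat()}"))
        prev = last_seen.get(acct)
        if prev and prev[1] != country and ts - prev[0] < travel_window:
            alerts.append((acct, "implausible-travel",
                           f"{prev[1]} then {country} within {ts - prev[0]}"))
        last_seen[acct] = (ts, country)
    return alerts


def run_sample() -> list:
    """Run the detector over the constructed log with the sample baseline cut-off."""
    return detect_anomalies(parse_log(SAMPLE_LOG), BASELINE_UNTIL)


if __name__ == "__main__":
    for acct, kind, detail in run_sample():
        print(f"{kind:20} {acct:30} {detail}")
```

An alert of either kind on an SMS account is the trigger to invoke the incident-response step the article recommends: treat the account as compromised, rotate its credentials and review any Certificates of Sponsorship assigned since the first anomalous login.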
