On May 17th, Avanan researchers noticed a spike in phishing emails containing links to a particular subdomain of GameStop.com. GameStop is an American gaming company that has recently become the internet’s darling as a global finance phenomenon. GameStop uses a service called Movable Ink to send out its marketing content, and the parked URL for this service is http://mi.gamestop.com/. Movable Ink offers its customers a way to send out unique visual marketing content that is tailored to every recipient. We see Movable Ink URLs used by many different brands across our customer base, but only in the case of GameStop have we seen an excessive number of them in phishing emails.

Across our entire customer base, we spotted over 300 emails containing links to http://mi.gamestop.com/. Here are a few of them [censored to protect customer privacy]:

 

 

Another common thread in these attacks is a reference to a seemingly legitimate PC repair business called EasyPC123, although it does not have an extensive web presence beyond its company website.

Here are some examples of these attack emails:

 

 



 

As you can see from the screenshots, these phishing emails vary in style and sophistication. The senders of these phishing emails vary from case to case, but there are a few common ones that we believe are either compromised email addresses, spoofed supply chain vendor addresses, or throwaway email addresses hosted by the attackers.

 

| Sender address | Count |
|---|---|
| support@newaccount1618851988770.freshdesk.com | 98 |
| info@inaigem.gob.pe | 52 |
| support@newaccount1620671827628.freshdesk.com | 18 |
| info@something5505.co.jp | 6 |
| maruchan1127@kta.biglobe.ne.jp | 4 |
| sales@relayninjas.com | 4 |
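The sender list above shows the pattern a mail filter can key on: a link whose host is the brand's marketing subdomain, sent from a domain unrelated to the brand. The following is an added example, not Avanan's detection logic; the brand sender domain, the `news@email.gamestop.com` address, the URL paths and all sample messages are constructed assumptions.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

BRAND_LINK_HOST = "mi.gamestop.com"    # link host named in the article
BRAND_SENDER_DOMAIN = "gamestop.com"   # assumption: domain of the brand's own mail
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def host_of(url):
    try:
        return urlsplit(url).hostname  # parsed host, lower-cased, no port or userinfo
    except ValueError:                 # malformed URL (e.g. broken IPv6 literal)
        return None

def links_to_brand(msg):
    """True if any text part holds a URL whose parsed host is the brand host."""
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        text = raw.decode(part.get_content_charset() or "utf-8", "replace")
        if any(host_of(u) == BRAND_LINK_HOST for u in URL_RE.findall(text)):
            return True
    return False

def is_brand_sender(address):
    domain = address.rpartition("@")[2]
    return domain == BRAND_SENDER_DOMAIN or domain.endswith("." + BRAND_SENDER_DOMAIN)

def tally_mismatches(raw_messages):
    """Count, per sender, messages linking to the brand host from a non-brand domain."""
    counts = Counter()
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        if links_to_brand(msg) and not is_brand_sender(sender):
            counts[sender] += 1
    return counts

# Constructed sample messages (not real campaign mail); URL paths are placeholders.
SAMPLES = [
    "From: Support <support@newaccount1618851988770.freshdesk.com>\nSubject: Ticket\n\nOpen: http://mi.gamestop.com/p/placeholder-1\n",
    "From: support@newaccount1618851988770.freshdesk.com\nSubject: Invoice\n\nView http://MI.GAMESTOP.COM/p/placeholder-2 now\n",
    "From: info@inaigem.gob.pe\nSubject: Notice\n\n<a href=\"http://mi.gamestop.com/p/placeholder-3\">here</a>\n",
    "From: GameStop <news@email.gamestop.com>\nSubject: Deals\n\nhttp://mi.gamestop.com/p/placeholder-4\n",
    "From: alerts@example.org\nSubject: Hi\n\nhttps://www.example.com/?ref=mi.gamestop.com\n",
]
```

The From header can be spoofed, which the article suspects for some of these senders, so a production rule would compare against the SPF- or DKIM-authenticated domain rather than the header value.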



The links that were sent to all these users have since been taken down and now only redirect to the GameStop homepage. We are unable to confirm whether these links hosted any malicious content because, at the time of discovery, they merely redirected users to a blank page. It is possible that the blank page was meant to go live with malicious content once the attackers had confirmed that their emails were delivered to a large number of mailboxes.

These links have not been seen in phishing emails since May 18th. Avanan is not sure whether it was GameStop or Movable Ink that was compromised to launch this sophisticated phishing campaign, but it appears that they have patched whichever service allowed this exploit.

None of these emails made it through to a user’s inbox for Avanan customers who are using inline mode, but they did make it past various SEGs, EOP, and ATP. This attack campaign highlights the need for Avanan’s sophisticated security solution. Avanan offers security from targeted phishing emails such as these by using best-of-breed NLP, AI, and ML. Other CESS vendors, who might also be using the above methodologies to fight phishing, are not inline and therefore cannot prevent the emails from being delivered to an end-user’s inbox. As you can see from the email screenshots, these emails are very well crafted, and you can hardly blame unsuspecting users for clicking on the links at first sight, which highlights the importance of making sure these emails never make it to a user’s inbox or junk folder.
