We've recently observed a rise in sophisticated phishing attempts aimed at organizations. These efforts are often disguised as communications from trusted entities — most recently, the Israel Defense Forces (IDF) — to gain unauthorized access to systems. It's important to stay vigilant against these deceptive tactics that may direct you to download harmful software.
How the phishing attempt works
These phishing attempts may direct users to download files supposedly containing emergency instructions. In some instances, the links lead to the installation of legitimate RMM software, such as the Atera agent, for illegitimate purposes. Typically, the deceptive installation files are hosted on credible services like Onehub, making the phishing attempt seem more plausible. While there may be other addresses, we know that this is one of the email addresses behind the phishing campaign: idfalert@miraclecenter[.]org
Impersonation email example
What you can do
To safeguard your information and infrastructure, we recommend heightened caution with email communications:
- Always verify sender identity: Scrutinize the email's origin and check for inconsistencies in email addresses that might indicate impersonation.
- Examine content carefully: Look out for spelling mistakes or grammatical errors — often red flags in fraudulent messages.
- Be cautious when asked to download something: Avoid downloading files or installing software via email links unless absolutely certain of their legitimacy.
- Do not share sensitive information: Never provide passwords or sensitive data in response to an email request.
- Use secure communication channels: Confirm requests through known, secure channels outside of the initial email communication.
Indicators of compromise (IOCs) to block
To protect your systems against this phishing scam, here are specific URLs, emails, and IP addresses identified as risks that you must block:
Note:
- For security reasons, we've intentionally altered the URLs and emails by inserting square brackets to prevent them from being active links. This measure ensures safety while handling this information.
- Please check back over the next few days, as we'll update this list throughout the course of our investigation.
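As an added example (not part of Atera's advisory or tooling), this Python sketch shows one way to convert defanged indicators (hxxp scheme, bracketed dots and scheme separators) into matchable values and check mail-gateway log lines against them. The log format, the placeholder URL and the placeholder IP are constructed assumptions; only the sender address comes from this page.

```python
import re
from urllib.parse import urlsplit

def refang(ioc):
    """Undo advisory defanging: leading bullet, hxxp(s), [.] and [://]."""
    ioc = ioc.strip().lstrip("-").strip().replace("[://]", "://").replace("[.]", ".")
    return re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)

def classify(ioc):
    """Return (kind, normalized value) for a refanged indicator."""
    if ioc.lower().startswith(("http://", "https://")):
        parts = urlsplit(ioc)
        # Compare host + path only, so scheme or query string cannot hide a hit.
        return "url", ((parts.hostname or "") + parts.path).rstrip("/").lower()
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ioc):
        return "ip", ioc
    if "@" in ioc:
        return "email", ioc.lower()
    raise ValueError(f"unrecognised indicator: {ioc!r}")

def build_blocklist(defanged_lines):
    blocklist = {"url": set(), "email": set(), "ip": set()}
    for value in map(refang, defanged_lines):
        if value:  # skip empty bullets left behind by copy/paste
            kind, norm = classify(value)
            blocklist[kind].add(norm)
    return blocklist

def scan(log_lines, blocklist):
    """Return (line_no, kind, value) for each indicator found in the log lines."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        for kind, values in blocklist.items():
            for value in sorted(values):
                # Boundaries stop 192.0.2.10 from matching 192.0.2.100.
                pattern = r"(?<![\w.-])" + re.escape(value) + r"(?![\w-])"
                if re.search(pattern, line.lower()):
                    hits.append((no, kind, value))
    return hits

# Constructed sample data; only the sender address comes from the advisory.
SAMPLE_IOCS = ["- idfalert@miraclecenter[.]org", "-", "192.0.2.10",
               "- hxxps[://]files[.]example[.]com/files/abc12345"]
SAMPLE_LOG = [
    "from=<IDFalert@MiracleCenter.org> to=<user@corp.example>",
    "from=<hr@corp.example> url=https://files.example.com/files/ABC12345?dl=1",
    "from=<news@corp.example> relay=192.0.2.100",
    "from=<it@corp.example> relay=192.0.2.10",
]
if __name__ == "__main__": print(scan(SAMPLE_LOG, build_blocklist(SAMPLE_IOCS)))
```

Matching URLs on host and path means a changed scheme or an appended query string still produces a hit, and the boundary checks keep a listed IP from matching a longer neighbouring address.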
Atera's role and our commitment
While phishing campaigns might misuse legitimate software, our commitment to security remains steadfast and strong. We're vigilant in monitoring threats and providing support to ensure the safe use of our platform.
Need help or have questions?
If you suspect you've encountered a phishing attempt or have already interacted with one, please contact us.
Our team is ready to assist with security checks, preventive measures, and further guidance on protecting your digital environment.