Immigration sponsors in the United Kingdom are under attack from a phishing scam impersonating the Home Office.
In a concerning development, an active phishing campaign has been impersonating the UK Home Office to compromise organizations licensed to sponsor foreign workers and students. This campaign, which has been gaining traction since July, has been targeting companies across all industries and sectors.
The threat actors behind this operation demonstrate an advanced understanding of government communication patterns and user expectations within the UK immigration system. The attacks are designed to closely mimic official UK Home Office communications and web pages, making it easier for unsuspecting victims to fall prey.
The campaign begins with target organizations receiving emails carrying urgent Sponsorship Management System (SMS) notifications or system alerts that demand immediate attention. These emails lead to fraudulent login pages designed to prompt users into entering their SMS authentication credentials.
To add an extra layer of deception, clicking the link in the initial phishing email sends the user to a CAPTCHA-gated URL, which acts as a filtering mechanism against automated scanners. Once the user completes the CAPTCHA, they are redirected to a phishing page that closely replicates the authentic SMS interface. This is achieved by directly copying the official SMS login page HTML, hotlinking the official assets, and making minimal but critical changes to the form submission process so that credentials are sent to the attackers.
Once the attackers have captured the SMS credentials, they engage in a range of monetization schemes. These include selling access to compromised accounts on dark web forums, conducting extortion schemes against affected organizations, facilitating fraudulent Certificate of Sponsorship (CoS) issuance, and creating fake job offers and visa sponsorship schemes via seemingly legitimate visa documents.
The cybersecurity company that investigated the phishing campaign is Push Security. On July 10, the Home Office issued a notification warning of phishing scams that could compromise SMS account security. The Home Office also advised organizations to be vigilant and to report any suspicious emails or activities to the authorities.
To protect against such attacks, Mimecast advises UK organizations holding sponsor licenses to deploy anti-phishing tools that can detect government impersonation attempts and suspicious URL patterns. The Mimecast report, published on August 12, lists common subject lines used in the phishing emails, such as 'A new message has been posted to your Sponsorship Management System' and 'Message Notification from SMS'.
In addition, firms should implement URL rewriting and sandboxing to analyze links before the user interacts with them. These measures can help prevent phishing attacks from succeeding and protect organizations from potential data breaches and financial losses.
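The two indicators the article gives defenders (the reported subject lines and links that do not belong to the government domain) can be turned into a simple mail-gateway triage rule. The following Python is an added example, not code from Push Security, Mimecast or the Home Office; it assumes that genuine SMS notifications and links live under gov.uk, and the two sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Subject lines the article reports the campaign using (matched case-insensitively).
KNOWN_PHISHING_SUBJECTS = {
    "a new message has been posted to your sponsorship management system",
    "message notification from sms",
}

# Assumption: legitimate Home Office / SMS mail and links are hosted under gov.uk.
TRUSTED_DOMAIN_SUFFIX = "gov.uk"
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)
# Wording that signals the message is themed around UK sponsor licensing.
LURE_TERMS = ("sponsorship management system", "home office", "sponsor licence")


def _host(url):
    """Extract the lower-cased host part of an http(s) URL ('' if unparseable)."""
    m = re.match(r"https?://([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def _is_trusted(host):
    """True if the host is gov.uk itself or a subdomain of it."""
    return host == TRUSTED_DOMAIN_SUFFIX or host.endswith("." + TRUSTED_DOMAIN_SUFFIX)


def _body_text(msg):
    """Concatenate the decoded text/plain and text/html parts of a message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def assess_email(raw):
    """Return the list of reasons a raw RFC 822 message looks like the SMS lure (empty = no hit)."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    sender_host = parseaddr(msg.get("From") or "")[1].split("@")[-1].lower()
    body = _body_text(msg)
    reasons = []

    # 1. Exact match on a subject line reported for this campaign (a weak signal on its own).
    if subject in KNOWN_PHISHING_SUBJECTS:
        reasons.append("subject matches reported campaign subject line")

    # 2. Sponsor-licence theme but the sender is outside the government domain.
    mentions_lure = any(t in body.lower() or t in subject for t in LURE_TERMS)
    if mentions_lure and not _is_trusted(sender_host):
        reasons.append(f"claims Home Office/SMS context but sender domain is {sender_host!r}")

    # 3. Sponsor-licence theme but the login links point somewhere other than gov.uk.
    untrusted_links = sorted({_host(u) for u in URL_RE.findall(body) if not _is_trusted(_host(u))})
    if mentions_lure and untrusted_links:
        reasons.append("SMS-themed message links to non-gov.uk host(s): " + ", ".join(untrusted_links))
    return reasons


# Constructed sample messages (not captured from the campaign): one lure, one benign notice.
SAMPLE_LURE = """From: UKVI Sponsor Team <noreply@sms-notice.example>
To: hr@company.example
Subject: Message Notification from SMS

A new message has been posted to your Sponsorship Management System.
Sign in to review it: https://sms-login.example/verify
"""

SAMPLE_BENIGN = """From: IT Helpdesk <helpdesk@company.example>
To: hr@company.example
Subject: Printer maintenance on Friday

The third-floor printer will be offline Friday morning. See https://intranet.company.example/notices
"""

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, assess_email(raw))
```

The subject-line match alone is treated as a weak indicator, because a genuine SMS notification may use similar wording; the stronger signals are the sender-domain and link-host checks, which is why a real gateway rule would quarantine on those and only tag on the first. A CAPTCHA-gated redirector, as described above, will defeat naive link-following, so the link check here inspects the hosts in the message rather than fetching them.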