UPDATED 06:00 EDT / OCTOBER 12 2021

SECURITY

Sneaky new phishing campaign uses a math symbol in the Verizon logo

Researchers at Inky Technology Corp. have uncovered a sneaky new phishing campaign that involves the use of a math symbol in the Verizon logo.

The Verizon impersonation campaign, revealed today, was spotted in dozens of fake emails sent from various Gmail addresses during a two-week period between Sept. 1 and Sept. 13. Instead of the “V” symbol at the end of the Verizon logo, the emails used close alternatives, such as a stylized square root/radical symbol that bears a passing resemblance to the proper Verizon logo.

The researchers explain that despite the money major brands spend on logo design, people often forget them. That plays into the hands of phishers, who can deceive their victims with made-up logos that look about right. The graphics may be off, but they do the job. It’s also noted that Verizon has changed its logo a couple of times since Bell Atlantic Corp. was renamed Verizon in 2000.

The phishing emails used three variations on the Verizon logo: the stylized square root, a logical NOR operator and the checkmark symbol itself but in a different location. Each email had a malicious link to a credential harvesting site that targeted Microsoft Corp. Office 365 users.

All three types masqueraded as voicemail notifications. Verizon provides voicemail services, including notifications via email, which makes the lure more plausible to potential victims. The phishers also stole separate HTML and CSS elements from Verizon’s real site to create a custom job that sometimes included a correct version of the logo.

Upon clicking on the malicious link, those targeted were taken to a fake site that asked them to enter their Microsoft credentials.

The phishers are said to have sent the phishing emails from Gmail accounts because they could pass standard email authentication such as SPF, DKIM and DMARC. Since the malicious link was brand-new and presented no zero-day vulnerabilities, the emails were not picked up by legacy anti-phishing tools.

Email recipients are being advised to be suspicious of voicemail notifications coming from Gmail or other free email providers such as Yahoo, AOL or Hotmail. They should also distrust emails that claim to be from Verizon but come from a Gmail sender.  
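The advice above can be turned into a mail-filter heuristic. The following is an added example, not code from Inky or from the article: it assumes the lookalike logo appears as a text character after the brand name in a single-part HTML body, and the sample message, addresses and finding labels are constructed for illustration.

```python
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

FREE_MAIL = {"gmail.com", "yahoo.com", "aol.com", "hotmail.com"}  # providers named in the article
BRAND = "verizon"

def lookalike_symbols(text):
    """Names of non-ASCII math/other symbols that directly follow the brand name."""
    hits = []
    for m in re.finditer(BRAND + r"\s?(\S)", text, re.IGNORECASE):
        ch = m.group(1)
        if ord(ch) > 127 and unicodedata.category(ch) in ("Sm", "So"):
            hits.append(unicodedata.name(ch, "UNNAMED"))
    return hits

def assess(raw):
    """Return a list of findings for one RFC 5322 message given as text."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = re.sub(r"<[^>]+>", "", msg.get_payload())  # drop HTML tags (single-part mail assumed)
    text = " ".join([display, msg.get("Subject", ""), body])
    free = domain in FREE_MAIL
    findings = []
    if free and BRAND in text.lower():
        findings.append("brand-claim-from-free-mail:" + domain)
    findings += ["symbol-after-brand:" + n for n in lookalike_symbols(text)]
    if free and "voicemail" in text.lower():
        findings.append("voicemail-notice-from-free-mail")
    # SPF/DKIM/DMARC passing only proves the mail really came from the free provider.
    auth = msg.get("Authentication-Results", "")
    if findings and all(k + "=pass" in auth for k in ("spf", "dkim", "dmarc")):
        findings.append("auth-pass-does-not-clear")
    return findings

# Constructed sample message (not taken from the campaign).
SAMPLE = """From: Verizon Voicemail <constructed-sender@gmail.com>
To: user@example.org
Subject: New voicemail received
Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/html; charset=utf-8

<b>verizon</b><span style="color:red">\u221a</span>
<p>You have a new voicemail. <a href="https://link.example/listen">Listen</a></p>
"""

if __name__ == "__main__":
    for finding in assess(SAMPLE):
        print(finding)
```

The sender-domain findings do not depend on the symbol check, so a message that uses a correct copy of the logo is still flagged when it arrives from a free-mail address.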

Images: Verizon/Inky
