In an escalation of phishing tactics, threat actors are spoofing the United States Social Security Administration (SSA) to deliver the ConnectWise remote access tool (RAT), a legitimate remote-support product abused here as a backdoor, in a campaign uncovered by Cofense Intelligence. The campaign pairs brand impersonation with evasion techniques to compromise victims' devices and steal sensitive information.
The campaign began in September 2024 and ramped up significantly in November 2024. Its emails mimic official SSA communication, claiming to provide an updated benefits statement and containing a link that appears to lead to an SSA web page. Clicking the link instead downloads a ConnectWise RAT installer; once the victim runs it, the attackers gain remote control of the system.
“The campaign’s emails have evolved since then and now feature more deceptive email spoofing techniques, evasion tactics, and credential phishing attempts,” notes the report.
Attackers use SSA-branded logos and imagery to lend credibility, and pair them with mismatched links: anchor text that reads like an official SSA address while the underlying URL points to an attacker-controlled domain. A recipient who trusts the displayed text rather than the actual destination is led straight to the malicious download.
A particularly effective tactic is one-time payload delivery. The first visit to the malicious link serves the RAT installer; subsequent visits from the same browser are redirected to legitimate SSA pages. The page uses a browser cookie to recognise repeat visits, so a researcher or automated scanner that revisits the URL, or a victim who clicks it a second time, sees only benign content. Practitioners should therefore analyse such links from a fresh browser profile or a client with an empty cookie jar, and treat a second fetch that no longer matches the first as a sign of cloaking rather than as evidence that the link is clean.
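The gate and the check that exposes it, as an added example that is not the campaign's code or the report's. The server function is a reconstruction of the behaviour described above (first visit gets the installer and a cookie, cookie-bearing visits get a redirect to the real site); the URL, cookie name and installer filename are assumptions. The detector fetches twice within one cookie-carrying session and once from a fresh session, which is exactly the comparison a sandbox needs to make instead of trusting a single re-fetch.

```python
"""Cookie-gated payload delivery modelled offline, plus an analyst check for it."""
from dataclasses import dataclass, field
from http.cookies import SimpleCookie

LEGIT_REDIRECT = "https://www.ssa.gov/myaccount/"   # benign page shown to repeat visitors
SEEN_COOKIE = "seen"                                 # assumed cookie name, not from the report


@dataclass
class Response:
    status: int
    headers: dict
    body: bytes = b""


def cloaked_server(request_headers):
    """Model of the attacker's gate (reconstructed, not the real server).
    No cookie: serve the installer and set one. Cookie present: redirect."""
    jar = SimpleCookie(request_headers.get("Cookie", ""))
    if SEEN_COOKIE in jar:
        return Response(302, {"Location": LEGIT_REDIRECT})
    return Response(
        200,
        {
            "Content-Type": "application/x-msdownload",
            "Content-Disposition": 'attachment; filename="Statement.exe"',  # assumed name
            "Set-Cookie": f"{SEEN_COOKIE}=1; Path=/",
        },
        b"MZ...",  # stand-in for the installer bytes
    )


@dataclass
class Session:
    """Minimal cookie-carrying client standing in for one browser profile."""
    cookies: SimpleCookie = field(default_factory=SimpleCookie)

    def get(self, fetch):
        headers = {}
        if self.cookies:
            headers["Cookie"] = self.cookies.output(attrs=[], header="", sep="; ").strip()
        resp = fetch(headers)
        if "Set-Cookie" in resp.headers:
            self.cookies.load(resp.headers["Set-Cookie"])
        return resp


def fingerprint(resp):
    """What an analyst compares between fetches: status, type and redirect target."""
    return (resp.status, resp.headers.get("Content-Type"), resp.headers.get("Location"))


def detect_cookie_cloaking(fetch):
    """Fetch twice in one session, then once from a fresh session.
    Cloaking is indicated when the repeat visit differs from the first
    while a cookie-less fresh session reproduces the first response."""
    session = Session()
    first = fingerprint(session.get(fetch))
    repeat = fingerprint(session.get(fetch))
    fresh = fingerprint(Session().get(fetch))
    return {
        "first": first,
        "repeat": repeat,
        "fresh": fresh,
        "cloaked": first != repeat and fresh == first,
    }


if __name__ == "__main__":
    print(detect_cookie_cloaking(cloaked_server))
```

Against a live URL the same logic maps onto two `requests.Session` objects (one reused, one new); the point is that a single re-fetch from a sandbox that persists cookies will report the benign redirect and miss the installer entirely.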
Once the malware is delivered, victims are often redirected to phishing pages requesting personal and financial information, including:
- Social Security Numbers
- Mother’s maiden name
- Phone carrier PINs
- Credit card details
“By requesting this information, the threat actors can commit identity fraud themselves or sell the information for other threat actors to use,” the report highlights. Fields such as the mother’s maiden name and phone carrier PIN go beyond ordinary credential theft and indicate an intent to perform account takeovers, including porting the victim’s phone number to an attacker-controlled device (a SIM-swap or port-out attack) so that SMS-based verification codes reach the attacker instead.
Earlier iterations of this campaign relied on ConnectWise’s own infrastructure for command-and-control (C2), while later versions point the installer at dynamic DNS hostnames and attacker-hosted domains, which makes the traffic harder to distinguish from legitimate remote-support use by vendor domain alone.
Some emails also contain follow-up prompts, such as an “I Have Opened the File” button, that push victims further into the attack. Clicking the button leads to credential phishing pages, so a victim who has already installed the RAT is additionally asked to hand over personal data.
The report warns, “This intelligence report serves to provide updates on the changing tactics, techniques, and procedures (TTPs) used by this campaign and provide additional in-depth analysis on this threat’s relevance in the current political climate.”