Fake PCI DSS scan alerts

Customers of security firm Trustwave are being targeted by a phishing campaign that masquerades as a PCI DSS compliance scan notification, the company has warned.

The company said the phishers had copied the template of a genuine Trustwave scan notification and used it to lure recipients to sites hosting the Blackhole Exploit Kit, which attacks common Java, Flash and Reader vulnerabilities to infect victims with the Cutwail bot.

As Trustwave notes, Cutwail has been used in recent weeks to impersonate brands such as Facebook, AT&T, Verizon and UPS, standard targets for any phishing gang, although diversifying to specialist security vendors is an interesting development.

Trustwave hasn't said how it detected the emails or what portion of its customer base might have received them, but the obvious target is the retail sector, where merchants must run PCI scans. A spokesperson said it was the first time the company had been impersonated. The main purpose of Cutwail is to recruit more machines for its spam system, but once a system has been compromised, other forms of malware could in principle be installed later.

"This type of campaign is vintage Cutwail, we see variations of this daily. The timing is uncanny; yesterday we released our annual Global Security Report which highlighted Cutwail as a major distributor of malicious spam," said Trustwave.

The clever part of the campaign is that a phishing technique once directed against consumers is now being wielded to get behind the defences of large organisations, where, paradoxically, it has turned out to be hard to defend against. Assuming the email gets through the gateway, the Trustwave phish looks highly convincing to an administrator already expecting such notifications; only the lack of a target name betrays it.

"These realistic-looking malicious spam campaigns are a major threat. Organizations should be looking at multiple defensive layers to counteract this threat, including secure email gateways, secure web gateways, anti-virus, and last but not least, user education," said Trustwave.
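The one concrete tell the article gives is that the forged notification names no target, and the one concrete defence it names is a secure email gateway. The following is an added example of how a gateway-side triage rule could act on that tell; it is not Trustwave's code, and the two sample messages are constructed for illustration rather than copied from the real template. It assumes two things the article does not state: that a genuine notification carries a populated "Target:" field in the body, and that links in a legitimate notice resolve to the vendor's own domain, so a link to any other host is a second red flag.

```python
"""Gateway-style triage of vendor scan notifications (added example).

Two constructed sample messages are embedded below: one mimicking a
genuine notification with a named target and a vendor-hosted link, and
one matching the phish described in the article, which copies the
template but names no target and links to an exploit-kit host.
The "Target:" field and the vendor allowlist are assumptions made for
this example, not details taken from the real template.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumed vendor domains; a real gateway would take these from policy.
VENDOR_DOMAINS = {"trustwave.com"}

# Constructed sample: what a legitimate notification is assumed to look like.
LEGIT_NOTICE = """\
From: Compliance Scanning <noreply@trustwave.com>
To: pci-admin@example-retailer.com
Subject: PCI DSS Scan Results for Example Retailer Inc

Target: Example Retailer Inc
Your quarterly external vulnerability scan has completed.
View the report: https://portal.trustwave.com/reports/12345
"""

# Constructed sample: same template, no target name, off-domain link.
PHISH_NOTICE = """\
From: Compliance Scanning <noreply@trustwave.com>
To: pci-admin@example-retailer.com
Subject: PCI DSS Scan Results

Target:
Your quarterly external vulnerability scan has completed.
View the report: http://scan-results.example.net/report.php?id=12345
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
TARGET_RE = re.compile(r"^Target:[ \t]*(.*)$", re.MULTILINE)


def _body(raw: str) -> str:
    """Return the plain-text body of a single-part RFC 822 message."""
    msg = message_from_string(raw)
    payload = msg.get_payload()
    return payload if isinstance(payload, str) else ""


def target_named(raw: str) -> bool:
    """True if the assumed 'Target:' field in the body is non-empty."""
    m = TARGET_RE.search(_body(raw))
    return bool(m and m.group(1).strip())


def offdomain_links(raw: str) -> list:
    """Hosts of body links that are not on the vendor domain allowlist."""
    bad = []
    for url in URL_RE.findall(_body(raw)):
        host = (urlparse(url).hostname or "").lower()
        on_vendor = any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)
        if not on_vendor:
            bad.append(host)
    return bad


def triage(raw: str) -> dict:
    """Quarantine a notice that names no target or links off-domain."""
    named = target_named(raw)
    bad_hosts = offdomain_links(raw)
    verdict = "deliver" if named and not bad_hosts else "quarantine"
    return {"target_named": named, "offdomain_links": bad_hosts, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("legit", LEGIT_NOTICE), ("phish", PHISH_NOTICE)):
        print(label, triage(sample))
```

Either check alone would catch this particular sample, which is the point of layering them: a phish that fills in a plausible target name still trips the link check, and one that proxies through a vendor-looking host still trips the empty-target check. Neither replaces the web gateway and endpoint controls the article lists, since a message that passes both checks still has to be clicked and the exploit kit still has to land.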