Social Engineering Campaign Targets Auto Dealerships: What You Need to Know

An unknown threat actor suspected to be in Poland has been targeting auto dealerships in a social engineering campaign. Here’s what we know.

How does the campaign work?

The threat actor contacts the auto dealership’s sales team through email communication and provides a malicious link stating they are interested in buying a vehicle. If interacted with, the link downloads a malicious VBScript.

Nuspire was able to obtain a sample of the VBScript and analyze its behavior. If the script is executed, it modifies the victim PC’s browser phishing filter, installs Remcos malware, detects storage devices and attempts to interact with them, likely to execute ransomware

What indicators of compromise (IOCs) were detected?

Indicators of compromise (IOCs) are pieces of data that indicate a potential attack. Here are the specific IOCs for this social engineering campaign:



IP Addresses

Where is this happening?

The victims of known attacks reside in Germany, Slovakia, Hungary and the Czech Republic. While as of writing, there is no known U.S.-focused campaign, these tactics could easily be applied, so it’s important auto dealerships stay vigilant.

What is Nuspire doing?

Nuspire is actively threat hunting client environments for indications of compromise, and will continue to report on any new developments to help you stay ahead of these types of attacks.

What should I do?

Nuspire recommends auto dealerships do the following to protect themselves from these types of social engineering campaigns:

  • Provide your organization with end user awareness training, and make sure to focus on phishing, as that is the main tactic used in this campaign.
  • Look into leveraging an EDR solution with behavior analysis and heuristics to detect malicious behavior and block it.

Have you registered for our next event?