Particle.news

Mimecast Uncovers Escalating Phishing Campaign Targeting UK Visa Sponsors

Mimecast has released a detailed analysis of the evolving phishing tactics used to harvest sponsor credentials and has deployed new defenses for its customers.

Overview

  • The campaign impersonates official Home Office communications to trick licence holders into revealing their Sponsorship Management System login details.
  • Attackers employ CAPTCHA-gated URLs and cloned Sponsorship Management System (SMS) login pages with hotlinked government assets to filter targets and harvest multi-factor authentication codes.
  • Mimecast recorded roughly 8,000 related emails in early July and identified about 2,500 more attacks in the first week of August as the fraud intensified.
  • Harvested credentials are sold on dark-web forums, used to issue fake Certificates of Sponsorship and to run visa and job scams charging victims up to £20,000.
  • Mimecast has activated detection and blocking capabilities for its customers and advises sponsors to adopt MFA, URL rewriting, phishing training and strengthened incident response.