- Fake Boots emails reached 8.9 million addresses through a massive phishing campaign
- Hackers used a government website to host their fraudulent Boots checkout page
- Romanian attackers turned a compromised business server into an email distribution platform
Millions of UK shoppers were exposed to a fake Boots promotion after hackers sent emails offering a free beauty sample pack through a large phishing campaign.
The operation used a fake customer survey to collect personal details while directing victims toward a fraudulent checkout process requesting sensitive information.
Researchers from Huntress claim the campaign involved 8,894,920 email addresses and infrastructure connected to Romanian-speaking threat actors.
A fake Boots offer backed by a large phishing operation
The emails appeared to come from Boots and encouraged recipients to complete a short survey in exchange for a beauty sample package and promotional benefits.
The campaign relied on familiar branding to make the message appear legitimate while directing users to a cloned website designed for information collection.
The fake page requested details including names, email addresses, dates of birth, phone numbers, and home addresses before moving on to payment information.
Huntress found that the phishing content was hosted on a compromised Bolivian government website belonging to IPELC, rather than an attacker-controlled domain.
The attackers placed the phishing kit inside a hidden directory on the legitimate government domain to benefit from its existing reputation.
The email campaign was sent using Gammadyne Mailer, a legitimate bulk mailing app that attackers installed on a compromised UK business terminal server.
The server was not used to deploy ransomware or steal files from that business, but instead acted as a…