Archives for : PHISHING SCAMS

Google: Our hunt for hackers reveals phishing is far deadlier than data breaches

Phishing attackers just love using Gmail.

Google has released the results of a year-long investigation into Gmail account hijacking, which finds that phishing is far riskier for users than data breaches, because of the additional information phishers collect.

Hardly a week goes by without a new data breach being discovered, exposing victims to account hijacking if they used the same username and password on multiple online accounts.

While data breaches are bad news for internet users, Google’s study finds that phishing is a much more dangerous threat to its users in terms of account hijacking.

In partnership with the University of California Berkeley, Google pointed its web crawlers at public hacker forums and paste sites to look for potential credential leaks. They also accessed several private hacker forums.

The blackhat search turned up 1.9 billion credentials exposed by data breaches affecting users of MySpace, Adobe, LinkedIn, Dropbox and several dating sites. The vast majority of the credentials found were being traded on private forums.

Despite the huge numbers, only seven percent of credentials exposed in data breaches match the password currently being used by its billion Gmail users, whereas a quarter of 3.8 million credentials exposed in phishing attacks match the current Google password.

The study finds that victims of phishing are 400 times more likely to have their account hijacked than a random Google user, a figure that falls to 10 times for victims of a data breach. The difference is due to the type of information that so-called phishing kits collect.

Phishing kits contain prepackaged fake login pages for popular and valuable sites, such as Gmail, Yahoo, Hotmail, and online banking. They’re often uploaded to compromised websites, and automatically email captured credentials to the attacker’s account.

Phishing kits enable a higher rate of account hijacking because they capture the same details that Google uses in its risk assessment when users login, such as victim’s geolocation, secret questions, phone numbers, and device identifiers.

The researchers find that 83 percent of 10,000 phishing kits collect victims’ geolocation, while 18 percent collect phone numbers. By comparison, fewer than 0.1 percent of keyloggers collect phone details and secret questions.

The study finds that 41 percent of phishing kit users are from Nigeria based on the geolocation of the last sign-in to a Gmail account used to receive stolen credentials. The next biggest group is US phishing-kit users, who account for 11 percent.

Interestingly, the researchers found that 72 percent of the phishing kits use a Gmail account to send captured credentials to the attacker. By comparison, only 6.8 percent used Yahoo, the second most popular service for phishing-kit operators. In total, the phishing kits were sending 234,887 potentially valid credentials every week.

Gmail users also represent the largest group of phishing victims, accounting for 27 percent of the total in the study. Yahoo phishing victims follow at 12 percent. However, Yahoo and Hotmail users are the largest group of leaked credential victims, both representing 19 percent, followed by Gmail at 12 percent.

They also found most victims of phishing were from the US, whereas most victims of keyloggers were from Brazil.

The researchers note that two-factor authentication can mitigate the threat of phishing, but acknowledge that ease of use is an obstacle to adoption.

Previous and related coverage

Google’s new Gmail security: If you’re a high-value target, you’ll use physical keys

Google will launch a new service to protect politicians and senior executives from sophisticated phishing attacks.

Gmail Docs phishing attack: Google targets devs with tighter web app ID checks

New manual reviews for web applications may take up to seven days.

Gmail fake Docs attack: Now Google tightens OAuth rules to block phishing

Google vows to do more to prevent a repeat of last week’s fake Docs phishing attack.

Henry Sapiecha

Yet another Cunning Netflix Phish That Just will not Die

The email hits your inbox with an urgent warning: Your Netflix account has been suspended, due to a problem with your billing information. It offers a link, which takes you to what looks very much like a Netflix landing page. It’s not. Instead, it’s a phishing scam that collects extensive personal data on victims. But as with all of the most pernicious phishes, the problem with the Netflix phish isn’t just its convincing look—it’s that whoever’s behind it has found new ways to bypass spam filters over and over again.

While the Netflix phish has garnered recent headlines, it dates back at least to January, when threat researchers at the security firm FireEye first detected it. It prompts victims to type in their username and password, and then presents a form to update their billing information (things like full name, date of birth, address, and phone number). After that, another form asks them to validate their payment method by entering their credit card info. Some versions of the phish even ask for a Social Security number.

Deep Deception

As with many social engineering attacks, its outward simplicity helps ensnare potential victims. Underneath that exterior, though, researchers who have tracked the campaign say that it uses a clever combination of defense measures to make it harder for spam filters, antivirus programs, and phishing scanners to flag.

Richard Hummel, the manager of technical analysis at FireEye, says that he still sees attackers using some of the same subject lines for Netflix phishing emails that they did almost a year ago. “They’re not even varying their tactics all that much,” he says. “What they’re doing is working, it’s successful. Netflix is still one of the common themes that’s used for credential theft. It’s definitely something that’s still ongoing—steady and recurring.”

While the Netflix phish is outwardly straightforward, it does include a lot of clever touches. It replicates a lot of the HTML Netflix uses on its actual website, to make the fake pages look as genuine as possible. The login pages even include autofilling backsplashes that promote Netflix original content. The phishing emails also use a template system, to personalize the messages by autofilling each victim’s name at the beginning.

The evasive maneuvers go even deeper. Some versions of the campaign encrypt user-side HTML in the phishing pages, so scanners can’t inspect the code for malicious components. The phishing pages also have a defense in place where they won’t load for IP addresses that trace back to known internet security monitoring groups, like Google, or the anti-phishing initiative PhishTank. All of this makes it easier for phishers to run the Netflix scam again and again, because their infrastructure hasn’t been flagged on security and spam blacklists.

Most importantly, the Netflix phishers use a well-known technique of compromising legitimate web accounts or web servers, and hosting their phishing pages off of those services. By hosting the pages on sites that have been around for a while and weren’t previously malicious, the attackers buy time on URLs that have credibility (known online as a good reputation score) and won’t be flagged by security scanners. Analysts at the email scanning and security group MailGuard found that in this go-around the Netflix phishers have been using compromised WordPress blogs to host their malicious pages.

This type of approach can be used to launch phishing attacks based off of all different brands and services. Aaron Higbee, CTO of the phishing defense firm PhishMe, says the company has tracked the same types of phishing campaign infrastructure to impersonate brands like Chase, Comcast, TD Bank, and Wells Fargo. And he notes that the system can perpetuate itself. Some of the stolen credentials attackers get out of the scam may include reused credentials for accounts and web servers that the phishers can then compromise and use to launch more attacks.

Safety Steps

The good news is that users can protect themselves by following the standard advice about phishing. To confirm who really sent an email, click on the downward arrow next to the sender’s name in Gmail. It’ll expand to show the full info. Hover over any links to confirm that they lead to the URLs they claim. Make account changes by navigating, on your own, to a site itself, and log in there instead of going through an email link. Don’t reuse passwords. And view any emails that push you to act right away with suspicion.

“Unfortunately, these scams are common on the internet and target popular brands such as Netflix and other companies with large customer bases to lure users into giving out personal information,” Netflix said in a statement.

There’s a lot at stake. Researchers say that the Netflix phishers also likely sell the victim data they collect to dark-web processors looking for bulk data, credit card numbers, and even just active Netflix accounts that they can resell for a few dollars.

“There are a number of motives here,” Higbee says. “And I know I’m going to sound like a broken record, but if your email address password is the same as your entertainment passwords you’re really setting yourself up for disaster. Your email address password needs to be different even if you don’t vary all your passwords. That alone will prevent a lot of damage.”

You might as well commit those tips to memory—especially with an attack like the Netflix phish that’s been around for months, and isn’t slowing down.

Henry Sapiecha

COMMONWEALTH BANK SLANT ON SMS & EMAIL SCAMS AUSTRALIA

Hoax alert

From time to time, we send emails and text messages (SMS) to our customers to update them with important information. Sometimes, fraudsters may send you “hoax” messages that appear to come from us, in order to trick you into revealing sensitive information. That’s why it’s important to remember that we will never send you a message asking you to confirm, update or disclose your personal or banking information. To help keep your account and personal information safe, here are some examples of hoax email/SMS, and what you should do if you receive one.

How to spot a scam

SMiShing

Pronounced ‘smishing’, they are SMS messages that attempt to direct you (via a link) to a fraudulent website and request you to input your personal information. These messages typically include an urgent call to action – such as to re-verify or unfreeze an account that is ‘suspended’ or set to ‘expire’ or to claim a tax refund. SMiShing campaigns targeted at our customers would typically link to a site that asks for your client number, NetBank password, card number or PIN. The hoax SMS may try to pass itself off as a legitimate message from the bank by including our contact number, and may also spoof (fake) our sender label/ID so that the ‘from’ field reads ‘CommBank’ or ‘NetBank’.

Tips to avoid SMS scams:

  • Commonwealth Bank will never send an SMS that asks you to confirm, update or disclose personal or banking information, and most financial institutions follow the same practice. Never click on a link provided in such an SMS.
  • Instructions on how to send these messages to Commonwealth Bank for further investigation are listed below.

Phishing

Pronounced ‘fishing’, phishing uses emails to trick people into entering their personal information, such as bank account details, on a website controlled or monitored by the attacker. The fraudster can then use this information for illegal purposes, such as transferring funds or purchasing goods. Phishing emails are often designed to imitate your most trusted service providers – a bank, cloud service provider or other financial institution – and may include links to a convincing replica home page.

Tips to avoid email scams:

  • We will never send messages via email that ask you to confirm, update or disclose personal or banking information, and most financial institutions follow the same practice.
  • Hard as they might try, these emails don’t always get the branding and design of your service provider quite right. If you’re in any way unsure about a message that purports to be from an organisation you transact with, compare it to previous correspondence from the same organisation.
  • If you’re still unsure, contact the organisation directly using a phone number from their website (not from the email) before you reply.
  • Never open an attachment that you’re unsure about as it may contain malicious software designed to infect your computer.
  • You can typically check that links in emails are legitimate by ‘hovering’ your mouse over the link to view the destination URL (web address), without risking having to click it. On your smartphone, you need to tap and hold on the link and wait for the URL to appear.
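The hover check in the last tip, and the "hover over any links" advice in the Netflix article above, can be automated for a whole message. The following Python script is an added example written for this page; it is not code from the bank or from any of the articles reproduced here. It parses the HTML body of an email, pulls out every link, and flags the cases a careful reader would distrust: visible link text that advertises one host while the link goes to another, a raw IP address in place of a hostname, a brand name buried inside an unrelated host, and any link outside the domains the message claims to come from. The `TRUSTED_DOMAINS` list and the sample message are constructed for the example and are not real phishing content.

```python
"""Flag suspicious links in an HTML email body (constructed example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the message purports to come from. Constructed for this example;
# a real deployment would key this off the claimed sender or brand.
TRUSTED_DOMAINS = ("netflix.com", "commbank.com.au")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())
            self.anchors.append((self._href, visible))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL; a bare 'www.x.com/path' is accepted too."""
    url = url.strip()
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def under(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


# A domain-looking token inside the visible anchor text, e.g. "www.netflix.com/x".
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def check_links(html, trusted=TRUSTED_DOMAINS):
    """Return a list of (href, reason) for links a reader should distrust."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        host = host_of(href)
        # 1. The text shows one host, the link actually goes somewhere else.
        shown = _DOMAIN_IN_TEXT.search(text)
        if shown and not under(host, shown.group(1).lower()):
            findings.append((href, "display-host-mismatch"))
            continue
        # 2. A numeric IP address instead of a hostname.
        if _IPV4.match(host):
            findings.append((href, "ip-literal-host"))
            continue
        # 3. The brand's name embedded in a host that is not the brand's domain.
        if any(not under(host, d) and d.split(".")[0] in host for d in trusted):
            findings.append((href, "lookalike-host"))
            continue
        # 4. Anything else outside the domains the message claims to be from.
        if not any(under(host, d) for d in trusted):
            findings.append((href, "untrusted-host"))
    return findings


# Constructed sample message: one genuine link and four that should be flagged.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been suspended.</p>
<p><a href="https://www.netflix.com/account">www.netflix.com/account</a></p>
<p><a href="http://netflix.com.billing-update.example/verify">https://www.netflix.com/billing</a></p>
<p><a href="https://secure-netflix-login.example/nf">Update payment method</a></p>
<p><a href="http://203.0.113.5/nf/login">Sign in</a></p>
<p><a href="https://mailer.example.net/u/123">Unsubscribe</a></p>
"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"{reason:22s} {href}")
```

The checks are deliberately simple heuristics: there is no public-suffix list, so `under()` treats any suffix match as a subdomain, and the brand-name test only looks at the first label of each trusted domain. That is enough to reproduce what a human does when hovering over a link, and to triage a message before anyone clicks, but it is not a substitute for a mail gateway's URL reputation checks.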
Do not open this text message from the Commonwealth bank ‘supposedly’

THE Commonwealth Bank is warning customers not to respond to a text message which instructs them to log into their accounts via a link provided as part of a phishing scam.

The messages have reportedly been delivered to hundreds of the bank’s customers in a series of hoax emails and SMS messages circulating throughout Australia.

Recipients were advised to “log into your account center (sic) for verifiacation (sic)” by using a link included in the hoax messages.

These clowns are scamming an Australian bank’s customers using the American spelling of ‘CENTRE’.

CommBank responded to online queries regarding the text messages.

“Yes this is a phishing text, where the sender is trying to get information on your banking,” a CommBank statement read.

“Please forward this text to hoax@cba.com.au the Security team can take it from there.

“So long as you have not entered your information then your accounts will be safe.”

Protected computers will display this warning message when recipients of the CommBank scam text message try to follow the link provided in a text message.

Earlier, the bank issued another statement which revealed it was “aware of a number of hoax emails and SMSs currently in circulation”.

“Remember, we’ll never send you anything that asks you to provide your NetBank client number, password, NetCode SMS, credit card details or send you an unexpected attachment,” it read.

“Hoaxes are becoming more sophisticated and can look very convincing.

“Please be sure to share this with any friends or relatives so they stay safe online.”

The fake CommBank text comes after ANZ customers were being advised to take extra caution after the discovery of a very convincing scam.

The fake ANZ Bank email advised recipients that their ‘last payment was unsuccessful’ and prompts them to login, where cyber criminals can steal their credentials.

Cyber security company MailGuard believed the scam email from August had already been sent to a very large number of inboxes.

“The email, from a display name of ANZ internet Banking and sender email address of customer.data@anz.com, claims that ANZ have been unable to contact you, and asks customers to click to update their phone number,” MailGuard warned in a blog post.

“When recipients click through they arrive on a well-crafted ANZ internet Banking landing page where they are prompted to login, so doing handing over their Customer Registration Number (CRN) and Password.”

ANZ said customers should delete the email immediately, and contact the helpdesk immediately if they have clicked on any links, downloaded any attachments, responded to the hoax email, SMS or phone call with their banking details, or noticed any unusual payments.

Henry Sapiecha

Phishing? How to protect yourself from scam emails and much more

Don’t click on that email! Find everything you need to know in this phishing guide including how to protect yourself from one of the most common forms of cyber attack.

What is phishing?

Phishing is one of the easiest forms of cyber attack for a criminal to carry out, but one which can provide these crooks with everything they need to infiltrate every aspect of their targets’ personal and working lives.

Usually carried out over email – although the scam has now spread to social media, messaging services and apps – a basic phishing attack attempts to trick the target into doing what the scammer wants. That might be handing over passwords to make it easier to hack a company, or altering bank details so that payments go to fraudsters instead of the correct account.

The aim and the precise mechanics of the scams vary: victims might be tricked into clicking a link through to a fake webpage with the aim of persuading the user to enter personal information. Other campaigns involve tricking users into downloading and installing malware – for a stealthier approach to theft – or inadvertently installing ransomware, providing the attacker with much more immediate profit.

More complex phishing schemes can involve a long game, with hackers using fake social media profiles, emails and more to build up a rapport with the victim over months or even years in cases where specific individuals are targeted for specific data which they would only ever hand over to people they trusted.

That data can be as simple as an email address and password, to financial data such as credit card details or online banking credentials or even personal data such as date of birth, address and a social security number.

In the hands of hackers, all of that can be used to carry out fraud, be it identity theft or using stolen data to buy things or even selling people’s private information on the dark web. In some cases, it’s done for blackmail or to embarrass the victim.

In other cases, phishing is one of the tools used for espionage or by state-backed hacking groups to spy on opponents and organisations of interest.

And anyone can be a victim, ranging from the Democratic National Committee, to critical infrastructure, to commercial businesses and even individuals.

Whatever the ultimate goal of the attack, phishing revolves around scammers tricking users into giving up data or access to systems in the mistaken belief they are dealing with someone they know or trust.

How does a phishing attack work?

A basic phishing attack attempts to trick a user into entering personal details or other confidential information, and email is the most common method of performing these attacks.

The sheer number of emails sent every single day means that it’s an obvious attack vector for cyber criminals. It’s estimated that 3.7 billion people send around 269 billion emails every single day.

Researchers at Symantec suggest that almost one in every 2,000 of these emails is a phishing email, meaning around 135 million phishing attacks are attempted every day.

Most people simply don’t have the time to carefully analyse every message which lands in their inbox – and it’s this which phishers look to exploit in a number of ways.

Scams vary in their targets – some are aiming at unwary consumers. Here, their email subject line will be designed to catch the victim’s eye – common phishing campaign techniques include offers of prizes won in fake competitions such as lotteries or contests by retailers offering a ‘winning voucher’.

In this example, in order to ‘win’ the prize, the victims are asked to enter their details such as name, date of birth, address and bank details in order to claim. Obviously, there’s no prize and all they’ve done is put their personal details into the hands of hackers.

A young woman is overjoyed by message on her tablet computer stating she has won a prize, not realizing it is a scam.

Similar techniques are used in other scams in which attackers claim to be from banks looking to verify details, online shops attempting to verify non-existent purchases or sometimes — even more cheekily — attackers will claim to be from tech security companies and that they need access to information in order to keep their customers safe.

Other scams, usually more sophisticated, aim at business users. Here attackers might also pose as someone from within the same organisation or one of its suppliers and will ask you to download an attachment which they claim contains information about a contract or deal.

In many cases the file will unleash malicious software onto the system. Often it will harvest personal data, but it is also frequently used to deploy ransomware or rope systems into a botnet.

Attackers will often use high-profile events as a lure in order to reach their end goals. For example, a major campaign used the lure of the 2016 Olympic Games to help distribute malware in the run up to the event.

In many cases the malicious payload will be hidden inside a Microsoft Office document which requires the user to enable macros to run. The payload will trick the victim into enabling them by claiming that an update needs to be installed or permissions need to be given to allow the document to be viewed properly. But if users allow the payload to run, they and their company are likely to be in big trouble.

Why is phishing called phishing?

The overall term for these scams — phishing — is a modified version of ‘fishing’ except in this instance the fisherman is the cyber attacker and they’re trying to catch you and reel you in with their sneaky email lure.

It’s also likely a reference to hacker history: some of the earliest hackers were known as ‘phreaks’ or ‘phreakers’, and the spelling is probably a nod to that.

When did phishing begin?

The consensus is the first example of the word phishing occurred in the mid-1990s with the use of software tools like AOHell which attempted to steal AOL user names and passwords.

These early attacks were successful because it was a new type of attack, something users hadn’t seen before. AOL provided warnings to users about the risks, but phishing remained successful and it’s still here over 20 years on. In many ways, it has remained very much the same for one simple reason – because it works.

How did phishing evolve?

While the fundamental concept of phishing hasn’t changed much, there have been tweaks and experimentations across two decades as technology and how we access the internet has changed. Following the initial AOL attacks, email became the most appealing attack vector for phishing scams as home internet use took off and a personal email address started to become more common.

Many early phishing scams came with tell-tale signs that they were not legitimate – including strange spelling, weird formatting, low-res images and messages which often didn’t make complete sense. Nonetheless, in the early days of the internet, people knew even less about potential threats which meant that these attacks still found success – many of these are still effective.

Some phishing campaigns remain really, really obvious to spot – like the prince who wants to leave his fortune to you, his one long-lost relative – but others have become so advanced that it’s virtually impossible to tell them apart from authentic messages. Some might even look like they come from your friends, family, colleagues or even your boss.

What’s the cost of phishing attacks?

It’s hard to put a total cost on the fraud that flows from phishing scams, but earlier this year the FBI suggested that the impact of such scams could be costing US business somewhere around $5bn a year, with thousands of companies hit by scams every year.

One example of a high profile incident: in July 2017 MacEwan University in Edmonton, Alberta, Canada fell victim to a phishing attack.

“A series of fraudulent emails convinced university staff to change electronic banking information for one of the university’s major vendors. The fraud resulted in the transfer of $11.8 million to a bank account that staff believed belonged to the vendor,” the university said in a statement.

What types of phishing scams are there?

The ‘spray and pray’ is the least sophisticated type of phishing attack, whereby basic, generic messages are mass-mailed to millions of users. These are the ‘URGENT message from your bank’ and ‘You’ve won the lottery’ messages which look to panic victims into making an error — or blind them with greed.

Schemes of this sort are so basic that there’s often not even a fake webpage involved – victims are often just told to respond to the attacker via email. Sometimes emails might play on the pure curiosity of the victim, simply appearing as a blank message with a malicious attachment to download. This is the way Locky ransomware is spread and it’s one of the most effective forms of the file-encrypting malware around.

A simple Locky distribution phishing email – it looks basic, but if it didn’t work, attackers wouldn’t be using it.

These attacks are mostly ineffective, but the sheer number of messages being sent out means that there will be people who fall for the scam and inadvertently send details to cyber attackers who’ll exploit the information in any way they can.

What is spear phishing?

Spear phishing is more advanced than a regular phishing message and aims at specific groups or even particular individuals. Instead of vague messages being sent, criminals design them to target anything from a specific organisation, to a department within that organisation or even an individual in order to ensure the greatest chance that the email is read and the scam is fallen for.

It’s these sorts of specially crafted messages which have often been the entry point for a number of high profile cyber attacks and hacking incidents.

At a consumer level, it can be designed to look like an update from your bank, it could say you’ve ordered something online, it could relate to any one of your online accounts. Hackers have even been known to seek out victims of data breaches and pose as security professionals warning victims of compromise – and that targets should ensure their account is still secure by entering their account details into this handy link.

While spear phishing does target consumers and individual internet users, it’s much more effective for cyber criminals to use it as a means of infiltrating the network of a target organisation.

Lure document used in a ransomware attack against a hospital – attackers used official logos and names to make the email and the attachment look legitimate.

This particular type of phishing message can come in a number of forms including a false customer query, a false invoice from a contractor or partner company, a false request to look at a document from a colleague, or even in some cases, a message which looks as if it comes directly from the CEO or another executive.

Rather than being a random message, the idea is to make it look as if it has come from a trusted source, and coax the target into either installing malware or handing over confidential credentials or information. These scams take more effort but there’s a bigger potential payback for crooks too.

What is CEO fraud?

CEO fraud is a very specific type of phishing campaign which usually targets staff in the financial or human resources department of a business.

The target receives an email from the attacker which is disguised to look as if it comes from the CEO of the company or some other high-level executive and – sometimes after a period of small talk to build up trust – it requests an urgent transfer of money to a particular account.

CEO fraud sees attackers posing as executives and sending multiple messages back and forth with victims. Image: Trend Micro

Usually some sort of business reason is given, such as the funds being required for a new contract or something similar. Of course, this message isn’t from the CEO at all and the account doesn’t belong to anyone within the company, but rather to the attacker, who has made off with a significant sum before the victim understands what is going on.

It’s thought that at least $5 billion has been lost as a result of this particular form of phishing scam and law enforcement has warned that it continues to rise.

Other types of phishing attacks

While email still remains a large focus of attackers carrying out phishing campaigns, the world is very different to how it was when phishing first started. No longer is email the only means of targeting a victim as the rise of mobile devices, social media and more have provided attackers with a wider variety of vectors to use for attacking victims.

Social media phishing

With billions of people around the world using social media services such as Facebook, LinkedIn and Twitter, attackers are no longer restricted to using one means of sending messages to potential victims.

Some attacks are simple and easy to spot: a Twitter bot might send you a private message containing a shortened URL which leads to something bad such as malware or maybe even a fake request for payment details.

But there are other attacks which play a longer game. A common tactic used by phishers is to pose as a person – often an attractive woman – using photos ripped from the internet, be it stock imagery or someone’s public profile. Often these are just harvesting Facebook ‘friends’ for some future nefarious means and don’t actually interact with the target.

However, sometimes plain old catfishing comes into play, with the attacker establishing a dialogue with the (often male) target – all while posing as a fake persona.

The ‘Mia Ash’ social media phishing campaign saw attackers operate a fake social media presence as if the fake persona was real. Image: SecureWorks

After a certain amount of time – it could be hours, it could be months – the attacker might concoct a false story and ask the victim for details of some kind such as bank details, information, even login credentials, before disappearing into the ether with their gains.

These campaigns can be completely random, but some are specifically targeted with hackers running an entire online persona of a fake person across multiple social media sites in order to look like an authentic, real living person.

One campaign of this nature targeted individuals in organisations in the financial, oil and technology sectors with advanced social engineering based around a single, prolific social media persona that was absolutely fake.

Those behind ‘Mia Ash’ are thought to have been working on behalf of the Iranian government and tricked victims into handing over login credentials and private documents.

SMS and mobile phishing

The rise of mobile messaging services – Facebook Messenger and WhatsApp in particular – has given phishers another method of attack, and because the smartphone is in the victim’s pocket, the victim is almost immediately reachable.

Attackers don’t even need email or instant messaging apps to distribute malware or steal credentials: the internet-connected nature of the modern phone makes plain text messages an effective attack vector too.

An SMS phishing – or smishing – attack works in much the same way as an email attack, presenting the victim with a fraudulent offer or fake warning as the incentive to click through to a malicious URL.

Text messages offer another attack vector to criminals. Image: Action Fraud

The nature of text messaging means the smishing message is short and designed to grab the victim’s attention, often with the aim of panicking them into tapping the phishing URL. A common smishing tactic is to pose as a bank and falsely warn that the victim’s account has been closed, had money withdrawn from it or is otherwise compromised.

The truncated message often gives the victim too little to go on to realise it is fraudulent, especially since a text message offers few of the tell-tale signs of an email: there is no sender address to inspect, only a phone number or an alphanumeric sender name, and both can be spoofed.

Once the victim has clicked on the link, the attack works in the same way as a regular phishing attack, with the victim duped into handing over their information and credentials to the perpetrator.

How to spot a phishing attack

The whole point of a phishing attack is to use deception to trick victims into compromising themselves, whether by installing malware on the network, handing over login credentials or parting with financial data.

While at its heart phishing remains one of the most basic forms of cyber attack, the simple fact of the matter is that it works – and it’s been working for over two decades.

While many in the information security sector might raise an eyebrow at the lack of sophistication of some phishing campaigns, it’s easy to forget that there are billions of internet users – and every day there are people accessing the internet for the first time.

Large swathes of internet users therefore won’t even be aware of the threat of phishing, let alone that they might be targeted by it – why would they suspect that the message in their inbox isn’t from the organisation, or even the friend, it claims to be from?

But while some phishing campaigns are so sophisticated and carefully crafted that the message looks entirely authentic, less advanced campaigns have some key give-aways that make an attempted attack easy to spot.

Signs of phishing: Poor spelling and grammar

Many of the less professional phishing operators still make basic errors in their messages – notably when it comes to spelling and grammar.

Official messages from any major organisation are unlikely to contain bad spelling or grammar, let alone repeated instances throughout the body – so poorly written messages should act as an immediate warning that the message might not be legitimate.

It’s common for attackers to use a service like Google Translate to translate the text from their own first language, but despite the popularity of such services, they still struggle to make messages sound natural.

Shortened or odd URLs in phishing emails

It’s very common for phishing emails to coerce the victim into clicking through to a malicious or fake website.

Many phishing attacks invite the victim to click through to an official-looking URL. But if the user takes a second to examine the link more closely – hovering the pointer over it on a desktop, or long-pressing it on a phone to preview the destination – they will often find that while the link text looks legitimate, the actual web address is different.

In some instances, it can simply be a shortened URL, whereby the attackers hope the victim won’t check the link at all and just click through. In other instances, attackers will take a minor variation on a legitimate web address and hope the user doesn’t notice.

Attackers tried to take advantage of the Blizzard data breach by sending phishing emails claiming to be from Blizzard about account security

For example, one campaign targeted online gamers after game developer Blizzard was hacked. Attackers spammed messages claiming that the victim’s World of Warcraft account had been compromised in the breach and asked them to click a link and enter their details to secure it. The malicious link differed from the real URL by a single character: the L in ‘World’ had been switched to a 1.

Ultimately, if you are suspicious of a URL in an email, hover over it to examine the destination address and, if it looks fake, don’t click. Check that it is exactly the URL you would expect, not one that looks similar but differs by a character or two – and if in doubt, type the organisation’s address into the browser yourself rather than following the link.
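
The checks described above can be automated. The following is an added example, not code from the article: it parses the links out of an HTML email body, compares the host shown in the link text with the host the href really points to, flags known URL shorteners, and flags a destination that matches the expected host only once common look-alike character swaps (the ‘World’ versus ‘Wor1d’ trick) are undone. The sample HTML, the shortener list and the expected host `worldofwarcraft.com` are constructed assumptions.

```python
"""Added example, not code from the article: inspect the links in an HTML e-mail body.

For each <a> tag it compares the host shown in the link text with the host the
href really points to, flags known URL shorteners, and flags a destination host
that matches the expected host only after undoing common look-alike character
swaps (the 'World' vs 'Wor1d' trick). Sample HTML, the shortener list and the
expected host 'worldofwarcraft.com' are constructed assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of shortening services; extend it from your own threat intel.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Digits and letter pairs that attackers substitute for visually similar ones.
CONFUSABLE_CHARS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalise_host(host):
    """Map look-alike characters to the letters they imitate."""
    host = host.lower().translate(CONFUSABLE_CHARS)
    for fake, real in CONFUSABLE_PAIRS:
        host = host.replace(fake, real)
    return host


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Host part of a URL; bare text such as 'example.com/path' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def check_link(href, text, expected_host):
    """Return a list of findings for one link (empty means nothing suspicious)."""
    findings = []
    real = host_of(href)
    expected = expected_host.lower()
    # 1. Link text that looks like a URL but points somewhere else.
    if re.search(r"[a-z0-9-]+\.[a-z]{2,}", text, re.I):
        shown = host_of(text)
        if shown and shown != real:
            findings.append(f"link text shows {shown} but href goes to {real}")
    # 2. Shorteners hide the destination entirely.
    if real in SHORTENERS:
        findings.append(f"href uses URL shortener {real}")
    # 3. Not the expected host (or a subdomain of it), yet identical once look-alikes are undone.
    on_expected = real == expected or real.endswith("." + expected)
    if not on_expected and normalise_host(real) == normalise_host(expected):
        findings.append(f"{real} is a look-alike of {expected}")
    return findings


def scan_html(body, expected_host):
    """Map every href in the body to its findings."""
    parser = _LinkCollector()
    parser.feed(body)
    return {href: check_link(href, text, expected_host) for href, text in parser.links}


# Constructed sample in the style of the Blizzard lure described above.
SAMPLE_BODY = """
<p>Your World of Warcraft account was accessed from a new location.</p>
<p>Secure it now: <a href="http://wor1dofwarcraft.com/secure">https://worldofwarcraft.com/account</a></p>
<p>Or use our short link: <a href="https://bit.ly/3abcXYZ">click here</a></p>
<p>Help: <a href="https://worldofwarcraft.com/help">support</a></p>
"""

if __name__ == "__main__":
    for href, findings in scan_html(SAMPLE_BODY, "worldofwarcraft.com").items():
        print(href, "->", findings or "ok")
```

The look-alike test is deliberately conservative: it only fires when the destination becomes identical to the expected host after the substitutions, so a genuine subdomain such as `us.worldofwarcraft.com` passes while `wor1dofwarcraft.com` does not. A production filter would add Unicode confusables (Cyrillic ‘а’ for Latin ‘a’, for instance) and punycode handling on top of this ASCII table.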

A strange or mismatched sender address

You receive a message that looks to be from an official company account. The message warns you that there’s been some strange activity using your account and urges you to click the link provided to verify your login details and the actions which have taken place.

The message looks legitimate, with good spelling and grammar, the correct formatting and the right company logo, address and even contact email address in the body of the message. But what about the sender address?

In many instances the phisher doesn’t bother to forge a convincing address and simply hopes readers won’t check, so the sender address will be a random-looking string rather than an official domain. Bear in mind, though, that the visible From address can be forged: only when the claimed domain publishes SPF, DKIM and DMARC records and the receiving mail server enforces them is a forged address reliably rejected, so a correct-looking sender is a necessary check, not a sufficient one.

Another trick is to make the sender address look almost exactly like the company’s – for example, one campaign claiming to be from ‘Microsoft’s Security Team’ urged customers to reply with personal details to ensure they weren’t hacked. However, there is no division of Microsoft with that name – and it certainly wouldn’t be based in Uzbekistan, where the email was sent from.

Keep an eye on the sender address to ensure that the message is legitimately from who it says it is.
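
As an added example (not code from the article), the following parses a raw message with Python’s standard library and checks the things a reader would check by eye, plus two that are only visible in the headers: whether the organisation named in the display name actually owns the From domain, whether Reply-To or the envelope sender (Return-Path) point somewhere else, and whether the receiving server already recorded an SPF, DKIM or DMARC failure. The two messages, the sender domains and the brand-to-domain allowlist are constructed assumptions.

```python
"""Added example, not code from the article: check who a message really comes from.

The raw message is parsed with the standard library; the From: domain is then
compared against the organisation named in the display name, the Reply-To:
domain, the Return-Path: (envelope sender) and any verdict the receiving server
left in Authentication-Results. The messages, the sender domains and the
brand-to-domain allowlist are constructed assumptions.
"""
import email
from email.utils import parseaddr

# Assumed allowlist: which domains may legitimately send mail for each brand name.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "accountprotection.microsoft.com"},
}


def domain_of(header_value):
    """Domain of the first address in a header value, or '' if there is none."""
    _, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()


def _owned_by(domain, domains):
    return any(domain == d or domain.endswith("." + d) for d in domains)


def assess_sender(raw_message):
    """Return a list of findings about the sender; empty means the headers are consistent."""
    msg = email.message_from_string(raw_message)
    display_name, from_address = parseaddr(msg.get("From", ""))
    from_domain = from_address.rpartition("@")[2].lower()
    findings = []

    # 1. Display name claims a brand the address domain does not belong to.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and not _owned_by(from_domain, domains):
            findings.append(f"display name claims {brand!r} but address domain is {from_domain}")

    # 2. Replies would go somewhere other than the apparent sender.
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Envelope sender differs from the visible From.
    return_domain = domain_of(msg.get("Return-Path"))
    if return_domain and return_domain != from_domain:
        findings.append(f"Return-Path domain {return_domain} differs from From domain {from_domain}")

    # 4. The receiving server's own SPF/DKIM/DMARC verdict, if it recorded one.
    auth = " ".join((msg.get("Authentication-Results") or "").split()).lower()
    if any(tag in auth for tag in ("spf=fail", "dkim=fail", "dmarc=fail")):
        findings.append(f"receiving server recorded an authentication failure: {auth}")
    return findings


# Constructed lure in the style of the 'Microsoft Security Team' campaign described above.
SCAM_MESSAGE = """\
From: "Microsoft Security Team" <security@alerts-uz.example>
Reply-To: verify@mailbox-collect.example
Return-Path: <bounce@alerts-uz.example>
Authentication-Results: mx.receiver.example; spf=fail smtp.mailfrom=alerts-uz.example; dmarc=none
To: victim@example.com
Subject: Unusual sign-in activity

We detected unusual activity. Reply with your password so we can confirm it is you.
"""

# Constructed message whose headers are consistent with each other.
LEGIT_MESSAGE = """\
From: "Microsoft account team" <account-security-noreply@accountprotection.microsoft.com>
Return-Path: <account-security-noreply@accountprotection.microsoft.com>
Authentication-Results: mx.receiver.example; spf=pass; dkim=pass; dmarc=pass
To: user@example.com
Subject: New sign-in to your account

If this was you, no action is needed.
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, assess_sender(raw) or ["no findings"])
```

Note that the Authentication-Results check trusts whatever header arrived with the message; in a real gateway you would only honour the header added by your own inbound server and strip any copy a sender supplied.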

The message looks strange and too good to be true

Congratulations! You’ve just won the lottery/free airline tickets/a voucher to spend in our store – now just provide us with all of your personal information including your bank details to claim the prize. As is the case with many things in life, if it seems too good to be true, it probably is.

In many cases, phishing emails that aim to distribute malware arrive as a blank message with an attachment – never opening a mysterious, unsolicited attachment is a very good rule for not falling victim.

Even if the message is more fleshed out and appears to come from someone within your organisation, if you think it might not be legitimate, confirm with the apparent sender through another channel – over the phone or in person rather than by replying to the email – that they really did send it.

How to protect against phishing attacks

Training, training and more training. It might seem like a simple idea, but training is effective. Teaching staff what to look out for when it comes to a phishing email can go a long way to protecting your organisation from malicious attacks.

Exercises such as letting staff make errors – and, crucially, learn from them – in a protected sandbox environment, or running authorised phishing simulations against employees, both help alert users to potential threats and how to spot them.

At a technical level, preventing macros from running on computers in your network can play a big part in protecting employees from attacks. Macros aren’t designed to be malicious – they are small programs embedded in Office documents to automate repetitive tasks.

Documents dropped by phishing attacks often ask the victim to enable macros so that the malicious payload can run. Image: Digital Guardian

However, the same mechanism can be abused by attackers to execute malicious code and drop malware payloads, which is why so many malicious documents nag the victim to click ‘Enable Content’.

Newer versions of Office block macros by default, at least in documents that came from the internet, but it’s worth checking that this is the case for every computer on your network – ideally by enforcing the setting centrally through Group Policy rather than relying on each user’s defaults. It acts as a major barrier to phishing emails attempting to deliver a malicious payload.
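
Disabling macros on the endpoint is one layer; another is to spot macro-carrying attachments before they reach the inbox. The following is an added example (not code from the article): modern Office files are ZIP packages, and a macro-enabled one carries a `vbaProject.bin` part and declares a `macroEnabled` content type in `[Content_Types].xml`, so a gateway can test for macros without trusting the file extension the sender chose. The two sample documents are built in memory here and are deliberately minimal, not real Office output.

```python
"""Added example, not code from the article: flag Office attachments that carry VBA macros.

Modern Office files (.docx, .docm, .xlsx, .xlsm, ...) are ZIP archives. A
macro-enabled document contains a vbaProject.bin part and declares a
'macroEnabled' content type in [Content_Types].xml, so a mail gateway can spot
macros without trusting the file extension the sender chose. The two sample
documents are built in memory here and are deliberately minimal.
"""
import io
import zipfile

DOC_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
DOCM_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"


def has_vba_macros(data):
    """Return (flagged, reason) for the raw bytes of an attachment."""
    if not data.startswith(b"PK"):
        return False, "not a zip-based (OOXML) document"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # The macro code itself lives in vbaProject.bin, wherever it sits in the package.
            if any(name.lower().endswith("vbaproject.bin") for name in names):
                return True, "package contains a vbaProject.bin part"
            if "[Content_Types].xml" not in names:
                return False, "zip without [Content_Types].xml is not an Office document"
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if "macroEnabled" in types_xml:
                return True, "content types declare a macro-enabled document"
    except zipfile.BadZipFile:
        return False, "corrupt zip archive"
    return False, "no macro indicators found"


def build_sample_document(with_macros):
    """Build a minimal constructed .docx/.docm package in memory (not real Office output)."""
    main_type = DOCM_MAIN if with_macros else DOC_MAIN
    vba_override = (
        '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        if with_macros else ""
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        f"{vba_override}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # A real vbaProject.bin is an OLE2 compound file; only its magic bytes are reproduced here.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("docm", build_sample_document(True)), ("docx", build_sample_document(False))):
        print(label, has_vba_macros(blob))
```

The check looks at the package, not the name, so a `.docm` renamed to `.docx` is still caught. Legacy binary formats (`.doc`, `.xls`) are OLE2 files rather than ZIPs and need a different parser; a gateway that only runs this check should quarantine those formats outright or inspect them with a dedicated OLE tool.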

The future of phishing

It may have been around for almost twenty years, but phishing remains a threat for two reasons: it’s simple to carry out – even for one-person operations – and it works, because plenty of people on the internet are still unaware of the threats they face. And even the most sophisticated users can be caught out from time to time.

For seasoned security personnel or technologically savvy people, it might seem strange that anyone could fall for ‘You’ve won the lottery’ or ‘We’re your bank, please enter your details here’.

But there are billions of people in the world who don’t regularly use the internet or are just unaware that the internet is something which criminals might use to target them. Unfortunately, criminals are there looking to scam and deceive people and it’s easiest to do it to people who are naive or overly trusting. And the low cost of phishing campaigns and the extremely low chances of scammers getting caught means it remains a very attractive option for fraudsters.

Because of this, phishing will continue as cyber criminals look to profit from stealing data and dropping malware in the laziest way possible. But it can be stopped: by knowing what to look for and by training staff, you can make it far less likely that your organisation becomes a victim.

Henry Sapiecha

Phishing scam targets National Australia Bank customers with fake website

NAB online banking customers are the latest target of an email scam that tells victims their account has been disabled before prompting them to enter their password into a fake website.

The email sent to NAB customers tells recipients their bank account has been disabled and prompts them to click a link to reactivate their account.

The email sent by scammers. Photo: Mailguard

The link takes the recipient to a very realistic, but fake, copy of NAB’s banking website, which is designed to harvest the victim’s account ID and password.

NAB said late on Thursday night that the fake website had been removed.

A screen shot of the fake website through which scammers try to obtain online banking details. Photo: Mailguard

A NAB spokeswoman said the bank had issued a take-down notice to have the fake website removed after it became aware of the scam.

“We remind customers, NAB will never ask you to confirm, update or disclose personal or banking information via email or text,” she said.

The email comes with the subject line ‘Notification’ and is sent from discharge.authority@nab.com.au.

MailGuard CEO, Craig McDonald, said the company had blocked the distribution of thousands of copies of the email on Thursday afternoon.

“A phishing scam is a fraudulent attempt to steal your information or identity for financial gain. In this case, the perpetrators want victims’ banking details,” he said.

“Creating a fake website allows them to collect people’s account numbers and passwords without arousing suspicion.

“That valuable information is collected and used to make future unauthorised transactions.”

Many NAB customers have taken to Twitter this week to ask the bank whether the email was a scam.

NAB has listed the scam on its website, and advised customers to forward the email to spoof@nab.com.au and then delete it.

Victims are urged to contact their local NAB branch, or call 13 22 65 immediately.

Henry Sapiecha

Losses from reported Australian hacking victims quadrupled in 2016: ACCC

The Australian Competition and Consumer Commission (ACCC) has reported a four-fold increase in hacking scams, with AU$2.9 million lost to such activity in 2016, up from AU$700,000 in 2015.

According to Targeting scams: Report of the ACCC on scams activity 2016, businesses bore the brunt of these scams, with over half — AU$1.7 million — being attributed to businesses.

“While the digital economy presents many opportunities and efficiencies for businesses, it also presents significant risks,” ACCC deputy chair Delia Rickard says in the report’s foreword.

“Scams targeting businesses are becoming increasingly sophisticated using modern technology to make fake emails, invoices and websites appear legitimate to even the astute business person.”

While digitisation is hitting businesses in Australia, the report [PDF] highlights that consumers are also being affected, with digitisation giving scammers the opportunity to try new tricks.

Online scams — those executed via the internet, email, social networks, and mobile apps — outnumbered phone-based scams in 2016, with an increase of 130 percent over 2015.

Elsewhere in the report, losses to online scams accounted for 58 percent — AU$48.4 million — of total losses, while social media was a particularly busy platform used by scammers to lure victims, netting losses of AU$9.5 million in 2016 compared with AU$3.8 million in 2015.

Of the social media scams, the most prevalent were related to online dating and sextortion, a form of blackmail in which compromising images of the victim are used to extort money.

Protect your small business from invoice email scams

16 August 2016

Scam watchers are asking businesses to beware of an invoice email scam seeking payment redirection.

The scam involves scammers pretending to be legitimate suppliers and advising changes to payment arrangements. It may not be detected until the business is alerted by complaints from suppliers that payments were not received.

How these scams work

  • Scammers hack into vendor and/or supplier email accounts and obtain information such as customer lists, bank details and previous invoices.
  • Your business receives an email, supposedly from a vendor, requesting a wire transfer to a new or different bank account.
  • The scammers either disguise their email address or create a new address that looks nearly identical. The emails may be spoofed by adding, removing, or subtly changing characters in the email address which makes it difficult to identify the scammer’s email from a legitimate address.
  • The email may look to be from a genuine supplier and often copy a business’s logo and message format. It may also contain links to websites that are convincing fakes of the real company’s homepage or links to the real homepage itself.
  • The scam email requests a change to usual billing arrangements and asks you to transfer money to a different account, usually by wire transfer.
  • The scam may not be detected until the business is alerted by complaints from legitimate suppliers that they have not received payment.

Protect yourself

  • Make yours a ‘fraud-free’ business – effective management procedures can go a long way towards preventing scams. Have a clearly defined process for verifying and paying accounts and invoices.
  • Consider a multi-person approval process for transactions over a certain dollar threshold.
  • Ensure your staff are aware of this scam and understand how it works so they can identify it, avoid it and report it.
  • Double check email addresses – scammers can create a new account which is very close to the real one; if you look closely you can usually spot the fake.
  • Don’t seek verification via email – you may be simply responding to the scammer’s email or scammers may have the capacity to intercept the email.
  • If you think a request is suspicious, telephone the business to seek verification of the email’s authenticity.
  • Don’t call any telephone number listed in the email; instead, use contact details that you already have on file for the business, or that you have sourced independently – for example, from a telephone directory.
  • Don’t pay, give out or clarify any information about your business until you have looked into the matter further.
  • Check your IT systems for viruses or malware – always keep your computer security up-to-date with anti-virus and anti-spyware software and a good firewall.
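
The verification steps above can be enforced rather than merely recommended. The following is an added example (not code from the page or from the ACCC): a gate that refuses to action a supplier bank-detail change unless the request came from the exact domain held on file (a near-match is reported, never trusted), a changed account was confirmed by phoning the number already on file rather than any number supplied in the email, and payments above a threshold carry two distinct approvals. The vendor records, the threshold and the requests are constructed sample data.

```python
"""Added example, not code from the article: a gate for supplier bank-detail changes.

It encodes the checks the list above describes: the request must come from the
exact domain held on file for the supplier (a near-match is reported, never
trusted), a changed account must have been confirmed by phoning the number
already on file rather than any number supplied in the e-mail, and payments
above a threshold need two distinct approvers. The vendor records, threshold
and requests are constructed sample data.
"""
from difflib import SequenceMatcher

DUAL_APPROVAL_THRESHOLD = 10_000  # assumed policy: above this, two approvers are required

# Constructed vendor master file: the only source of truth for contact details.
SUPPLIERS = {
    "acme": {"domain": "acme-supplies.example", "account": "062-000 12345678", "phone": "+61 2 5550 1234"},
}


def _domain(address):
    return address.rpartition("@")[2].lower()


def _digits(number):
    return "".join(ch for ch in (number or "") if ch.isdigit())


def assess_change_request(request, approvals, callback=None):
    """Return the reasons the payment must NOT proceed; an empty list means it may.

    request:   {'supplier', 'sender', 'new_account', 'amount'}
    approvals: user names who approved the payment
    callback:  {'number_called', 'confirmed'} for the phone check, or None if none was made
    """
    reasons = []
    supplier = SUPPLIERS.get(request["supplier"])
    if supplier is None:
        return [f"unknown supplier {request['supplier']!r}"]

    # 1. Exact domain match only; report (but never accept) a look-alike.
    sender_domain = _domain(request["sender"])
    if sender_domain != supplier["domain"]:
        similarity = SequenceMatcher(None, sender_domain, supplier["domain"]).ratio()
        hint = " (near-identical to the domain on file)" if similarity >= 0.85 else ""
        reasons.append(f"sender domain {sender_domain} is not the supplier's {supplier['domain']}{hint}")

    # 2. A changed account needs a call to the number on file, not one taken from the e-mail.
    if request["new_account"] != supplier["account"]:
        if not callback or not callback.get("confirmed"):
            reasons.append("bank details changed but not confirmed by phone")
        elif _digits(callback.get("number_called")) != _digits(supplier["phone"]):
            reasons.append("confirmation call went to a number that is not on file")

    # 3. Dual control above the threshold; the same person approving twice does not count.
    if request["amount"] > DUAL_APPROVAL_THRESHOLD and len(set(approvals)) < 2:
        reasons.append(f"amount {request['amount']} needs two distinct approvers, has {len(set(approvals))}")
    return reasons


# Constructed scam: look-alike domain, new account, confirmation phoned to a number from the e-mail itself.
SCAM_REQUEST = {"supplier": "acme", "sender": "accounts@acme-supp1ies.example",
                "new_account": "062-999 87654321", "amount": 25_000}
SCAM_CALLBACK = {"number_called": "+61 2 5550 9999", "confirmed": True}

# Constructed genuine change, verified against the phone number on file and dual-approved.
GENUINE_REQUEST = {"supplier": "acme", "sender": "accounts@acme-supplies.example",
                   "new_account": "062-111 11112222", "amount": 25_000}
GENUINE_CALLBACK = {"number_called": "+61 2 5550 1234", "confirmed": True}

if __name__ == "__main__":
    print(assess_change_request(SCAM_REQUEST, ["alice"], SCAM_CALLBACK))
    print(assess_change_request(GENUINE_REQUEST, ["alice", "bob"], GENUINE_CALLBACK))
```

The point of the design is that nothing in the email itself can satisfy the gate: the domain, the phone number and the account on file all come from the vendor master record, so even a perfectly forged message only produces a request that still has to be confirmed out of band.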

Henry Sapiecha

Telstra clients scammed with fake refund email

More than just chasing your credit card details, scammers are looking to steal the identity of Telstra customers.

By telling you that you’ve paid your bill twice, scammers are tricking Telstra customers into handing over their credit card details.

These days most of us are savvy enough not to fall for promises that look too good to be true, whether it’s a win in the British Lottery or an inheritance from a long-lost uncle in deepest, darkest Peru.

Scammers have moved with the times and their new promises are a lot more boring and realistic, such as a small tax refund, an unexpected parcel delivery or a billing error in your favour.

A copy of the fake letter emailed to Telstra customers. Photo: MailGuard

The latest wave of convincing-looking scam emails, identified by MailGuard, claim you’ve somehow paid your Telstra bill twice so you’re entitled to a refund. Rather than take a shotgun approach the scammers have only sent it to Telstra customers – more than 20,000 of them – who probably won’t find it too hard to believe that the telco has managed to stuff up their bill.

This isn’t a cryptolocker attack like many fake emails that have probably arrived in your inbox lately – there isn’t an infected malware attachment or dodgy link designed to encrypt all your documents and demand a ransom. Instead the official-looking letter, supposedly signed by Telstra executive Gerd Schenkel, points you to Telstra’s My Account online portal where you can log into your Telstra account and claim your refund.

Of course the link doesn’t send you to Telstra’s real My Account page, just a very convincing-looking forgery as part of a “phishing” attack hoping to trick you into handing over sensitive information. Along with your Telstra login and password you’re asked to provide all your credit card and billing address details along with your date of birth.

Not only can scammers use these details to go on a shopping spree with your credit card, it’s also enough information for them to pretend to be you and start racking up other debts in your name.

The best defence against these attacks is a healthy sense of paranoia. Often they’ll be riddled with grammatical errors, come from a suspicious-looking email address or rely on a suspicious-looking website name. This latest Telstra attack does look very convincing, but if nothing else the fact that it asks for so much information should ring alarm bells.

Always assume that any unexpected email you receive from a service provider is a fake. Never open attachments, click on links in the email or trust the supplied phone number. If in doubt, contact the provider directly, using contact details you already have, to clarify.

If you’ve been caught by this scam the best thing to do is notify Telstra, change your My Account password and notify your bank so it can cancel your credit card.

Have you been caught out by these kinds of scams? How do you spot the fakes?

Henry Sapiecha