A new spear-phishing campaign has targeted executives and others in an attempt to steal login credentials and bank account details by posing as their smartphone provider.
Uncovered by researchers at cybersecurity company Cofense, the attacks come in the form of emails claiming to be from their mobile phone provider, and refer to a problem with their bill.
The security company said the spoof mail had been sent to “a few executives, including one at a leading financial firm”.
The messages come with the vague subject ‘View Bill – Error – Message’ and are designed with branding that looks like they could come from EE. The message tells the victim that the company is working on fixing an unspecified problem and that the user should log in to their account to update their details.
Users should be cautious about unexpected messages like this – especially if, like this one, they urge some sort of immediate action – but there are also some elements of the phishing email which should act as warnings that all is not right.
While the ‘from’ display does include EE, the email address is not related to the company, and the domain the message has actually been sent from is registered in the Netherlands.
The malicious URL the email asks victims to click is also long and very strange, featuring ‘fly-guyz’, which should indicate that something is wrong.
However, if the victim doesn’t notice any of this and clicks the link, they’re taken to a spoofed login page which looks very similar to the real thing – complete with a trusted HTTPS protocol and SSL certificate for the domain. The web address, though, is all wrong.
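The warning signs described above (a display name carrying the brand while the sender address and the link host belong to unrelated domains) can be checked mechanically at a mail gateway. The following is an added example, not code from Cofense or the article; the sample message, its addresses and URL are constructed placeholders, and the `ee.co.uk` allow-list entry is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: brand keyword -> domains that brand legitimately sends from and links to.
BRAND_DOMAINS = {"ee": {"ee.co.uk"}}

# Constructed sample message; sender address and URL are placeholders.
SAMPLE = """\
From: "EE" <billing@notice-mailer.example>
To: exec@victim.example
Subject: View Bill - Error - Message
Content-Type: text/plain

We are working on fixing a problem with your bill. Log in to update your details:
https://fly-guyz.example/ee/account/login?session=0000
"""

def under(host, domains):
    """True if host equals, or is a subdomain of, one of the allowed domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def brand_mismatches(raw):
    """Return (kind, brand, host) findings where a claimed brand does not own the host."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    words = set(re.findall(r"[a-z0-9]+", display.lower()))
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand not in words:
            continue  # display name does not claim this brand
        if not under(sender_host, domains):
            findings.append(("sender", brand, sender_host))
        for url in re.findall(r"https?://[^\s<>]+", msg.get_payload()):
            host = urlparse(url).hostname or ""
            # The scheme is ignored on purpose: a valid HTTPS certificate
            # proves control of the host, not that the brand owns it.
            if not under(host, domains):
                findings.append(("link", brand, host))
    return findings

if __name__ == "__main__":
    for finding in brand_mismatches(SAMPLE):
        print(finding)
```
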
First, the user is asked to enter their email address and password to ‘login’ to the spoofed website, providing cyber criminals with login credentials they could exploit for additional fraud. After entering these details, the victim is taken to another page, which this time asks them for all their bank details, including the full name, card number, the expiry date, the CVV number, their date of birth and the sort code – it’s everything a criminal needs.
After entering their details on this page, the user is redirected to the real operator’s website – an effort by the attackers to avoid suspicion by the victim.
The security company said the phishing page is still active, indicating that attempts at attacks are likely to be ongoing.
Unfortunately, spoofed domains aren’t new but remain a successful means of attack, so users should be wary of any unexpected emails which claim to be from companies and demand immediate attention – especially if that call to action involves clicking a link or downloading an unexplained attachment.
If people really aren’t sure what to do, they should try to call the company the email claims to be from in order to determine if it’s authentic or not.