Phishing Scams

ASSA ALLIANCE / PHISHING

What is Phishing?

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication. Typically carried out by email spoofing or instant messaging, it often directs users to enter personal information at a fake website which matches the look and feel of the legitimate site.

Phishing is an example of social engineering techniques being used to deceive users. Users are often lured by communications purporting to be from trusted parties such as social web sites, auction sites, banks, online payment processors or IT administrators.

PHISHING

Spear Phishing 

Phishing attempts directed at specific individuals or companies have been termed spear phishing. In contrast to bulk phishing, spear phishing attackers often gather and use personal information about their target to increase their probability of success.

Threat Group-4127 (Fancy Bear) used spear phishing tactics to target email accounts linked to Hillary Clinton's 2016 presidential campaign. They attacked more than 1,800 Google accounts and implemented the accounts-google.com domain to threaten targeted users.

Clone Phishing

Clone phishing is a type of phishing attack whereby a legitimate, and previously delivered, email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical or cloned email. The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender. It may claim to be a resend of the original or an updated version to the original. Typically this requires either the sender or recipient to have been previously hacked for the malicious third party to obtain the legitimate email.

Link Manipulation

Most methods of phishing use some form of technical deception designed to make a link in an email (and the spoofed website it leads to) appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are common tricks used by phishers. In the example URL http://www.yourbank.example.com/, it appears as though the link will take you to the "example" section of the yourbank website; in fact the registered domain is example.com, so the URL points to a "yourbank" (i.e. phishing) section of the example website. Another common trick is to make the displayed text for a link (the anchor text between the HTML <a> tags) suggest a reliable destination, when the link actually goes to the phishers' site. Many desktop email clients and web browsers will show a link's target URL in the status bar while the mouse hovers over it. This behavior, however, may in some circumstances be overridden by the phisher. Equivalent mobile apps generally do not have this preview feature.

Internationalized domain names (IDN) can be exploited via IDN spoofing or homograph attacks to create web addresses visually identical to a legitimate site's that lead instead to a malicious version. Phishers have taken advantage of a similar risk, using open URL redirectors on the websites of trusted organizations to disguise malicious URLs behind a trusted domain. Even digital certificates do not solve this problem, because it is quite possible for a phisher to purchase a valid certificate and subsequently change content to spoof a genuine website, or to host the phishing site without SSL at all.
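The two tricks above (a trusted brand name used as a subdomain of an unrelated domain, and IDN look-alike hosts) can be checked mechanically. The following is an added example written for this page, not code from ASSA or from any mail product: a small link analyser of the kind a mail filter or awareness tool could run over the links in a message. The TRUSTED_DOMAINS list and the sample links are constructed for the demo, and the registrable-domain logic is a deliberate simplification (it does not use the Public Suffix List).

```python
# Added example, not part of the ASSA page: a link analyser that flags the
# subdomain trick, IDN homograph hosts and display-text/target mismatches.
# TRUSTED_DOMAINS and the sample links are constructed for the demo.
from urllib.parse import urlsplit

# Hypothetical brands the filter wants to protect.
TRUSTED_DOMAINS = {"yourbank.com"}


def registrable_domain(host):
    """Naive eTLD+1: last two labels. Adequate for .com-style names in this
    demo; production code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Best-effort host name from a URL or bare domain; None if unparseable."""
    try:
        return urlsplit(text if "://" in text else "http://" + text).hostname
    except ValueError:
        return None


def analyse_link(anchor_text, href):
    """Return the list of deception indicators found (empty list = none)."""
    findings = []
    host = host_of(href)
    if not host:
        return ["href has no parseable host"]
    reg = registrable_domain(host)
    labels = host.split(".")

    # 1. Subdomain trick: http://www.yourbank.example.com/ is owned by
    #    example.com; the brand merely appears as one of the leading labels.
    for brand in TRUSTED_DOMAINS:
        brand_label = brand.split(".")[0]
        if brand_label in labels[:-2] and reg != brand:
            findings.append(f"brand '{brand_label}' is only a subdomain of {reg}")

    # 2. IDN homograph risk: non-ASCII letters or an encoded (xn--) label.
    if not host.isascii():
        findings.append("non-ASCII characters in host: possible IDN homograph")
    elif any(label.startswith("xn--") for label in labels):
        findings.append("punycode (xn--) label in host: possible IDN homograph")

    # 3. Displayed text that itself looks like a domain but differs from the target.
    shown_host = host_of(anchor_text.strip())
    if shown_host and "." in shown_host and registrable_domain(shown_host) != reg:
        findings.append(f"text shows {shown_host} but link goes to {host}")

    return findings


if __name__ == "__main__":
    samples = [  # constructed samples
        ("yourbank", "http://www.yourbank.example.com/"),
        ("www.yourbank.com", "http://www.yourb\u0430nk.com/login"),  # Cyrillic 'a'
        ("https://www.yourbank.com/login", "https://www.yourbank.com/login"),
    ]
    for text, href in samples:
        print(href, "->", analyse_link(text, href) or ["ok"])
```

Browsers render the Cyrillic host in the second sample identically to the brand, which is why the analyser looks at the code points rather than at what the user sees; the status-bar preview mentioned above would show the same misleading text.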


Website Forgery

Some phishing scams use JavaScript commands in order to alter the address bar of the website they lead to. This is done either by placing a picture of a legitimate URL over the address bar, or by closing the original bar and opening up a new one with the legitimate URL. 

An attacker can also potentially use flaws in a trusted website's own scripts against the victim. These types of attacks (known as cross-site scripting) are particularly problematic, because they direct the user to sign in at their bank or service's own web page, where everything from the web address to the security certificates appears correct. In reality, the link to the website is crafted to carry out the attack, making it very difficult to spot without specialist knowledge. Such a flaw was used in 2006 against PayPal.

To avoid anti-phishing techniques that scan websites for phishing-related text, phishers sometimes use Flash-based websites (a technique known as phlashing). These look much like the real website, but hide the text in a multimedia object.



Whaling

The term whaling refers to spear phishing attacks directed specifically at senior executives and other high-profile targets. In these cases, the content will be crafted to target an upper manager and the person's role in the company. The content of a whaling attack email may be an executive issue such as a subpoena or customer complaint.

Filter Evasion

Phishers have sometimes used images instead of text to make it harder for anti-phishing filters to detect the text commonly used in phishing emails. In response, more sophisticated anti-phishing filters are able to recover hidden text in images using OCR (optical character recognition).

Covert Redirect

Covert redirect is a subtle method of performing phishing attacks that makes links appear legitimate but actually redirects a victim to an attacker's website. The flaw is usually disguised behind a log-in popup served from an affected site's own domain. It can also affect OAuth 2.0 and OpenID implementations through their well-known request parameters. It often makes use of open redirect and XSS vulnerabilities in third-party application websites. Users may also be redirected to phishing websites covertly through malicious browser extensions.

Normal phishing attempts can be easy to spot because the malicious page's URL will usually differ from the real site's. With covert redirect, an attacker can instead use a real website, corrupting it with a malicious login popup dialogue box. This is what distinguishes covert redirect from other phishing methods.

For example, suppose a victim clicks a malicious phishing link beginning with Facebook. A popup window from Facebook will ask whether the victim would like to authorize the app. If the victim chooses to authorize the app, a "token" will be sent to the attacker and the victim's personal sensitive information could be exposed. This information may include the email address, birth date, contacts, and work history. If the token carries greater privileges, the attacker could obtain more sensitive information including the mailbox, online presence, and friends list. Worse still, the attacker may be able to control and operate the user's account. Even if the victim does not choose to authorize the app, he or she will still be redirected to a website controlled by the attacker, which could further compromise the victim.
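The token leak described above only works when the identity provider accepts a redirect_uri that merely shares a host with the registered one, so that an open redirector on the relying party can forward the token elsewhere. The following is an added example written for this page, not code from ASSA, Facebook or any OAuth library: it models that chain from the authorization server's side and contrasts a host-only check with exact matching of pre-registered redirect URIs, which is what the OAuth 2.0 Security Best Current Practice recommends. The client id, URLs, token value and the relying party's /redirect endpoint are all constructed for the demo.

```python
# Added example, not part of the ASSA page: why exact redirect_uri matching
# stops covert redirect. All names, URLs and the token value are constructed.
from urllib.parse import urlsplit, parse_qs

# Redirect URIs the relying party registered with the (hypothetical) provider.
REGISTERED_REDIRECTS = {
    "demo-client": {"https://app.example.com/oauth/callback"},
}


def weak_redirect_check(client_id, redirect_uri):
    """Host-only matching: any path on a registered host is accepted, which is
    exactly the looseness covert redirect relies on."""
    host = urlsplit(redirect_uri).hostname
    return any(urlsplit(r).hostname == host
               for r in REGISTERED_REDIRECTS.get(client_id, ()))


def strict_redirect_check(client_id, redirect_uri):
    """Exact string match against registered URIs (OAuth 2.0 Security BCP),
    plus https-only and no fragment component."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, ())


def relying_party_redirect(url):
    """Hypothetical vulnerable endpoint on app.example.com: /redirect?to=<url>
    forwards the browser anywhere and, being a browser-side redirect, keeps the
    URL fragment in which an implicit-flow access token travels."""
    parts = urlsplit(url)
    if parts.path == "/redirect":
        dest = parse_qs(parts.query).get("to", [None])[0]
        if dest:
            return f"{dest}#{parts.fragment}"
    return url


def token_recipient(client_id, redirect_uri, validator):
    """Host that ends up holding the access token, or None when the
    authorization server rejects the redirect_uri."""
    if not validator(client_id, redirect_uri):
        return None
    issued = f"{redirect_uri}#access_token=CONSTRUCTED_TOKEN"
    return urlsplit(relying_party_redirect(issued)).hostname


if __name__ == "__main__":
    crafted = "https://app.example.com/redirect?to=https://phish.example/"
    print("host-only check sends the token to:",
          token_recipient("demo-client", crafted, weak_redirect_check))
    print("exact-match check result:",
          token_recipient("demo-client", crafted, strict_redirect_check))
```

With the host-only check the token reaches phish.example even though the user only ever saw the real app.example.com domain in the consent popup; with exact matching the authorization server refuses the request before any token is issued, and the relying party's open redirector becomes irrelevant to this flow.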

Social Engineering 

Users can be encouraged to click on various kinds of unexpected content for a variety of technical and social reasons. For example, a malicious attachment might masquerade as a benign linked Google doc.

Alternatively users might be outraged by a fake news story, click a link and become infected.

Voice Phishing 

Not all phishing attacks require a fake website. Messages that claimed to be from a bank told users to dial a phone number regarding problems with their bank accounts. Once the phone number (owned by the phisher, and provided by a voice over IP service) was dialed, prompts told users to enter their account numbers and PIN. Vishing (voice phishing) sometimes uses fake caller-ID data to give the appearance that calls come from a trusted organization.
 
Other Techniques

Another attack used successfully is to forward the client to a bank's legitimate website, then to place a popup window requesting credentials on top of the page in a way that makes many users think the bank is requesting this sensitive information.

Tabnabbing takes advantage of tabbed browsing, with multiple open tabs. This method silently redirects the user to the affected site. This technique operates in reverse to most phishing techniques in that it does not directly take the user to the fraudulent site, but instead loads the fake page in one of the browser's open tabs.

Total number of unique phishing reports (campaigns) received, according to APWG

Year Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Total
2005 12,845 13,468 12,883 14,411 14,987 15,050 14,135 13,776 13,562 15,820 16,882 15,244 173,063
2006 17,877 17,163 18,480 17,490 20,109 28,571 23,670 26,150 22,136 26,877 25,816 23,787 268,126
2007 29,930 23,610 24,853 23,656 23,415 28,888 23,917 25,624 38,514 31,650 28,074 25,683 327,814
2008 29,284 30,716 25,630 24,924 23,762 28,151 24,007 33,928 33,261 34,758 24,357 23,187 335,965
2009 34,588 31,298 30,125 35,287 37,165 35,918 34,683 40,621 40,066 33,254 30,490 28,897 412,392
2010 29,499 26,909 30,577 24,664 26,781 33,617 26,353 25,273 22,188 23,619 23,017 21,020 313,517
2011 23,535 25,018 26,402 20,908 22,195 22,273 24,129 23,327 18,388 19,606 25,685 32,979 284,445
2012 25,444 30,237 29,762 25,850 33,464 24,811 30,955 21,751 21,684 23,365 24,563 28,195 320,081
2013 28,850 25,385 19,892 20,086 18,297 38,100 61,453 61,792 56,767 55,241 53,047 52,489 491,399
2014 53,984 56,883 60,925 57,733 60,809 53,259 55,282 54,390 53,661 68,270 66,217 62,765 704,178
2015 49,608 55,795 115,808 142,099 149,616 125,757 142,155 146,439 106,421 194,499 105,233 80,548 1,413,978
2016 99,384 229,315 229,265 121,028 96,490 98,006 93,160 66,166 69,925 51,153 64,324 95,555 1,313,771
2017 96,148 100,932 121,860 87,453 93,285 92,657 99,024 99,172 98,012 61,322 86,547 85,744 1,122,156
2018 89,250 89,010 84,444 91,054 82,547 90,882 93,078 89,323 88,156 87,619 64,905 87,386 1,040,654

Morrisons Scam

ASSA ALLIANCE / SCAMS

Facebook/Morrisons Scam

If you see this ad posted on Facebook, DO NOT click the links or enter any information on the page it goes to. The domain it goes to has nothing to do with Morrisons and is a scam to get your personal details. You have been warned!!

Tesco Scam

Facebook/Tesco Scam

If you see this ad posted on Facebook, DO NOT click the links or enter any information on the page it goes to. The domain it goes to has nothing to do with Tesco and is a scam to get your personal details. You have been warned!!

Westpac - Phishing Email Scam 1

The claim link in this email does NOT go to westpac.com.au/redeem. It goes to:
https://dypatilskills.com/test, where they will try to get the login details for your bank account. Not an issue for people who do not have a Westpac account, but if you do, delete the email at once and do not click any links.

The domain is owned by:

Registrant:
Organization: NagpurVentures
Mailing Address: Maharashtra, India

We have emailed GoDaddy and are currently awaiting a reply.

Westpac - Phishing Email Scam 2

This is a classic attempt to get your bank login details. The Verify Now button does NOT go to Westpac but goes to https://nagpuraviation.com/test.

The domain is owned by:

Registrant:
Organization: NagpurVentures
Mailing Address: Maharashtra, India

And is registered by:
GoDaddy.com, LLC
IANA ID: 146
Abuse Contact Email: abuse@godaddy.com
Abuse Contact Phone: tel:480-624-2505

We have emailed GoDaddy and are currently awaiting a reply.

© Copyright 2019-2020 ASSA - All Rights Reserved
Some information about Scamming/Phishing gleaned from Wikipedia