Phishing Email Alerts
Catch of the Day: TikTok Phish
Chef’s Special: Iranian Smishing Phish
Examples of clever phish that made it past my spam filters and into my Inbox, or from clients, or reliable sources on the Internet.
I would be delighted to accept suspicious phishing examples from you. Please forward your email to firstname.lastname@example.org.
My intention is to provide a warning, examples of current phishing scams, related articles, and education about how these scams and exploits work, and how to detect them in your own inbox. If the pictures are too small or extend off the page, double-clicking on them will open them up in a photo viewer app.
Phishing emails are targeting large TikTok accounts with phony copyright warnings or offers for account verification, according to researchers at Abnormal Security.
“An email campaign sent in two rounds on October 2, 2021, and November 1, 2021 to more than 125 individuals and businesses appeared to target large-volume TikTok accounts of all kinds and across disparate locales,” the researchers write.
“Among the typical talent agencies and brand-consultant firms we would expect to see, this actor sent messages to social media production studios, influencer management firms, and content producers of all types… From well-known digital media channels to individual actors, models, and magicians, the campaign reached out to content creators worldwide.
Several emails were sent to the wrong company of the same name in the same country, and many of the email addresses used appear to have been lifted directly from social media.”
The researchers add that the attackers set a time constraint to ensure that the victim acts quickly, then send a link to trick the user into entering their credentials.
“This campaign indicates that attackers have linked TikTok with the social media giants, including Facebook and Twitter, in the impersonation game,” the researchers write. “In the original phishing email, designed to appear like a copyright violation notice from TikTok, the victim was instructed to respond to the message, lest their account be deleted in 48 hours.”
Abnormal notes that hackers sometimes demand a ransom to return the account to its owner. “While we were unable to identify the end goal of the campaign, past targeting of social media accounts on other platforms offers several options,” the researchers write.
“Social media accounts have become increasingly valuable in recent years, creating the incentive to ransom them back to the original owners for a hefty fee. An underground economy has evolved to offer ban-as-a-service, manipulating abuse reporting mechanisms to harass and censor other users, primarily on Instagram.
Sadly, victim accounts in this scenario often end up deleted, especially for those on TikTok.” New-school security awareness training can enable your employees to recognize social engineering tactics so they can avoid falling for these attacks.
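The three tells the researchers describe (a named brand, a hard deadline, and a link that leads somewhere other than that brand's domain) can be checked mechanically. The script below is an added illustration, not code from the original post or from Abnormal Security; the sample message and the link domain tiktok-copyright-center.example are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the copyright-notice lure described above; the
# link domain "tiktok-copyright-center.example" is a placeholder, not a real IoC.
SAMPLE_HTML = """
<p>Dear creator, your TikTok account has received a copyright violation notice.</p>
<p>Reply within 48 hours or your account will be permanently deleted.</p>
<p><a href="http://tiktok-copyright-center.example/verify">https://www.tiktok.com/legal/copyright</a></p>
"""

# Deadline and threat phrasing typical of the "act now" pressure the article describes.
URGENCY = re.compile(r"\bwithin\s+\d+\s+(?:hours?|days?)\b|\bwill be (?:deleted|suspended)\b", re.I)
class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def host(url):
    """Hostname of a URL, tolerating links written without a scheme."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def analyse(html, brand="tiktok", brand_domain="tiktok.com"):
    """Return the phishing tells found: urgency, brand mention, off-brand and mismatched links."""
    parser = LinkExtractor()
    parser.feed(html)
    text = re.sub(r"<[^>]+>", " ", html)
    found = {"urgency": bool(URGENCY.search(text)), "brand_named": brand in text.lower(),
             "offbrand_links": [], "text_href_mismatch": []}
    for href, shown in parser.links:
        h = host(href)
        if h != brand_domain and not h.endswith("." + brand_domain):
            found["offbrand_links"].append(href)          # link leaves the brand's domain
        if re.match(r"(?:https?://|www\.)", shown, re.I) and host(shown) != h:
            found["text_href_mismatch"].append((shown, href))  # displayed URL != real target
    found["suspicious"] = found["urgency"] and found["brand_named"] and bool(found["offbrand_links"])
    return found
```

Running `analyse(SAMPLE_HTML)` flags the sample: the 48-hour deadline, the TikTok name, and a displayed tiktok.com URL whose real target is an unrelated host.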
Abnormal Security has the story:
Generally, I am not too interested in exploits happening in other parts of the globe, but this one bears watching, because the target audience can always be changed, and this exploit or something similar could happen here in the United States. I recommend this article as a must read. You can check out the entire story here.
For a more technical readout including IOCs and TTPs, check out the AlienVault threat intelligence feed here.
Short version follows:
In the last few months, multiple Iranian media and social networks have published warnings about ongoing SMS phishing campaigns impersonating Iranian government services. The story is as old as time: victims click on a malicious link, enter their credit card details, and in a matter of hours their money is gone. What is noteworthy about these campaigns is the sheer scale of the attack. An unprecedented number of victims have shared similar stories in the comment sections of news outlets and social networks about how their bank accounts were emptied.
As opposed to previously spotted attacks such as the Flubot Trojan, which steals sensitive data from devices by injecting code and displaying overlay screens, the malicious applications presented in this research rely on social engineering to lure victims into handing over their credit card details. The modus operandi is always the same. The victims receive a legitimate-looking SMS with a link to a phishing page that impersonates government services and lures them to download a malicious Android application and then pay a small fee for the service. The malicious application not only collects the victim’s credit card numbers, but also gains access to their 2FA authentication SMS, and turns the victim’s device into a bot capable of spreading similar phishing SMS to other potential victims. The technical evidence and the public reports show tens of thousands of victims were affected, and billions of Iranian Rials stolen, with sums reaching up to $1000-2000 per victim.