Phishing Email Alerts for April Fool’s Day 2022
Catch of the Day: Wells Fargo Smish
Chef’s Special: Current Events Phish
Examples of clever phish that made it past my spam filters and into my Inbox, or from clients, or reliable sources on the Internet.
I would be delighted to accept suspicious phishing examples from you. Please forward your email to email@example.com.
My intention is to provide a warning, examples of current phishing scams, related articles, and education about how these scams and exploits work, and how to detect them in your own inbox. If the pictures are too small or extend off the page, double-clicking on them will open them up in a photo viewer app.
Malicious email and phishing scams are usually topical and follow a pattern of current events. They are usually crafted around calendar and/or trending issues as attackers realize that victims are interested in all things relevant to the moment. Threat actors are aware that not all recipients will bite, but some will, hence the origination of the term “phishing.”
Included topics: IRS-themed tax scams, W-8 form submission via fax , Ukrainian war scams, and Bitcoin scams. More…
Wells Fargo Smishing Exploit
I’ve seen a variation of this attack in a traditional phishing email. This one arrived via the SMS text messaging app on my phone.
You have to be careful reading this link because it looks plausibly like a Bitly style short link. The actual domain is ndb-3.com, and online-bank and wellsf are subdomains. If I own a domain I can create as many subdomains as I need. But check out how realistic this looks in a couple of slides.
Here’s another hallmark of current phishing campaigns – the CAPTCHA panel. This of course lends a bit of realistic stagecraft to this exploit. I had to find all the motorcycles.
The CAPTCHA sends us to a very realistic Wells Fargo branded landing page. Just enter your user name and password and your credentials are sent to the attackers
But wait – there’s more. Now to collect some choice personal information
Ans why would wells Fargo need the password to my email account? With this information the attacker can engage in impersonation attacks against people on your contact list using your legitimate but compromised email account.
The next screen is as far as I could go, because it required the use of a real credit card number. I tried using variations and made-up CC numbers, but they are actually using credit card verification logic in their exploit code.
My assumption at this point is that the attackers would finally forward you to the legitimate Wells Fargo home page, just as they did in the Wells Fargo example I’ve show before in this blog. This allows them to cover their tracks and extend the life of the exploit.
Spearphishing crafted with industry-specific terms derived from intelligence gathering techniques to trick a recipient into opening a file is especially difficult to identify. This is especially true when an adversary has knowledge of how a business works and the processes that underpin it. Using this knowledge, a lure can be crafted that takes advantage of these day-to-day processes – for example, settling the cost of a fuel transaction.
FortiGuard Labs recently encountered such a scenario, where a fuel company in Kyiv, Ukraine received a spearphishing e-mail that contained an attached invoice—seemingly from another fuel provider—that was spoofed. The attachment is a zip file that contains the IcedID Trojan. More…
Morphisec Labs has detected a new wave of Remcos trojan infection. The theme of the phishing emails is again financial, this time as payment remittances sent from financial institutions. The attacker lures a user to open a malicious Excel file that contains “confidential information” which starts the infection chain.
Morphisec’s analysis has identified several services used for these phishing campaigns. They include Wells Fargo (see above example), FIS Global, and ACH Payment notifications. More…