Victims fooled by legitimate signup forms in phishing scam

News by Rene Millman

Cyber-criminals are using official newsletter signup forms to disguise phishing attacks, according to security researchers.

In a blog post, researchers at Dr. Web said that criminals had used the newsletter subscription forms of legitimate companies to spread links to a phishing website. Because the messages are sent from genuine company addresses, they appear trustworthy both to the recipient and to spam filters, increasing the number of potential victims, the researchers said.

Researchers noted that several Russian users had received phishing emails from well-known international companies such as Audi, Austrian Airlines and S-Bahn Berlin.

"Those emails were sent from official company addresses and didn’t raise any suspicions. The header and the email itself are written in English or German; but the letter begins with words in Russian saying, ‘money for you’," researchers said.

"At the beginning of the email, a link leads users to the hacked page of a dating website. Then, due to malicious code embedded into the website’s stub page, users are redirected through several other websites to a phishing one," said the researchers.

When they arrive on the phishing page, victims are told they have won a chance to take part in an international promotion called "The lucky e-mail". If they agree to participate, they must complete a survey to receive prize money ranging from €10 to €3,000. The hackers have also added fake comments from people who allegedly received the prize, including some from people not satisfied with the size of their reward.

Once the survey is completed, the phishing page asks winners to pay a commission to exchange euros for roubles.

"To pay the commission, victims are redirected to a fake payment page where they are supposed to enter their credit card information. Once complete, victims are asked to provide the verification code sent by SMS. When all the steps are completed, the victim’s bank account is debited, and their credit card data is left to the hackers. Additionally, no funds are credited to the victim’s bank account," said researchers.

Researchers at Dr. Web said that what was interesting about the scam was that criminals used official email newsletter signup forms on company websites.

"Special symbols are allowed in the forms, so it’s possible to send malicious links via official company newsletters. To do this, hackers fill in the ‘Name’ field with words like ‘Money for you’ and the ‘Last name’ with a link to the phishing website. As a result, victims receive an email from the official company address, asking them to confirm the subscription," said researchers.
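The control that closes the gap the researchers describe sits on the sending side: a newsletter form must not let link-like or markup-like input in its name fields reach the confirmation template. The following is an added example (not code from Dr. Web, SC Media or any company named in this article) of such a validator together with a confirmation renderer that only accepts validated names. The field names, the length limit, the TLD list and the sample inputs are assumptions made for the example.

```python
import html
import re

# Upper bound on a name field; an assumption for this example, not a value
# taken from the article or from any company it names.
MAX_NAME_LEN = 64

# Anything that looks like a link: a scheme, a www. prefix, or a bare
# host.tld token. The TLD list is deliberately short and is an assumption.
URL_RE = re.compile(
    r"(https?://|www\.|\b[a-z0-9-]+\.(?:com|net|org|ru|de|io|info|xyz)\b)",
    re.IGNORECASE,
)

# Characters that have no place in a personal name but are needed to smuggle
# markup or a link into the outgoing confirmation email.
FORBIDDEN_RE = re.compile(r"[<>\"/\\:;=&%@]")

# A name: runs of Unicode letters joined by a single space, hyphen,
# apostrophe or period, so "Jean-Luc", "O'Brien" and "Müller" all pass.
NAME_RE = re.compile(r"^[^\W\d_]+(?:[ .'’-][^\W\d_]+)*\.?$")


def validate_name_field(value: str) -> tuple[bool, str]:
    """Return (ok, reason). Reject before anything reaches the mail template."""
    v = value.strip()
    if not v:
        return False, "empty"
    if len(v) > MAX_NAME_LEN:
        return False, "too long"
    if URL_RE.search(v):
        return False, "contains a link"
    if FORBIDDEN_RE.search(v):
        return False, "contains characters not allowed in a name"
    if not NAME_RE.match(v):
        return False, "does not look like a name"
    return True, ""


def render_confirmation_html(first: str, last: str, confirm_url: str) -> str:
    """Build the HTML confirmation body.

    Validation is the control that keeps a link out of the name fields;
    HTML-escaping is defence in depth against markup. confirm_url is
    generated server-side and is never taken from the form.
    """
    for label, value in (("first name", first), ("last name", last)):
        ok, reason = validate_name_field(value)
        if not ok:
            raise ValueError(f"{label} rejected: {reason}")
    safe_first = html.escape(first.strip())
    safe_last = html.escape(last.strip())
    return (
        f"<p>Hello {safe_first} {safe_last},</p>"
        f'<p>Please confirm your subscription: '
        f'<a href="{html.escape(confirm_url)}">confirm</a></p>'
    )


if __name__ == "__main__":
    # Constructed inputs: a normal subscriber and the pattern the article
    # describes (a lure in the first name, a link in the last name).
    for first, last in (("Jane", "O'Brien"), ("Money for you", "http://lucky-mail.example/win")):
        try:
            print(render_confirmation_html(first, last, "https://news.example/confirm?t=CONSTRUCTED"))
        except ValueError as exc:
            print("rejected:", exc)
```

Escaping alone would not help here, because the lure in the article is a plain link in a plain-text greeting rather than markup; that is why the validator, not the escaper, is the primary check. The same validation should apply to any other form field that is echoed into an outgoing message, including subject lines.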

Sam Cook, privacy advocate at Comparitech, told SC Media UK that at present there is no effective method users can employ to stop these emails from bypassing email spam filters.

"Although spam filters do check the email content for suspicious words, phrases, and links, one of the primary triggers is the email address itself. If the email address is coming from a whitelisted site or appears fully legitimate, it’s unlikely to be stopped by a spam filter even with a suspicious link in the content of the email," he said.
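A receiving-side filter can still catch this pattern without distrusting the sender address: in the abuse the researchers describe, the genuine confirmation link points at the company's own domain while the injected link points somewhere else, and the injected text lands in the greeting. The following is an added example (not code from Comparitech, Dr. Web or SC Media) of that heuristic run over two constructed messages; the message contents, the reserved .test and .example hostnames and the two-label domain approximation are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Two constructed messages, not real mail from the article. The first imitates
# the abuse Dr. Web describes: a genuine confirmation mail whose name fields
# carry a lure and a link to an unrelated host. Reserved .test/.example names
# are used so nothing here points at a real site.
PHISH_CONFIRMATION = """\
From: "Example Airline Newsletter" <newsletter@example-airline.test>
To: victim@mail.example
Subject: Please confirm your subscription
Content-Type: text/plain; charset=utf-8

Hello Money for you http://dating-site.example/stub/,

Please confirm your subscription by clicking the link below:
https://www.example-airline.test/confirm?token=CONSTRUCTED
"""

LEGIT_CONFIRMATION = """\
From: "Example Airline Newsletter" <newsletter@example-airline.test>
To: jane@mail.example
Subject: Please confirm your subscription
Content-Type: text/plain; charset=utf-8

Hello Jane Doe,

Please confirm your subscription by clicking the link below:
https://www.example-airline.test/confirm?token=CONSTRUCTED
"""

URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Assumption: adequate for .com/.test style names. A production filter
    would use the public suffix list so that co.uk and similar work.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(raw: str) -> dict:
    """Flag a confirmation-style mail whose links or greeting do not belong
    to the sender's own domain, regardless of sender reputation."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_base = registrable_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else ""
    payload = msg.get_payload(decode=True)
    body = payload.decode("utf-8", "replace") if isinstance(payload, bytes) else (payload or "")
    link_bases = {registrable_domain(h) for h in URL_RE.findall(body)}
    foreign = sorted(d for d in link_bases if d != sender_base)
    # The greeting is where a form-supplied name lands; a URL there is the
    # strongest single indicator that a signup form was abused.
    first_line = next((line for line in body.splitlines() if line.strip()), "")
    url_in_greeting = bool(URL_RE.search(first_line))
    return {
        "sender_domain": sender_base,
        "foreign_link_domains": foreign,
        "url_in_greeting": url_in_greeting,
        "suspicious": bool(foreign) or url_in_greeting,
    }


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_CONFIRMATION), ("legit", LEGIT_CONFIRMATION)):
        print(name, analyze(raw))
```

The check deliberately ignores who sent the mail, which is the signal the attack is designed to satisfy; a newsletter platform that links to its own tracking domain would need that domain added to an allowlist per sender, otherwise every confirmation would be flagged.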

Corin Imai, senior security advisor at DomainTools, told SC Media UK that email authentication protocols can help organisations prevent their brand being exploited for criminal activity, "but in the case of a successful spoofing of a newsletter or even confirmation email – which a recent Comparitech study found to be one of the latest devices of cyber-criminals – informing customers of the existing threat should be the first step to limit the damage."

Jake Moore, cyber security specialist at ESET, advises: "Not everyone has the time or the know-how to look for tell-tale signs within a malicious link, but it can be mitigated by following one rule – don’t go entering information from emails sent to you even if they look genuine. The timing is usually the best giveaway as even if the email looks worthy of someone you are connected with, it may not be timed well. With that said, I still withhold giving away any personal information where possible – especially if a link were to say I’ve won a prize. Businesses should of course be making use of multi-factor authentication for any newsletters and make their users aware of tactics used by hackers."

Dr Darren Williams, CEO and founder of BlackFog, adds: "Organisations need to realise that almost every – seemingly innocent – application or link their employees visit is collecting some form of data about their usage and identity. By collecting this unauthorised data, hackers can profile individuals with the intent of stealing confidential company information from their devices. While every attack is different, BlackFog’s internal data shows that about 25 percent of all data flowing from an enterprise’s device is exfiltrated to China and Russia on a daily basis.

"Businesses need to ensure that confidential data never leaves the device in the first place by blocking the exfiltration of data. It’s clear that cyber-threats will continue to increase and infiltrate our devices via various vectors so businesses and consumers must ensure the data can’t get out and into the wrong hands."
