All Threat Intelligence posts

Phishing campaigns use “account activity alerts” to trick HSBC and Apple customers

May 8, 2020
4
min read

The global pandemic, which has infected approximately 3.76 million people around the world, has had adverse effects on the global economy as well. And to add to these woes, businesses are being targeted by cyber criminals, at an unprecedented scale. These include malware and ransomware attacks, online scams, and phishing campaigns. Since people across the world are working and communicating via emails, SMS, videoconferencing, etc., there has been a dramatic increase in phishing emails and smishing messages.

Most businesses use SMS and email to authenticate transactions, send payment reminders, and apprise their customers on promotions and offers. And this has been quite essential for them, during the lockdown period. Unsurprisingly, more and more crooks are taking advantage of this. 

 

Smishing trap masquerades as HSBC “account activity alert”

A recent smishing threat that targets HSBC customers as well as non-customers, sends SMSs warning them of an account activity that has been logged. The SMS also instructs customers to click on the link attached to the message, if the activity looks suspicious. 

Smishing HSBCEven though the average customer would know the domain name of their bank, this link (legitimate-site.malicious.com) could easily pass for a genuine website, fooling several users. This type of scam is known as subdomain phishing, wherein the scammer uses a legitimate subdomain along with a malicious domain name, as in legitimate-site.malicious.com. In this case, security.hsbcuk is the legitimate subdomain and confirmsecurekey.com is the suspicious domain name.

When you look up the domain name, security(.)hsbcuk(.)confirmsecurekey(.)com, on VirusTotal it points to other phishing URLs that are associated with this domain. They appear to be targeting Nationwide and HSBC customers, in particular. The URLs that are connected to the domain are:

https://request-for-new-payee(.)com/

https://security.hsbcuk.secure-key-alerts(.)com/

https://nationwide.uk.request-for-new-payee(.)com/

http://security.hsbcuk.confirm-securekey(.)com/

http://security.hsbcuk.secure-key-alerts(.)com/

http://nationwide.uk.request-for-new-payee(.)com/

http://security.hsbcuk.securekey-activity(.)com/

http://request-for-new-payee(.)com/

http://security.hsbcuk.securekey-alerts(.)com/

These phishing URLs remind us of how easy it is to obtain SSL certificates (https extension). With a much more convincing domain name and an SSL certificate, even the average user can fall prey to such attacks.

 

Phishing bait has been posing as Apple “sign-in notification” since Dec’2019

This Apple suspicious activity alert email seems to have cropped up in December 2019, and appears to be the handiwork of a crafty scammer. Similar to the smishing attack on HSBC, this phishing email warns the customer of a suspicious account activity. However, it directs the user to open the attached PDF document for additional information. 

Apple phishing

The most deceptive part of this phishing email is the hyperlink in the message (support.apple.com) that is in fact a shortened URL. And Apple customers may have been receiving emails from this sender since December 2019. Looking up this URL on VirusTotal leads to 33 other phishing URLs that may be connected to this phishing campaign.

 

Typical phishing tactics

When it comes to luring customers of financial institutions or otherwise, scammers tend to resort to standard phishing practices. Therefore, we ask users to be wary of the emails and SMSs they receive in the name of their banks. Scammers usually induce customers by:

  • Creating an urgency, such as a suspicious account activity that requires customer’s immediate attention or confirmation of account usage.
  • Requesting confidential or security information such as your online banking account number, passwords, PINs, or other such information.
  • Instructing customers to respond/ reply, fill a form/ document attached, click on links appended to the message, to verify your account or to move your money to another account in fear of malicious activities. 
  • Impersonating bank email addresses and website URLs to convince customers of its legitimacy. 
  • Fake lottery scams

How to prevent phishing, smishing attacks?

  • Do not open suspicious links or attachments.
  • Be wary of all emails and SMSs sent to you even from your bank or any other institution.
  • Hover over the links or email addresses you may find suspicious, to find its actual destination.
  • Do not share personal information, which includes credentials, account numbers, customer ID, PINs, card details, with anyone.
Tags:
No items found.