The global pandemic, which has infected approximately 3.76 million people around the world, has had adverse effects on the global economy as well. To add to these woes, businesses are being targeted by cyber criminals at an unprecedented scale. The attacks include malware and ransomware, online scams, and phishing campaigns. Since people across the world are working and communicating via email, SMS, videoconferencing, etc., there has been a dramatic increase in phishing emails and smishing messages.
Most businesses use SMS and email to authenticate transactions, send payment reminders, and apprise their customers of promotions and offers. This has been essential for them during the lockdown period. Unsurprisingly, more and more crooks are taking advantage of it.
A recent smishing threat that targets HSBC customers as well as non-customers sends SMSs warning them that account activity has been logged. The SMS also instructs recipients to click on the link included in the message if the activity looks suspicious.
Even though the average customer would know the domain name of their bank, this link, which follows the pattern legitimate-site.malicious.com, could easily pass for a genuine website, fooling several users. This type of scam is known as subdomain phishing, wherein the scammer places a legitimate-looking subdomain in front of a malicious domain name, as in legitimate-site.malicious.com. Only the registered domain at the right-hand end of the hostname shows who controls the site. In this case, security.hsbcuk is the legitimate-looking subdomain and confirmsecurekey.com is the suspicious domain name.
When you look up the domain name security(.)hsbcuk(.)confirmsecurekey(.)com on VirusTotal, it points to other phishing URLs that are associated with this domain. The URLs connected to the domain appear to be targeting Nationwide and HSBC customers in particular.
These phishing URLs remind us of how easy it is to obtain SSL certificates (the https prefix). A certificate only shows that the connection is encrypted, not that the site belongs to the bank. With a much more convincing domain name and an SSL certificate, even the average user can fall prey to such attacks.
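The subdomain phishing pattern described above can be checked mechanically by comparing the registered domain of a link against the domains a brand actually uses. The following is an added example, not code from the original article; the brand allowlist and the short suffix set (a stand-in for the Public Suffix List) are assumptions, and the sample links are the defanged hostnames quoted in this article.

```python
from urllib.parse import urlsplit

# Assumption: brand keyword -> registered domains the brand really uses.
BRAND_DOMAINS = {
    "hsbc": {"hsbc.co.uk", "hsbc.com"},
    "nationwide": {"nationwide.co.uk"},
}
# Assumption: tiny stand-in for the Public Suffix List, enough for these samples.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk"}


def hostname(url):
    """Refang '(.)' / '[.]' notation and return the lower-cased host."""
    url = url.replace("(.)", ".").replace("[.]", ".")
    if "://" not in url:
        url = "//" + url  # lets urlsplit treat a bare host as the netloc
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(host):
    """Return the label left of the public suffix plus the suffix itself."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check(url):
    """Return (registered domain, brands named only in the subdomain part).

    The scheme is ignored on purpose: https says nothing about ownership.
    """
    host = hostname(url)
    reg = registrable_domain(host)
    sub = host[: -len(reg)].rstrip(".") if reg else ""
    hits = sorted(
        brand for brand, owned in BRAND_DOMAINS.items()
        if reg not in owned and any(brand in label for label in sub.split("."))
    )
    return reg, hits


if __name__ == "__main__":
    samples = [  # hostnames as quoted in the article, plus one genuine site
        "security(.)hsbcuk(.)confirmsecurekey(.)com",
        "https://nationwide.uk.request-for-new-payee(.)com/",
        "https://www.hsbc.co.uk/",
    ]
    for s in samples:
        reg, hits = check(s)
        print(f"{s}: registered domain={reg}, impersonates={hits or 'none'}")
```

A production filter would load the full Public Suffix List and also look for brand names inside the registered domain itself, which this sketch does not cover.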
This Apple suspicious activity alert email seems to have cropped up in December 2019, and appears to be the handiwork of a crafty scammer. Similar to the smishing attack on HSBC, this phishing email warns the customer of suspicious account activity. However, it directs the user to open the attached PDF document for additional information.
The most deceptive part of this phishing email is the hyperlink in the message: it is displayed as support.apple.com but is in fact a shortened URL. Apple customers may have been receiving emails from this sender since December 2019. Looking up this URL on VirusTotal leads to 33 other phishing URLs that may be connected to this phishing campaign.
When it comes to luring customers of financial institutions or otherwise, scammers tend to resort to standard phishing practices. Therefore, we ask users to be wary of the emails and SMSs they receive in the name of their banks. Scammers usually induce customers by: