Overview of selected scams - NOVEMBER 2023

 

We present the report on identified threats and the methods of operation by criminals for the month of October 2023. This document highlights selected risks to customers of Polish banks. We encourage you to review the material.

The document does not cover threats that have been known for many months and were described in an earlier report, such as the "classicscam", fake ads, fake shops and others. It is essential to remember, however, that these scenarios are still being used by criminals, and we must continually work against them.

False investment schemes

In November 2023, the scam known as "investment fraud" was still active. This fraud scheme involves cybercriminals impersonating well-known individuals or institutions, with the aim of persuading potential victims to invest funds in exchange for a high rate of return.

Criminals increasingly use themes related to artificial intelligence in their fake offers, because the topic is popular in the public domain. They are also increasingly using deepfake technology to create their materials and make the manipulation more effective: attackers take the images of well-known people and generate video recordings that present content encouraging false investments.

False offers (both in the form of video recordings and static advertisements) are distributed through:

 

  • advertisements on the Facebook platform,
  • advertisements in the Google search engine,
  • advertisements in the MSN search engine,
  • advertisements on the Twitter social networking service.

After clicking on a link, the victim lands on a page where registration is required. The data obtained this way enables the cybercriminals to contact the potential, already manipulated victim and, in the next step, to steal their funds. In similar cases, the criminals often encouraged the installation of remote management software. When the victim wants to withdraw the earned funds (often realizing that they may have been deceived), they are told that they need to "check the bank account through the AML system". For this purpose, the cybercriminals send a link to a phishing site, where authentication data for electronic banking are extorted. In this way, cybercriminals first persuade the victim to transfer high amounts, and then gain access to electronic banking.

Recently, scammers have expanded this fraud variant. In published fake advertisements, they offered alleged help in recovering funds to people who had already fallen victim to investment fraud. The aim is to play a psychological game and persuade them to hand over further savings.

 

Examples of false advertisements and phishing sites (Fig. 1-3):

Figure 1 Impersonation of Trade AI

 

Figure 2 Impersonation of Baltic Pipe (most popular)

 

Figure 3 Impersonation of bank

 

Price deals

Cybercriminals offered products at competitive prices. On phishing sites, they impersonated well-known retail brands. Upon entering the site, the victim had to fill out a personal form. Then, the victim was asked to enter payment card details. All the data went into the hands of the criminals. We analyzed this campaign earlier, but the criminals have now changed the brand they are using.

 

Advert on the Facebook platform, containing a phishing page (Fig. 4-5):

Figure 4 Advertisement and a form to fill out - impersonation of the CCC store

Figure 5 Advertisement on Facebook - impersonation of 4F and Wojas stores

 

Advertisements on Bing – impersonating a bank

Cybercriminals purchased ads in the Bing search engine. They then linked these ads to a phishing site that impersonated the login page for Santander Bank Polska's online banking services. In this way, they were able to obtain sensitive data.

 

Advert on the BING search engine, containing a phishing page (Fig. 6):

Figure 6 Advertisement in the BING search engine

 

 

Phishing page (fig. 7):

 

Figure 7 Phishing site - impersonating Santander Bank Poland

 

Fake email – impersonating another Polish bank

Cybercriminals, impersonating a Polish bank named CITI Handlowy, sent out email messages. These messages informed recipients about a rejected incoming transfer. This was a lie. The criminals wanted to encourage the victim to click on a phishing link.

 

Email message containing a phishing site (Fig. 8):

Figure 8 Email message impersonating CITI Handlowy

Fake page (fig. 9):

Figure 9 Phishing site - impersonating CITI Handlowy

 

Impersonating government websites

It's not a novelty that attackers often adapt their phishing scenarios to the ongoing situation or the timing of their campaigns. In November 2023, with the calendar year coming to an end, cybercriminals decided to also exploit the theme of tax settlements for the year 2022.

 

Cybercriminals, claiming a supposed opportunity to receive a refund for overpaid tax for the year 2022, encouraged clicking on a link. In reality, the victim was directed to a phishing site, where they were asked to enter their payment card details or choose the bank where they have accounts. If they did this, their data were captured by the criminals.

 

Email message containing a phishing site (Fig. 10):

 

Figure 10 Email message impersonating GOV

 

 

Phishing sites informing about the possibility of receiving a refund (fig. 11-13):

Figure 11 Phishing site - impersonating GOV

Figure 12 Phishing sites - tax refund 1/2

 

Figure 13 Phishing sites - tax refund 2/2

 

Fake SMS message

SMS messages have been a well-known method of distributing phishing domains for years. In November 2023, they were still one of the main methods.

Impersonating Polish Post Office

Cybercriminals conducted a well-known phishing campaign in Poland, impersonating Poczta Polska (the Polish postal service). This time, they forgot to translate the sender's name, signing off as 'Poland Post'. We described a similar phishing campaign in a report, which we encourage you to read: https://cebrf.knf.gov.pl/images/Raporty/International_phishing_campaign_EN-2.pdf

 

SMS message containing a phishing site (Fig. 14):


Figure 14 Fake SMS message impersonating Polish Post

 

Phishing pages (fig. 15):

 

Figure 15 Phishing sites impersonating Polish Post

 

Customs fee – impersonating UPS

Cybercriminals, impersonating UPS, sent out SMS messages informing about a package subject to a customs fee of 2.99 PLN. To make the payment, recipients were instructed to click on an attached link, which in reality led to a phishing site.

 

SMS message containing a phishing site (Fig. 16):

Figure 16 Fake SMS message impersonating UPS

 

Phishing pages (fig. 17):

Figure 17 Phishing sites impersonating UPS

 

Delivery failure – impersonating InPost

Cybercriminals impersonated the courier company named InPost, but mistakenly signed the SMS message as Poczta Polska. They informed recipients about the need to update their address to receive a package. For the distribution of messages, they utilized the functionality of the iMessage app developed by Apple. A similar phishing campaign took place in Poland in September 2023.

 

SMS message containing a phishing site (Fig. 18):

 

Figure 18 Phishing SMS message - impersonating Poczta Polska and InPost

 

Phishing pages (fig. 19):

Figure 19 Phishing sites impersonating InPost

 

Impersonating Booking

In November 2023, we also analyzed a campaign impersonating Booking. The criminals sent malware (a stealer) as an attachment. Their goal was to obtain login credentials for the Booking platform.

 

How does it work?

  1. Hotel owners receive fake reservation inquiries in the form of email messages with malware.
  2. After infection, the criminals steal login data for Booking.
  3. They then create fake offers and phishing sites, deceiving hotel customers.
  4. The fake sites are sent to customers via Booking or other channels.

 

Message containing a phishing site (Fig. 20):

Figure 20 Message distributed in the campaign impersonating Booking

 

Phishing page (fig. 21):

Figure 21 Phishing sites impersonating Booking

 

People’s Theater tickets

Cybercriminals, once again impersonating the Theatre, set up a phishing site. They offered the opportunity to purchase tickets for a performance. In reality, the site aimed to steal information about card details.

Phishing pages (fig. 22-23):

Figure 22 Phishing site impersonating the Theatre 1/2

Figure 23 Phishing site impersonating the Theatre 2/2

 

Wolt promo codes

Cybercriminals, impersonating the company Wolt, offered discounts for Black Friday. In reality, their aim was to steal payment card information.

 

Phishing pages (fig. 24-25):

 

Figure 24 Phishing site impersonating Wolt 1/2

Figure 25 Phishing site impersonating Wolt 2/2

 

Yet another month of this year has demonstrated that criminals are constantly refining their methods of operation. We consistently believe that conducting informational and educational activities is crucial.

That's why news about cyber threats and fraudulent trends is also published on our social media platforms: Twitter, LinkedIn and Facebook.