Overview of selected scams - March 2024

 

We present the report on identified threats and the methods of operation by criminals for the month of March 2024. This document highlights selected risks to customers of Polish banks. We encourage you to review the material. The document does not cover threats that have been known for many months and were described in an earlier report, such as the "classicscam", fake Facebook login panels, fake shops and other. It is essential to remember, however, that these scenarios are still being used by criminals, and we must continually work against them.

False investment schemess

A well-known but still very popular criminal scenario is fake investments. It's a scam scheme in which cybercriminals impersonate well-known individuals or institutions. They aim to persuade people to invest their money. In reality, their goal is to expose the victim to high financial losses.

Criminals still eagerly utilize deepfake technology to create deceptive materials. They use the images of well-known individuals to generate video recordings promoting supposed investments (Fig. 1-2).

Figure 1 The use of deepfake technology to create deceptive content 1/2

Figure 2 The use of deepfake technology to create deceptive content 2/2

 

False offers (both in the form of video recordings and static ads) are distributed through:

  • ads on the Facebook platform (Fig. 3),

 

Figure 3 Fake investment - ads on the Facebook platform

 

  • ads on the X (formerly Twitter) platform (Fig. 4),

Figure 4 Fake investment - ads on the X platform

 

Upon clicking on each of the previously shown links, the victim is directed to a webpage where they enter their contact information (Fig. 5). It also happens that the form is directly on Facebook.

Figure 5 False investments - phishing site

 

The data obtained by cybercriminals in this way enables them to establish contact with the manipulated person, then stealing their money. Many people still fall for this scenario, so it is very important to take actions aimed at countering it.

IMPERSONATING POLISH BANKS

Criminals regularly impersonate banks to extract information about payment cards and authentication data for online banking. They also encourage downloading malicious applications. In March 2024, criminals also utilized this method of operation.

 

Criminals publish ads on the Facebook platform, impersonating Polish banks. Under the pretext of claiming a reward or the necessity of updating an application, they attempt to phish authentication data for online banking and payment card details.

Appearance of the ads published on the Facebook platform (Fig. 6):

Figure 6 Ads impersonating polish banks

Appearance of the ads and  phishing sites (Fig. 15-17):           

 

Figure 7 Fake ads and phishing sites - impersonating polish bank

 

Fake SMS messages and phishing sites are used for cybercrime:

  • impersonating Millennium Bank (Fig. 8):

 

Figure 8 Fake SMS and phishing sites - impersonating Millennium Bank

  • impersonating ING Bank (Fig. 9):

 

Figure 9 Fake SMS and phishing site - impersonating ING Bank

 

  • impersonating BNP Paribas (Fig. 10):

 

Figure 10 Fake SMS and phishing site - impersonating BNP Paribas

 

Appearance of a phishing sites impersonating polish banks (Fig. 11-13).

 

Figure 11 Phishing sites - impersonating Pekao

Figure 12 Phishing sites - impersonating ING

Figure 13 Phishing sites - impersonating PKO

 

 "TAX REFUND CONFIRMATION", GOVERNMENT WEBSITE IMPERSONATION

Criminals, impersonating government site, they informed about a supposedly approved tax refund application and the possibility of receiving money after data verification. They encouraged clicking on a link that, in reality, led to a phishing site. In this way, the fraudsters aimed to obtain information about payment card details.

Fake email message (Fig. 14):

 

Figure 14 Fake email, source: https://twitter.com/CERT_Polska/status/1769654859664416871

Phishing site (Fig. 15):

Figure 15 Phishing site - impersonating goverment website

 

 WROCŁAW CITY CARD

Criminals set up phishing websites impersonating city of Wrocław. They informed about a supposed opportunity to purchase a personalized city card. To take advantage of the promotion, they encouraged clicking on a link. This link led to a fake website, where fraudsters tried to obtain information about the payment card (full card number, CVV code, and expiration date).

Ads of the Facebook platform (Fig. 16):

Figure 16 Fake ads od the Facebook platform

 

Phishing sites used in the described campaign (Fig. 17):

Figure 17 Phishing sites - impersonating city of Wrocław



"OVERDUE HIGHWAY TOLLS” – IMPERSONATING E-TOLL

Criminals prepared a phishing campaign and informed about a supposed necessity to pay overdue bills for highway tolls. To avoid alleged further consequences, they encouraged clicking on a link. This link led to a fake site where fraudsters tried to obtain information about the payment card.

SMS message containing a phishing site (Fig. 18):


Figure 18 Fake SMS - impersonating e-Toll

Phishing sitea (Fig. 19):

 

Figure 19 Phishing sites - impersonating e-Toll

IMPERSONATING COURIER COMPANIES

Criminals once again prepared a phishing campaign impersonating courier companies. This time, they used the image of InPost and DHL. Phishing sites were distributed through SMS messages. On the fake site, personal data and information about payment cards were solicited.

Fake SMS messages and phishing sites (Fig. 20-21):

 

Figure 20 Fake SMS and phishing sites - impersonating InPost

 

Figure 21 Fake SMS and phishing sites - impersonating DHL

 NO ACESS TO INTERNET TELEVISON

Criminals prepared a phishing campaign impersonating Netflix and HBO. By informing that the subscription had supposedly expired, they encouraged clicking on a link. On the fake site, personal data and information about payment cards were solicited.

Example SMS message impersonating Netflix (Fig. 22):

 

 

Figure 22 Fake SMS message and phishing site - impersonating Netflix

Example email message impersonating HBO (Fig. 23):

 

Figure 23 Fake email message and phishing site - impersonating HBO


"FRIENDLY REMINDER" - IMPERSONATING SPOTIFY

Criminals prepared a phishing campaign impersonating Spotify. Informing that an invoice needs to be paid, they encouraged clicking on a link contained in the email. On the fake site, personal data and information about payment cards were solicited.

Example email message and phishing site impersonating Spotify (Fig. 24):

Figure 24 Fake emial and phishing site - impersonating Spotify


Yet another month of this year has demonstrated that criminals are constantly refining their methods of operation. We consistently believe that conducting informational and educational activities is crucial.

That's why news about cyber threats and fraudulent trends are also published on the following our social media platform: TwitterLinkedIn and Facebook.