Today’s Catch: Phishing Roundup – Part 1

By Andrea Kaiser
Posted on August 26, 2019
Updated on March 25, 2020

In this blog post we’re going to cover several aspects of phishing trends that we’ve seen over the past three months. Phishers are always out for your personal information and are using clever ways to fool you into handing it over. By keeping a close eye on tactics and targets, we hope this look into trends will help victims more easily recognize when they’re being phished.

Let’s first look into a campaign that was targeting compromised WordPress sites.

Take it to the Bank

WordPress is a widely used content management system, and that popularity no doubt adds to its appeal for attackers looking for exploits and for websites to compromise. As far as phishing goes, we see WordPress sites hosting a variety of different phishing pages that change daily. We’d like to share a summary of some of the URIs being used within the URLs on these compromised sites and also shine some light on the brands being impersonated.

From July through August we observed a phishing campaign posing as several Canadian banks, running on compromised WordPress sites, with similar URIs in the URLs created by the attackers. Surprisingly, the geographic location of the visitors to these domains, as seen on our resolvers, had one country in common, and it wasn’t Canada. It was the Netherlands.

Common URIs seen across the compromised sites:
/wp/tax/taxb/cibc/
/wp/tax/taxb/rbc2/
/wp/taxrev/tax/tax/taxb/atb/
/wp/tax/taxb/desj/
/wp/tax/taxb/bnc/
accountConfirm.php
Indentification.php
questions.php
logging.php

The following banks were impersonated July through August:
CIBC
Royal Bank of Canada
ATB
Desjardins
BNC

This campaign looks to be using a phishing kit from the ‘l33bo_phishers’ group. This phishing kit also includes other banks, such as TD Canada Trust and Scotiabank.

Phishing kit: 167f26fa03b1db4642613661b98ad29bcb10abdb84d2c29c07687fad23a42220

The websites from the beginning of this campaign appear to have had the phishing pages taken down, but we’re still finding newly compromised sites hosting pages built from this kit. The campaign still appears to be active as of the publication of this post.
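The URI structure listed above is distinctive enough to hunt for in proxy or DNS-with-URL logs. The following is an added example, not code from the post or from Cisco Umbrella: it encodes the directory layout and page names from the list as a matcher and runs it over a few constructed log lines (the hosts, client addresses and log format are invented for the example).

```python
"""Flag logged URLs whose paths match the URI structure of the Canadian-bank
phishing campaign. Added example; the log format and hosts are constructed."""
import re
from urllib.parse import urlsplit

# Directory layout listed in the post: /wp/tax/taxb/<bank>/, sometimes with
# extra tax/ or taxrev/ components (e.g. /wp/taxrev/tax/tax/taxb/atb/).
KIT_DIR = re.compile(r"^/wp/(?:taxrev/)?(?:tax/)+taxb/[a-z0-9]+/", re.IGNORECASE)

# Page names listed in the post, spelled exactly as the kit spells them
# (including "Indentification.php").
KIT_FILES = {"accountConfirm.php", "Indentification.php", "questions.php", "logging.php"}


def classify_url(url):
    """Return a verdict string for one URL, or None when nothing matches."""
    path = urlsplit(url).path
    dir_hit = KIT_DIR.match(path) is not None
    file_hit = path.rsplit("/", 1)[-1] in KIT_FILES
    if dir_hit and file_hit:
        return "kit-dir+file"   # strongest signal: directory and page name both match
    if dir_hit:
        return "kit-dir"        # the directory layout alone is already distinctive
    if file_hit:
        return "kit-file"       # generic names such as logging.php need corroboration
    return None


# Constructed sample log: "<timestamp> <client ip> <url>", one request per line.
SAMPLE_LOG = """\
2019-08-03T10:12:41Z 10.0.0.7 https://blog-site.example/wp/tax/taxb/cibc/Indentification.php
2019-08-03T10:13:02Z 10.0.0.7 https://blog-site.example/wp/2019/08/hello-world/
2019-08-03T10:14:19Z 10.0.0.9 https://shop-site.example/wp/taxrev/tax/tax/taxb/atb/questions.php
2019-08-03T10:15:55Z 10.0.0.4 https://intranet.example/logging.php
"""


def scan_log(text):
    """Return one dict per flagged request, in log order."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url = line.split(maxsplit=2)
        verdict = classify_url(url)
        if verdict:
            hits.append({"ts": ts, "client": client, "url": url, "verdict": verdict})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['verdict']:<13} {hit['client']:<10} {hit['url']}")
```

Only the path is matched, so ordinary traffic to the compromised site's front page is not flagged; a `kit-file` hit on its own (the last sample line) is worth a look but not an alert, since `logging.php` and `questions.php` are common file names.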

A phishing page pretending to be BNC bank

Be sure to take a look at the full URL in your browser before entering any personal account information into an online form. Phishing actors are counting on you neglecting to examine the full URL, glancing instead at keywords you recognize and assuming the page is safe.

Now that we’re on the subject of inspecting full URLs, we’re going to talk about the Tabnabbing technique.

TAB NABIT! THEY STOLE MY PASSWORD!

Phishing actors are constantly using new methods to fool victims into giving up sensitive information. They may impersonate the IRS to acquire SSNs, your company’s IT department to get user passwords, or a bank login to gain access to financial accounts.
The delivery methods don’t change too often, but one type of phishing is being presented to victims in an unusual way.

You know that trick you used to play on your friends when you were a kid? Like say your friend had a bowl of jelly beans and you wanted one. You’d be like “Hey! What’s that over there!?” And then when your friend turned around, you’d take a jelly bean and eat it. SNEAKY! Well this phishing technique is sort of like that. A minor difference is that instead of taking a jelly bean, you replaced the bowl of jelly beans with a username and password prompt that looked like a bowl of jelly beans. Follow? As unlikely as this scenario is at fooling anybody, the real thing is a bit more devious.

In this scenario, the attacker posts a link on a public forum or in chat software, which we’ll call Tab1. When the victim clicks on the link, the website is opened in a new tab, which we will call Tab2. While you’re viewing Tab2, the site triggers a JavaScript function (window.open) that somewhat covertly changes the website in Tab1 to a credential harvesting page designed to look convincingly like the page it’s posing as. Modern browsers have begun to mitigate against this, but malicious code running on a system can still pop up new browser windows that perform similar impersonation attempts.
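The site-side mitigation for this is to make sure that a link which opens in a new tab carries `rel="noopener noreferrer"`, so that the opened page receives a null `window.opener` and has no reference through which to rewrite the first tab. The following is an added example, not code from the post or from Cisco Umbrella: a small filter that a forum or chat application could apply to user-posted HTML before rendering it. The forum's own host name (`forum.example`) and the sample fragment are assumptions.

```python
"""Add rel="noopener noreferrer" to external links that open in a new tab, so the
opened page cannot navigate the tab that opened it. Added example, not the post's code."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical: the application's own host; links anywhere else are external.
SITE_HOST = "forum.example"
REQUIRED_REL = {"noopener", "noreferrer"}


class LinkHardener(HTMLParser):
    """Re-emits the fragment unchanged except for the rel attribute on <a> tags."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.changed = 0

    @staticmethod
    def _attrs_to_str(attrs):
        parts = []
        for name, value in attrs:
            parts.append(name if value is None else f'{name}="{html.escape(value, quote=True)}"')
        return (" " + " ".join(parts)) if parts else ""

    def _harden(self, tag, attrs):
        if tag != "a":
            return attrs
        d = dict(attrs)
        host = urlsplit(d.get("href") or "").hostname      # None for relative links
        external = host is not None and host != SITE_HOST
        new_tab = (d.get("target") or "").lower() == "_blank"
        if not (external and new_tab):
            return attrs
        tokens = set((d.get("rel") or "").lower().split())
        if REQUIRED_REL <= tokens:
            return attrs                                   # already hardened
        tokens |= REQUIRED_REL
        self.changed += 1
        return [(n, v) for n, v in attrs if n != "rel"] + [("rel", " ".join(sorted(tokens)))]

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs_to_str(self._harden(tag, attrs))}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs_to_str(attrs)}/>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def harden_links(fragment):
    """Return (rewritten fragment, number of links that were hardened)."""
    parser = LinkHardener()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.changed


# Constructed sample post: one external new-tab link, one internal link.
SAMPLE_POST = ('<p>See <a href="https://other.example/post" target="_blank">this</a>'
               ' &amp; <a href="/faq">FAQ</a></p>')

if __name__ == "__main__":
    rewritten, count = harden_links(SAMPLE_POST)
    print(count, rewritten)
```

Internal links and links that open in the same tab are left alone; an existing `rel` value (for example `nofollow`) is kept and only the missing tokens are added. This complements, rather than replaces, the browser-side default that recent browsers apply to `target="_blank"`.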

Phishers know that it’s best to attack you when your guard is down, and this method is so sneaky that I almost didn’t notice it at first. They say that the best defense against a phishing attack is knowledge of the attackers’ methods and procedures and keeping a sharp eye, so knowing about this attack makes you that much less likely to be phished in the future.

Attackers also use punycode to encode internationalized domain names, which displays a URL in your browser that VERY closely mimics the real thing, even though the characters are totally different. A recent example of a punycoded domain is xn--denizbankas-9zba[.]com, which the web browser renders as denizbankasıı[.]com, a good replica of denizbank[.]com if not closely inspected. DenizBank is a large private bank in Turkey. We first resolved this domain in July. As of the publishing of this blog, it no longer resolves.
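Decoding the `xn--` form yourself shows what the browser will display, and folding look-alike letters back to ASCII lets you compare the result against brands you care about. The following is an added example, not code from the post or from Cisco Umbrella, and it goes a little beyond the post by adding a watch-list check: `xn--denizbankas-9zba.com` is the domain from the post, while the watch-list, the look-alike table and the second test domain (`xn--mnchen-3ya.de`, the standard IDN example for münchen.de) are assumptions for the example.

```python
"""Decode punycode (xn--) labels and flag domains whose ASCII skeleton contains
a watch-listed brand. Added example, not part of the original post."""
import unicodedata

# Brand domains to protect. denizbank.com is named in the post; the list
# itself is constructed for the example.
WATCHLIST = {"denizbank.com"}

# Minimal constructed table of letters that render like ASCII but are not
# decomposed by NFKD (dotless i is the one used in the post's example).
LOOKALIKES = {"ı": "i", "ſ": "s", "ɡ": "g", "а": "a", "е": "e", "о": "o", "р": "p", "с": "c"}


def decode_label(label):
    """Turn one DNS label into the form a browser would display."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def to_unicode(domain):
    return ".".join(decode_label(label) for label in domain.rstrip(".").split("."))


def skeleton(text):
    """Fold accents and known look-alike letters down to plain ASCII."""
    out = []
    for ch in text:
        ch = LOOKALIKES.get(ch, ch)
        for base in unicodedata.normalize("NFKD", ch):
            if not unicodedata.combining(base):
                out.append(base)
    return "".join(out).lower()


def check_domain(domain):
    """Return (displayed form, matched brand or None)."""
    shown = to_unicode(domain)
    if shown.isascii():
        return shown, None                       # nothing was hidden by encoding
    labels = skeleton(shown).split(".")
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    for brand in WATCHLIST:
        if brand.split(".")[0] in registrable:   # brand name embedded in the look-alike label
            return shown, brand
    return shown, None


if __name__ == "__main__":
    for d in ("xn--denizbankas-9zba.com", "xn--mnchen-3ya.de", "denizbank.com"):
        print(d, "->", check_domain(d))
```

The containment test is deliberately loose, because the post's example is not an exact homograph of denizbank.com: it adds a suffix and swaps in dotless i, so an exact-match comparison would miss it. The ASCII domain and the ordinary German IDN both come back unflagged.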

Come back next Monday to learn about the latest brands we have observed trending in phishing over the past 3 months.

Why Cisco Umbrella?

Umbrella protects users from connecting to malicious sites on the Internet and analyzes over 180 billion DNS requests daily. The sheer volume of DNS requests gives our Researchers a unique view of the Internet to better identify trends on threats, faster.

Interested in trying out Umbrella? Sign up for a free 14-day trial today.
