Threats

Today’s Catch: Phishing Roundup – Part 1

Andrea Kaiser
Updated — August 14, 2023 • 4 minute read

In this blog post we’re going to cover several aspects of phishing trends that we’ve seen over the past three months. Phishers are always out for your personal information and are using clever ways to fool you into handing it over. By keeping a close eye on tactics and targets, we hope this look into trends will help victims more easily recognize when they’re being phished.

Let’s first look into a campaign that was targeting compromised WordPress sites.

Take it to the Bank

WordPress is a widely used content management system, and this popularity no doubt makes it an attractive target for attackers looking for exploits to compromise websites running it. As far as phishing goes, we see WordPress sites hosting a variety of different phishing pages that change daily. We'd like to share a summary of some of the URIs being used within the URLs of these compromised sites and also shine some light on the phishing brands being impersonated.

From July through August we observed a phishing campaign posing as several Canadian banks, running on compromised WordPress sites, with similar URIs in the URLs created by the attackers. Surprisingly, the geographic location of the visitors to these domains, as seen on our resolvers, had one country in common, and it wasn't Canada. It was the Netherlands.

Common URIs seen across the compromised sites:
/wp/tax/taxb/cibc/
/wp/tax/taxb/rbc2/
/wp/taxrev/tax/tax/taxb/atb/
/wp/tax/taxb/desj/
/wp/tax/taxb/bnc/
accountConfirm.php
Indentification.php
questions.php
logging.php

The following banks were impersonated July through August:
CIBC
Royal Bank of Canada
ATB
Desjardins
BNC

This campaign looks to be using a phishing kit from the ‘l33bo_phishers’ group. This phishing kit also includes other banks such as TD Canada Trust and Scotiabank.

Phishing kit: 167f26fa03b1db4642613661b98ad29bcb10abdb84d2c29c07687fad23a42220

The websites from the beginning of this campaign appear to have taken down the phishing pages, but we're still finding new compromised sites that host these phishes using the same kit. This campaign still appears to be active as of the publishing of this blog.
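The common URI layout listed above is a usable detection signal in web proxy logs. The following is an added example, not code from the post or from Cisco Umbrella: it generalises the listed paths into one pattern and scans constructed log lines (hostnames under the reserved .invalid TLD are placeholders).

```python
import re
from urllib.parse import urlsplit

# Directory pattern generalised from the URIs in the post:
# /wp/ ... /tax/taxb/<bank>/ with optional extra segments (e.g. taxrev/tax/),
# plus the kit's PHP pages (the misspelt "Indentification.php" is the kit's own).
KIT_DIR_RE = re.compile(r"/wp/(?:[a-z]+/)*tax/taxb/(cibc|rbc\d*|atb|desj|bnc)/", re.I)
KIT_PAGES = {"accountconfirm.php", "indentification.php", "questions.php", "logging.php"}

def classify_url(url: str):
    """Return a finding dict if the URL path matches the kit layout, else None."""
    parts = urlsplit(url)
    m = KIT_DIR_RE.search(parts.path)
    if not m:
        return None
    page = parts.path.rsplit("/", 1)[-1].lower()
    return {
        "host": parts.hostname,
        "bank": m.group(1).lower(),
        "page": page,
        "kit_page": page in KIT_PAGES,
    }

def scan_proxy_log(text: str):
    """Scan whitespace-separated proxy log lines shaped as
    '<timestamp> <client> <method> <url> <status>' and return one finding per hit."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        hit = classify_url(fields[3])
        if hit:
            hit.update({"time": fields[0], "client": fields[1]})
            findings.append(hit)
    return findings

# Constructed sample log for this example.
SAMPLE_LOG = """\
2023-08-02T10:14:03Z 10.0.0.5 GET https://example-blog.invalid/wp/tax/taxb/cibc/accountConfirm.php 200
2023-08-02T10:14:09Z 10.0.0.5 GET https://example-blog.invalid/wp-content/uploads/2023/08/photo.jpg 200
2023-08-02T10:15:41Z 10.0.0.7 GET https://another-site.invalid/wp/taxrev/tax/tax/taxb/atb/Indentification.php 200
2023-08-02T10:16:00Z 10.0.0.9 GET https://shop.invalid/wp/tax/taxb/rbc2/ 200
"""

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_LOG):
        print(finding)
```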

Figure: screen capture of a banking information form, a phishing page pretending to be BNC bank.

Be sure to take a look at the full URL in your browser before entering any personal account information into an online form. Phishing actors are counting on you neglecting to scrutinize the full URL and instead glancing at keywords you recognize and judging it safe.

Now that we’re on the subject of inspecting full URLs, we’re going to talk about the Tabnabbing technique.

TAB NABIT! THEY STOLE MY PASSWORD!

Phishing actors are constantly using new methods to fool victims into giving up sensitive information. They may impersonate the IRS to acquire SSNs, your company's IT department to get user passwords, or a bank login page to gain access to financial accounts.

The delivery methods don’t change too often, but another type of phishing is being presented to victims in an unusual way.

You know that trick you used to play on your friends when you were a kid? Like say your friend had a bowl of jelly beans and you wanted one. You’d be like “Hey! What’s that over there!?” And then when your friend turned around, you’d take a jelly bean and eat it. SNEAKY! Well this phishing technique is sort of like that. A minor difference is that instead of taking a jelly bean, you replaced the bowl of jelly beans with a username and password prompt that looked like a bowl of jelly beans. Follow? As unlikely as this scenario is at fooling anybody, the real thing is a bit more devious.

In this scenario, the attacker posts a link on a public forum or in chat software; we'll call the tab containing it Tab1. When the victim clicks the link, the website opens in a new tab, which we will call Tab2. While you're viewing Tab2, the domain triggers a JavaScript function (window.open) that somewhat covertly changes the website in Tab1 to a credential harvesting page designed to look convincingly like the page it's posing as. Modern browsers have begun to mitigate this, but malicious code running on a system can still pop up new browser windows that perform similar impersonation attempts.
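The defence against the scenario above is to deny the opened tab a handle back to its opener: a link that opens a new tab with target="_blank" should carry rel="noopener" (rel="noreferrer" implies it), so the new page cannot reach window.opener. As an added example, not from the post, the following scanner checks a constructed HTML page for links and forms that open a new tab without that attribute; hostnames under .invalid are placeholders.

```python
from html.parser import HTMLParser

class OpenerAudit(HTMLParser):
    """Flag elements that open a new browsing context (target="_blank") without
    rel="noopener"/"noreferrer": the opened page would keep a window.opener
    handle back to this page, which is what tabnabbing abuses."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area", "form"):
            return
        a = {name: (value or "") for name, value in attrs}
        if a.get("target", "").lower() != "_blank":
            return
        rel = set(a.get("rel", "").lower().split())
        if rel & {"noopener", "noreferrer"}:
            return  # noreferrer implies noopener in browsers
        line, _ = self.getpos()
        self.findings.append({"line": line, "tag": tag,
                              "url": a.get("href") or a.get("action", "")})

def audit_html(html: str):
    """Return one finding per element that exposes window.opener to a new tab."""
    parser = OpenerAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: one unsafe link, one hardened link, one same-tab link,
# and a form posting into a new tab.
SAMPLE_HTML = """<html><body>
<a href="https://forum.invalid/thread/1" target="_blank">new tab, opener exposed</a>
<a href="https://forum.invalid/thread/2" target="_blank" rel="noopener noreferrer">new tab, opener severed</a>
<a href="https://forum.invalid/thread/3">same tab</a>
<form action="https://forum.invalid/post" target="_blank" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_HTML):
        print(f"line {f['line']}: <{f['tag']}> opens {f['url']} in a new tab without rel=noopener")
```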

Phishers know that it's best to attack you when your guard is down, and this method is so sneaky that I almost didn't notice it at first. They say that the best defense against a phishing attack is knowledge of the attackers' methods and procedures and keeping a sharp eye, so knowing about this attack makes you that much less likely to be phished in the future.

Attackers also use punycode to encode internationalized domain names, which displays a URL in your browser that VERY closely mimics the real thing, even though the characters are totally different. A recent example of a punycoded domain is xn--denizbankas-9zba[.]com, which when converted looks like denizbankasıı[.]com in the web browser, a good replica of denizbank[.]com if not closely inspected. DenizBank is a large private bank in Turkey. We first resolved this domain in July. As of the publishing of this blog, it no longer resolves.

Come back next Monday to learn about the latest brands we have observed trending in phishing over the past 3 months.

Why Cisco Umbrella?

Umbrella protects users from connecting to malicious sites on the Internet and analyzes over 180 billion DNS requests daily. The sheer volume of DNS requests gives our Researchers a unique view of the Internet to better identify trends on threats, faster.

Interested in trying out Umbrella? Sign up for a free 14-day trial today.
