In this blog post we’re going to cover several aspects of phishing trends that we’ve seen over the past three months. Phishers are always out for your personal information and are using clever ways to fool you into handing it over. By keeping a close eye on tactics and targets, we hope this look into trends will help victims more easily recognize when they’re being phished.
Let’s first look into a campaign that was targeting compromised WordPress sites.
Take it to the Bank
WordPress is a widely used content management system, and that popularity makes it an attractive target for attackers looking for exploitable installations. As far as phishing goes, we see compromised WordPress sites hosting a variety of phishing pages that change daily. We'd like to share a summary of some of the URIs being used within the URLs of these compromised sites and also shed some light on the brands being impersonated.
From July through August we observed a phishing campaign posing as several Canadian banks, running on compromised WordPress sites, with similar URIs in the URLs created by the attackers. Surprisingly, the visitors to these domains, as seen from our resolvers, had one country in common, and it wasn't Canada. It was the Netherlands.
Common directory paths and page names seen across the compromised sites:
/wp/tax/taxb/cibc/
/wp/tax/taxb/rbc2/
/wp/taxrev/tax/tax/taxb/atb/
/wp/tax/taxb/desj/
/wp/tax/taxb/bnc/
accountConfirm.php
Indentification.php
questions.php
logging.php
The following banks were impersonated July through August:
CIBC
Royal Bank of Canada
ATB
Desjardins
BNC
This campaign looks to be using a phishing kit from the 'l33bo_phishers' group. The kit also includes templates for other banks, such as TD Canada Trust and Scotiabank.
Phishing kit (SHA-256): 167f26fa03b1db4642613661b98ad29bcb10abdb84d2c29c07687fad23a42220
The sites compromised at the beginning of this campaign appear to have had the phishing pages taken down, but we are still finding newly compromised sites hosting these pages with the same kit. The campaign still appears to be active as of the publication of this post.
(Screenshot: a phishing page pretending to be BNC bank.)
Be sure to look at the full URL in your browser before entering any account information into an online form. Phishing actors count on you glancing at keywords you recognize (a bank name in the path, for instance) instead of scrutinizing the full URL, and judging the page safe on that basis.
Now that we’re on the subject of inspecting full URLs, we’re going to talk about the Tabnabbing technique.
TAB NABIT! THEY STOLE MY PASSWORD!
Phishing actors are constantly using new methods to fool victims into giving up sensitive information. They may impersonate the IRS to acquire SSNs, your company's IT department to get user passwords, or a bank login page to gain access to financial accounts.
The delivery methods don't change often, but one type of phishing is presented to victims in an unusual way.
You know that trick you used to play on your friends when you were a kid? Like say your friend had a bowl of jelly beans and you wanted one. You’d be like “Hey! What’s that over there!?” And then when your friend turned around, you’d take a jelly bean and eat it. SNEAKY! Well this phishing technique is sort of like that. A minor difference is that instead of taking a jelly bean, you replaced the bowl of jelly beans with a username and password prompt that looked like a bowl of jelly beans. Follow? As unlikely as this scenario is at fooling anybody, the real thing is a bit more devious.
In this scenario, the attacker posts a link on a public forum or in a chat application; the page holding that link is Tab1. When the victim clicks the link, the destination opens in a new tab, Tab2. Because Tab2 was opened from Tab1 without the rel="noopener" attribute, it keeps a handle to the original tab (window.opener), and a script on the attacker's page uses that handle to quietly redirect Tab1 (window.opener.location = ...) to a credential-harvesting page that convincingly imitates the site it is posing as. The victim finishes with Tab2, returns to what looks like the familiar site in Tab1, sees a login prompt and types in credentials. Modern browsers have mitigated this variant (Safari 12.1, Firefox 79 and Chrome 88 treat target="_blank" links as noopener by default), and site owners can add rel="noopener" explicitly for older browsers. The original tabnabbing technique does not need the opener handle at all: a page the victim already has open waits until its tab loses focus and then rewrites its own content and favicon to look like a login page. Malicious code already running on the system can also open new browser windows that perform the same kind of impersonation.
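The exchange described above, as an added example that is not part of the original post or of any Umbrella tooling: the attacker's Tab2 script is shown as a string (it is never executed here), and the defender side is a small regex-based audit and rewrite of anchors that open a new tab without rel="noopener", plus a window.open wrapper that passes "noopener". The HTML sample and all URLs are constructed placeholders; the regex parser is deliberately minimal and is not a substitute for a real HTML parser.

```javascript
// Added example for reverse tabnabbing (not code from the original post).

// Attacker side. This is the script the page in Tab2 would run. It is kept as a
// string so nothing executes; in practice it is an inline <script> on the attacker's
// page. window.opener is the handle a target="_blank" link leaves behind when the
// anchor has no rel="noopener". The URL is a placeholder.
const ATTACKER_PAYLOAD = `
  if (window.opener && !window.opener.closed) {
    // Replace the tab the victim came from with a credential-harvesting page.
    window.opener.location = "https://accounts-login.example/signin";
  }
`;

// Defender side 1: audit HTML for anchors that open a new tab and still hand the
// opener handle to the destination. Minimal attribute parser for <a ...> bodies.
function parseAttrs(tagBody) {
  const attrs = {};
  const re = /([a-zA-Z][\w:-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// rel tokens, lowercased. "noreferrer" implies "noopener" in browsers.
function relTokens(attrs) {
  return (attrs.rel || "").toLowerCase().split(/\s+/).filter(Boolean);
}

function isTabnabbable(attrs) {
  if ((attrs.target || "").toLowerCase() !== "_blank") return false;
  const rel = relTokens(attrs);
  return !rel.includes("noopener") && !rel.includes("noreferrer");
}

// Returns the href of every anchor that could be used for reverse tabnabbing.
function findTabnabbingLinks(html) {
  const findings = [];
  const anchorRe = /<a\b([^>]*)>/gi;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const a = parseAttrs(m[1]);
    if (isTabnabbable(a)) findings.push(a.href || "");
  }
  return findings;
}

// Rewrites vulnerable anchors so every target="_blank" carries noopener noreferrer,
// merging with any existing rel tokens (e.g. nofollow).
function hardenLinks(html) {
  return html.replace(/<a\b([^>]*)>/gi, (tag, body) => {
    const a = parseAttrs(body);
    if (!isTabnabbable(a)) return tag;
    const rest = body.replace(/\s+rel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/i, "");
    const merged = [...new Set([...relTokens(a), "noopener", "noreferrer"])].join(" ");
    return `<a${rest} rel="${merged}">`;
  });
}

// Defender side 2: when opening windows from script, pass "noopener" in the feature
// string; the new window then sees window.opener === null. `win` is passed in so the
// function can be exercised outside a browser.
function safeOpen(win, url) {
  return win.open(url, "_blank", "noopener,noreferrer");
}

// Constructed sample: a forum post with four anchors. Two are vulnerable.
const SAMPLE_HTML = [
  '<a href="https://forum.example/thread/42" target="_blank">reply</a>',
  '<a href="https://safe.example/" target="_blank" rel="noopener">safe</a>',
  '<a href="https://same-tab.example/">same tab</a>',
  "<a target='_BLANK' rel='nofollow' href='https://forum.example/profile/7'>profile</a>",
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", findTabnabbingLinks(SAMPLE_HTML));
  console.log("after hardening:", findTabnabbingLinks(hardenLinks(SAMPLE_HTML)));
}
```

Running the block prints the two vulnerable hrefs, then an empty list after hardenLinks has rewritten them. The same audit belongs wherever user-supplied links are rendered (forum software, chat web clients, mail templates), since that is exactly the surface the attack in this section relies on.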
Phishers know that it's best to attack you when your guard is down, and this method is so sneaky that I almost didn't notice it at first. They say that the best defense against a phishing attack is knowledge of the attackers' methods and procedures and a sharp eye, so knowing about this technique makes you that much less likely to be phished in the future.
Attackers also use Punycode, the ASCII encoding of internationalized domain names, to register domains that the browser displays in a form that VERY closely mimics the real thing even though the underlying characters are different. A recent example of a Punycode domain is xn--denizbankas-9zba[.]com, which the browser renders as denizbankasıı[.]com; the two trailing characters are the dotless i (U+0131), not the ASCII letter i. Unless closely inspected, it passes for a replica of denizbank[.]com. DenizBank is a large private bank in Turkey. We first resolved this domain in July. As of the publication of this post, it no longer resolves.
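To make the decoding concrete, here is an added example (not code from the original post or from Umbrella) that implements the RFC 3492 Punycode decoder, converts every xn-- label of a domain to Unicode, and then checks the result against a brand list after folding a few confusable characters to their ASCII look-alikes. The confusables table is a small illustrative subset of UTS #39, the brand list is a constructed input, and the domain from the text above is used as the sample.

```javascript
// Added example: Punycode (RFC 3492) decoding plus a simple look-alike check.
const BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700;
const INITIAL_BIAS = 72, INITIAL_N = 128;

// Bias adaptation, RFC 3492 section 6.1.
function adapt(delta, numPoints, firstTime) {
  delta = firstTime ? Math.floor(delta / DAMP) : Math.floor(delta / 2);
  delta += Math.floor(delta / numPoints);
  let k = 0;
  while (delta > ((BASE - TMIN) * TMAX) / 2) {
    delta = Math.floor(delta / (BASE - TMIN));
    k += BASE;
  }
  return k + Math.floor(((BASE - TMIN + 1) * delta) / (delta + SKEW));
}

// a-z -> 0..25, 0-9 -> 26..35 (case-insensitive).
function digitValue(ch) {
  const c = ch.toLowerCase().charCodeAt(0);
  if (c >= 0x61 && c <= 0x7a) return c - 0x61;
  if (c >= 0x30 && c <= 0x39) return c - 0x30 + 26;
  throw new Error(`invalid Punycode digit: ${ch}`);
}

// Decode the part of a label after "xn--", e.g. "denizbankas-9zba".
function decodePunycode(encoded) {
  const delim = encoded.lastIndexOf("-");
  // Basic (ASCII) code points come before the last delimiter, if any.
  const out = Array.from(delim >= 0 ? encoded.slice(0, delim) : "", c => c.codePointAt(0));
  let pos = delim + 1;                 // -1 + 1 = 0 when there is no delimiter
  let n = INITIAL_N, i = 0, bias = INITIAL_BIAS;
  while (pos < encoded.length) {
    const oldi = i;
    let w = 1;
    for (let k = BASE; ; k += BASE) {  // variable-length integer in generalized base 36
      if (pos >= encoded.length) throw new Error("truncated Punycode");
      const digit = digitValue(encoded[pos++]);
      i += digit * w;
      const t = k <= bias ? TMIN : k >= bias + TMAX ? TMAX : k - bias;
      if (digit < t) break;
      w *= BASE - t;
    }
    bias = adapt(i - oldi, out.length + 1, oldi === 0);
    n += Math.floor(i / (out.length + 1));
    i %= out.length + 1;
    out.splice(i, 0, n);               // insert code point n at position i
    i++;
  }
  return String.fromCodePoint(...out);
}

// Convert every xn-- label of a domain to Unicode; other labels pass through.
function domainToUnicode(domain) {
  return domain.split(".")
    .map(label => (/^xn--/i.test(label) ? decodePunycode(label.slice(4)) : label))
    .join(".");
}

// Illustrative subset of Unicode confusables (UTS #39 has the full table):
// dotless i, Cyrillic a/e/o/p/c, Greek omicron, Latin alpha.
const CONFUSABLES = {
  "\u0131": "i", "\u0430": "a", "\u0435": "e", "\u043e": "o",
  "\u0440": "p", "\u0441": "c", "\u03bf": "o", "\u0251": "a",
};

// Lowercase, strip combining marks, fold confusables to their ASCII look-alikes.
function skeleton(s) {
  return s.toLowerCase().normalize("NFD").replace(/\p{M}/gu, "")
    .replace(/./gu, c => CONFUSABLES[c] ?? c);
}

// brands maps a brand token to its legitimate domain (constructed input).
// Returns the decoded form, its skeleton, and the matched brand or null.
function flagLookalike(domain, brands) {
  const unicode = domainToUnicode(domain);
  const skel = skeleton(unicode);
  for (const [brand, legit] of Object.entries(brands)) {
    if (skel !== legit && skel.includes(brand)) return { unicode, skeleton: skel, brand };
  }
  return { unicode, skeleton: skel, brand: null };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(flagLookalike("xn--denizbankas-9zba.com", { denizbank: "denizbank.com" }));
}
```

The skeleton step is what turns the rendered denizbankasıı.com into denizbankasii.com, which a plain substring check then ties back to the brand; the same two steps (decode, then fold confusables) are what a browser or mail gateway would apply before deciding whether to show the Unicode form or the raw xn-- label.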
Come back next Monday to learn about the latest brands we have observed trending in phishing over the past 3 months.
Why Cisco Umbrella?
Umbrella protects users from connecting to malicious sites on the Internet and analyzes over 180 billion DNS requests daily. The sheer volume of DNS requests gives our researchers a unique view of the Internet that helps identify threat trends faster.
Interested in trying out Umbrella? Sign up for a free 14-day trial today.