Catches Of The Month: Phishing Scams For January 2020
Want to stay up to date with the latest phishing scams? Our ‘catches of the month’ feature reviews the most prominent attacks across the web, explaining how they occurred and the steps you should take to stay safe.
In our first review of 2020, we look at a new twist on a PayPal scam, and discuss data breaches at an IVF treatment facility and in the Singapore government.
1. Latest PayPal phishing scam goes for more than just your login details
Security researchers at ESET are warning people about a new scam targeting PayPal users. It begins with a standard phishing email, but victims end up handing over financial and personal details in addition to their login credentials.
The scammers’ bait is an email supposedly from PayPal informing recipients that someone has attempted to log in to their account from an unknown device.
You may well have seen legitimate emails like this before; organisations often keep track of the IP address and device you use when logging in so they can flag unfamiliar activity and protect you from fraud.
However, a closer look at the way the email is written reveals that it’s a scam. There aren’t any obvious grammatical errors that you might expect from a phishing email, but other clues are there.
For example, the browser that the login apparently came from is “chrome” with a lowercase C. “Chrome” should be capitalized as it’s a proper name – and would in fact probably be listed as “Google Chrome”.
This mistake is a decent sign that the person who wrote the email isn’t a native English speaker – or at least certainly not someone who would be employed by PayPal to write a template email that’s supposed to be guarding against fraud.
Other clues that point towards this being a scam are the clumsily repeated “your account, your account” in the third paragraph and the misuse of the word “login”.
The last one is an especially useful clue, because it’s a tricky grammatical concept to grasp and phishing scams often use the phrase incorrectly.
Login vs log in
If you’re unsure of the scammers’ mistake, be aware that ‘login’ and ‘log in’ have different meanings.
‘Login’ is a noun that refers to the username and password you use to access your account – i.e. your login details. It can also be used as a noun to refer to the act of logging in, as in “we’ve detected unusual login activity”.
‘Log in’, by contrast, is a phrasal verb that refers to the processes you go through to access your account – e.g. “please log in to your account”.
The scammers do a decent job in this email but still make mistakes, using the noun form ‘login’ to refer to the process by which you log in.
If you ever see an email that uses these words incorrectly, alarm bells should ring. It’s not guaranteed that you’ve received a phishing email – as we said, it’s a grammatical rule that even native speakers get wrong – but we wouldn’t expect this error in a template email.
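The three textual clues discussed above (‘login’ used as a verb, a brand name in lowercase, and a clumsily repeated phrase) can be turned into simple heuristics. The following is an added example, not code from the original article or from ESET: a small scanner that runs those checks over a constructed sample message. The sample text is made up for the demonstration and is not the real PayPal email; the brand list and the small list of words that precede a verb are assumptions chosen for illustration, and the output is a set of warning signs to review, not a verdict.

```python
import re
from typing import List, Tuple

# Constructed sample in the style of the email described above (not the real message).
SAMPLE_EMAIL = """Dear Customer,

We noticed a login to your account from an unknown device using chrome.
If this was not you, please login to your account, your account may be at risk.
"""

# Words that only make sense before a verb: "please login", "to login", "you login".
# A noun use such as "a login to your account" or "unusual login activity" is not flagged.
LOGIN_AS_VERB = re.compile(
    r"\b(?:please|must|should|can|cannot|you|to|and|then|now)\s+login\b", re.IGNORECASE
)

# Brand names in their canonical capitalisation (assumed list for the example).
BRANDS = ["PayPal", "Chrome", "Google", "Firefox", "Safari", "Windows"]

# A one- or two-word phrase immediately repeated, e.g. "your account, your account".
REPEATED_PHRASE = re.compile(r"\b(\w+(?:\s+\w+)?)[\s,]+\1\b", re.IGNORECASE)


def phishing_indicators(text: str) -> List[Tuple[str, str]]:
    """Return (indicator, snippet) pairs for the textual warning signs found in text."""
    findings: List[Tuple[str, str]] = []

    for m in LOGIN_AS_VERB.finditer(text):
        findings.append(("login-as-verb", m.group(0)))

    for canonical in BRANDS:
        # Skip occurrences inside addresses or domains (service@paypal.com, www.paypal.com),
        # where lowercase is normal; flag the brand in running text if its casing is wrong.
        pattern = rf"(?<![@.\w/]){re.escape(canonical)}(?!\w|\.\w)"
        for m in re.finditer(pattern, text, re.IGNORECASE):
            if m.group(0) != canonical:
                findings.append(("lowercase-brand", m.group(0)))

    for m in REPEATED_PHRASE.finditer(text):
        findings.append(("repeated-phrase", m.group(0)))

    return findings


if __name__ == "__main__":
    for indicator, snippet in phishing_indicators(SAMPLE_EMAIL):
        print(f"{indicator:16} {snippet!r}")
```

A legitimate notification written as “Please log in to your account. We noticed unusual login activity from Google Chrome.” produces no findings, whereas the constructed sample trips all three checks. These are signals to weigh alongside the sender address and link targets, not proof on their own.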
Also look out for other suspicious things, such as the sender using an unusual email address or links to strange websites.
If you’re still not sure, do not click any links in the email. Instead, visit the website of the organisation purportedly sending the email by typing the address into your browser yourself.
Once you log in, you’ll see whether there are any alerts or messages that confirm the content of the email.
The next level of the scam
Those who fall for the scam and click the link in the email are redirected to a bogus website that imitates PayPal.
At this point, the scammers add an interesting element: they ask the user to complete a CAPTCHA. These are the tests you need to perform to prove that you’re a human – such as typing the weirdly formatted characters or clicking every square that has a picture of a car in it.
You don’t often see these in phishing scams, perhaps because it creates an extra step between users clicking the link and landing on the fraudulent page, but it gives the illusion that the page the victim is about to enter is secure. It also has a practical benefit for the attackers: the automated URL scanners that security tools use to inspect links cannot get past the CAPTCHA to see the credential-harvesting page behind it.
Likewise, the web address has a green padlock next to it, which many people take as an assurance that they’re on a legitimate site. Green padlock = good and secure, right?
Wrong. The padlock simply signifies that the site has a valid TLS certificate for the domain shown in the address bar, which means the information shared between your computer and that website is encrypted. Certificates are free and issued automatically to anyone who controls a domain, so scam sites have them too.
This ensures that criminal hackers can’t eavesdrop on or tamper with the connection to steal information as you enter it – but that level of security means nothing if the website at the other end of the connection is fraudulent. What matters is whether the domain in the address bar is actually the organisation’s own.
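The padlock proves only that you are talking securely to whichever host is in the address bar, so the useful check is on the hostname itself. The following is an added example, not code from the original article: a link checker that extracts the hostname from a URL and decides whether it really belongs to the expected domain, catching the common tricks (the brand used as a leading label of an unrelated domain, a decoy before an `@` sign, a look-alike domain, and non-ASCII homograph hostnames). The sample links are constructed for the demonstration; the domain `paypal.com` is used as the expected domain and the other hostnames are invented.

```python
from typing import List, Tuple
from urllib.parse import urlparse


def check_link(url: str, expected_domain: str) -> Tuple[bool, str]:
    """Return (belongs_to_expected_domain, reason) for a link found in an email."""
    parsed = urlparse(url)
    # .hostname is lowercased and already has any userinfo ("user:pass@") and port removed.
    host = parsed.hostname
    if not host:
        return False, "no hostname in link"

    # "https://paypal.com@evil.example/" -> the part before '@' is userinfo, not the host.
    if parsed.username is not None:
        return False, f"text before '@' is a decoy; the real host is {host!r}"

    # A Cyrillic 'a' in "paypаl.com" looks identical but is a different domain.
    if not host.isascii():
        return False, f"non-ASCII hostname {host!r} (possible homograph of {expected_domain})"

    # Match the registered domain or a true subdomain of it, on a label boundary only:
    # "www.paypal.com" passes; "paypal.com.verify.example" and "evilpaypal.com" do not.
    if host == expected_domain or host.endswith("." + expected_domain):
        return True, f"host {host!r} belongs to {expected_domain}"

    # Scheme and padlock are deliberately ignored: an https:// link to the wrong
    # domain is still the wrong domain.
    return False, f"host {host!r} is not {expected_domain} (scheme {parsed.scheme!r} is irrelevant)"


# Constructed sample links for the demonstration; none of these are real pages.
SAMPLE_LINKS: List[str] = [
    "https://www.paypal.com/signin",
    "https://paypal.com.account-verify.example/login",
    "https://paypal.com@evil.example/",
    "https://evilpaypal.com/",
    "https://payp\u0430l.com/",  # Cyrillic small a (U+0430) in place of Latin 'a'
]


def triage_links(urls: List[str], expected_domain: str) -> List[Tuple[str, bool, str]]:
    """Run check_link over a list of URLs and return (url, verdict, reason) triples."""
    return [(u, *check_link(u, expected_domain)) for u in urls]


if __name__ == "__main__":
    for url, ok, reason in triage_links(SAMPLE_LINKS, "paypal.com"):
        print(f"{'OK  ' if ok else 'BAD '} {url}\n      {reason}")
```

Only the first sample link passes. Note that the check answers “does this link go to the domain I expect”, not “is this site safe”; a compromised legitimate site would still pass, which is why the advice above to type the address yourself rather than follow the link remains the safer habit.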
The final trick
Once on the site, users are asked to log back in to their account. This is where most phishing scams end – the criminal hacker now has your login details, which they’ll use to access your account, change your password and reset the account’s associated email address, locking you out permanently.
However, the scammers behind this attack have taken their con to the next level. Their reasoning is that if you’re willing to hand over your login credentials, why wouldn’t you provide other information too?
Victims are presented with a series of screens asking them to confirm their personal details, including their billing address, payment card details and email address.
Anyone who complies with these requests will have handed the scammers a bounty of personal information that can be used to conduct a variety of fraudulent activities – although they will generally fall into one of two categories.
The crooks will often use the information to conduct payment card fraud, either making purchases from the victim’s account or transferring funds into another account owned by the hacker.
Alternatively, they’ll sell the information on the dark web. This is a less lucrative but safer option, as they avoid the risk of being caught performing other illegal activities.
2. One of Australia’s largest IVF providers hit by phishing scam
Patients at Monash IVF started receiving strange emails towards the end of last year, seemingly related to recent medical appointments.
The emails asked recipients to open an attachment – which is unusual practice for the healthcare facility. Those who did soon realised they’d been phished, with the document infecting their device with malware.
The Monash IVF Group, which operates across Australia, confirmed the attack, saying it began with a breach of its staff email system.
It was reluctant to disclose specific details, saying it was “possible” that the attack gave the criminal hackers access to patients’ and their partners’ names, contact details, dates of birth, nationalities, occupations, financial details, medical insurance details, health information, driver’s licence and passport numbers, and medical history.
On top of this, the source of the breach – an IVF facility – creates a serious privacy issue, as many people are uncomfortable sharing the fact that they are undergoing assisted fertility treatment.
However, the Monash IVF Group downplayed the severity of the attack, insisting that the information obtained by the scammers was “mostly limited to an individual’s email address”.
It added that it had been in contact with a small number of patients who might have been directly affected.
3. Personal data of staff at Singapore’s Ministry of Defence leaked after email attack
Personal data of Singapore Armed Forces and Ministry of Defence personnel has been exposed after a phishing email led to a malware infection at one of their vendors.
The breach began at ST Logistics, a third-party vendor that both government departments use. Employees received bogus emails that contained a malicious attachment.
As soon as someone opened the file, malware ran through ST Logistics’ systems and gave the scammers access to a host of information.
About 2,400 employees’ full names, NRIC (National Registration Identity Card) numbers, contact details and addresses were exposed.
This incident is a timely reminder to ensure that you’re confident in the security practices of third parties. When you share information with them, you expect them to protect it, especially from relatively straightforward attacks like phishing.
Staff awareness training focused on phishing and other social engineering tricks should be a core part of organisations’ cyber security practices, and it’s up to you to ensure it’s being done.
It is not known what level of oversight the Singapore Armed Forces or Ministry of Defence had of ST Logistics’ cyber security measures, but you can be sure that after this incident, both departments will be paying closer attention.