Cyberworld on Rewind Mode: New Phishing Attack Stealing Passwords Using Old Tricks

The phishing world has been on rewind mode as old tactics are making periodical comebacks; using an old trick, a new phishing campaign is attempting to steal sensitive information from users like their login credentials and payment details and a lucrative claim of refunding a tax which can only be claimed online is being made to lure the gullible.
The threat executes with a message that appears to be the tax office of UK government, HMRC, and users targeted are informed of being due on a tax refund of £542.94 “directly” onto their credit card.

Referring to the scam as uncovered by Malwarebytes, victims were made to debate with their conscience as a new piece of information drapes the screen telling that the link to the “customer portal” expires on the same day the message is received – as the haste and consequently the pressure multiplies, victims, supposedly and expectedly panics which enslave their rationality and they are successfully tricked into believing that what’s slipping from their grip is a handsome sum.

The dire straits of formatting, structuring and disguising the scam and associated components explain how little effort has been deposited by the criminals while constructing a counterfeit HMRC website and substantially veiling the attack.

A counterfeit Outlook login page greets the users who clicked through to the ‘portal’, where they are required to fill login details to proceed, i.e., the username and the password, which is basically the timing and spot where the attack is based.  

Once the email and password has been provided, victims are redirected to a counterfeit ‘refund’ website where sits empty boxes vying for the sensitive data – ‘Full name’, ‘Address’, ‘Phone Number’, ‘Date of Birth’, ‘Mother’s Maiden Name’ and ‘Full Credit Card Details’ and the security code.

The haunting quality of the attack is based in its multifacetedness- which goes far beyond than acquiring bank details and ranges from a potential access to other accounts to vast amounts of personal data and records of the victims that lay vulnerable to identity theft and fraud.

In order to mitigate the losses and to equip consciences of the users to sidestep the same tempting debate that may arise in the future, HMRC states that it will never offer a repayment or ask for personal information via email.

A lead malware intelligence analyst at Malwarebytes, Chris Boyd, told ZDNet, “These attacks can afford to be crude, as the main pressure point is the temptation of an easy cash windfall tied to a tight deadline. Not knowing that HMRC don’t issue refund notifications in this manner would also contribute to people submitting details,”

Although, the aforementioned attack appears elementary on designing and strength fronts but the amounts of time invested by the criminals in distributing the emails gestures towards the scam being anything but futile.

Phishing as an effective exploitative measure has become pervasive and gained an international prevalence, referencing a recent report by the US Department of Justice, it was deduced that majority of cyber attacks in recent years had a simple phishing email at the start.

Leave a Reply