NOT PROTECTIVELY MARKED PHISHING. July 2016

Similar documents
PHISHING ATTACK TARGETING UNIVERSITY STUDENTS MAY 2016

FAQ. Usually appear to be sent from official address

Bank of america report phishing

It pays to stop and think

Guide to credit card security

Phishing Activity Trends

Phishing Activity Trends Report August, 2006

The Rise of Phishing. Dave Brunswick Tumbleweed Communications Anti-Phishing Working Group

Best Practices Guide to Electronic Banking

Quick recap on ing Security Recap on where to find things on Belvidere website & a look at the Belvidere Facebook page

How to recognize phishing s

Red ALERT Apparent Breach of an Unidentified Pharmacy Related Database

Your security on click Jobs

Phishing Activity Trends

Target Breach Overview

Anti-Phishing Working Group

IMPORTANT SECURITY INFORMATION PHISHING

REPORT. Year In Review. proofpoint.com

The 12 scams of Christmas

Phishing Activity Trends

Newcomer Finances Toolkit. Fraud. Worksheets

Webomania Solutions Pvt. Ltd. 2017

WHAT IS CORPORATE ACCOUNT TAKEOVER? HOW DOES IT HAPPEN?

Business Accounts. Important information. Keeping you up to date. danskebank.co.uk

Protect Yourself From. Identify Theft

Phishing. Eugene Davis UAH Information Security Club April 11, 2013

Web Cash Fraud Prevention Best Practices

COMMON WAYS IDENTITY THEFT CAN HAPPEN:

Phishing Activity Trends Report October, 2004

Phishing Activity Trends Report August, 2005

DoD Spear-Phishing Awareness Training. Joint Task Force - Global Network Operations

CE Advanced Network Security Phishing I

Report on Spamvertising and Phishing using.hk Domain Names and McAfee Report. ccnso Meeting June 24, 2008

August 2009 Report #32

November 2009 Report #35

CLICK TO EDIT MASTER TITLE STYLE Fraud Overview and Mitigation Strategies

Explanation of Data Element Data Element Potentially Legitimate purposes for Collection/Retention

IT Security Protecting Ourselves From Phishing Attempts. Ray Copeland Chief Information Officer (CIO)

Full Clinical Psychotherapist

ELECTRONIC BANKING & ONLINE AUTHENTICATION

Risk Outlook Anti money Laundering and Cybercrime. Steve Wilmott and George Hawkins

Do not open attachments on s that you are not sure of.

PROTECTING YOUR BUSINESS ASSETS

FAQ: Privacy, Security, and Data Protection at Libraries

Frauds & Scams. Why is the Internet so attractive to scam artists? 2006 Internet Fraud Trends. Fake Checks. Nigerian Scam

ONLINE BANKING Frequently Asked Questions

Online Fraud and Identity Theft Guide. A Guide to Protecting Your Identity and Accounts

Phishing Activity Trends Report March, 2005

CAREERBUILDER.COM - PRIVACY POLICY

Phishing Activity Trends Report January, 2005

Contents. What we re doing to protect your accounts. Protecting yourself from the most common scams and types of fraud

CIMA Certificate BA Interactive Timetable

Financial scams. What to look for and how to avoid them.

Toolkit for March Fraud Prevention Month 2017 Senior Support. FRAUD Recognize It Reject It Report It.

Protecting your Privacy Winchester Cathedral Privacy Notice

August 2009 Report #22

FRAUDULENT TRAVEL SCAMS

Phishing Activity Trends

Personal Cybersecurity

Common Scams and Fraud. Charlottesville/Albemarle County TRIAD Group

The State of Spam A Monthly Report June Generated by Symantec Messaging and Web Security

Nigerian Telecommunications Sector

Retail/Consumer Client Internet Banking Awareness and Education Program

June 25, iremit Online Remittance Instruction Manual

Phishing: When is the Enemy

Phishing Read Behind The Lines

Security Awareness. Chapter 2 Personal Security

Identity Theft, Fraud & You. PrePare. Protect. Prevent.

Phishing: What is it?

Custom Plugin A Solution to Phishing and Pharming Attacks

Recognizing & Protecting Against Fraud

DMARC Continuing to enable trust between brand owners and receivers

Employee Security Awareness Training

3.5 SECURITY. How can you reduce the risk of getting a virus?

CoreFirst Bank & Trust

The State of Spam A Monthly Report August Generated by Symantec Messaging and Web Security

1 of 11 10/1/ :26 AM

Proving your identity and ownership of a property

How to Catch a Thief. Trends & Technologies in the Fight Against Fraud. Rohan Langley SAS

Introduction to

Cyber Insurance: What is your bank doing to manage risk? presented by

CYBER SECURITY RESOURCE GUIDE. Cyber Fraud Overview. Best Practices and Resources. Quick Reference Guide for Employees. Cyber Security Checklist

Security Overview. Joseph Balberde North Country Community Mental Health Information Technology Director

Octopus Online Service Safety Guide

FREQUENTLY ASKED QUESTIONS

Scams and Schemes LESSON PLAN UNIT 1. Essential Question What is identity theft, and how can you protect yourself from it?

Session Booklet Transacting Online

Phishing Activity Trends Report November, 2004

Paid-for antivirus software

For the mobile people of. Oulu

N O R T H C AROLINA U T I L I T I E S C O M M I S S I O N. Regulatory Fee Reporting. User Guide

PRIVACY NOTICE ST BENEDICT S HOSPICE SUNDERLAND, LTD

TIPS TO AVOID PHISHING SCAMS

But it Was Such a Little Phish February 2016 Webinar

Procedure for Online Bill Payment & Registration of Consumers through

Manually Create Phishing Page For Facebook 2014

June 2012 First Data PCI RAPID COMPLY SM Solution

Create strong passwords

SPRING 2018 HERSHEYSMILL FRAUD PREVENTION NEWSLETTER

Who We Are! Natalie Timpone

Transcription:

- PHISHING July 2016 1

Introduction: The purpose of this document is to provide an analysis of the most prevalent trends and characteristics of phishing campaigns in the UK in July 2016. The analysis is based on the information reported to Action Fraud via the Attempted Scams or Viruses (ASOV) Reporting Tool, as well as on the data obtained from the NFIB phishing inbox, which consists of phishing emails reported by members of the public. This report is a sanitised version of the protectively marked document. The names of companies being subject of analysis in this document have been replaced by general naming which reflects a type of services the respective companies provide or a type of industry they belong to. Where the name of the company is contained within the email address or URL link, it has been replaced with *** symbol. PHISHING is the attempt to acquire sensitive information (e.g. usernames, passwords and credit card details) or steal money by masquerading as a trustworthy entity in an electronic communication such as email, pop-up message, phone call or text message. Cybercriminals often use social engineering techniques to trick the recipient into handing over their personal information, transfer money or even download malicious software onto their device. Although some phishing s can be poorly designed and are clearly fake, more determined criminals employ various methods to make them appear as genuine. These techniques can include: Identifying the most effective phishing hooks to get the highest click-through rate. Enclosing genuine logos and other identifying information of legitimate organisations in the message. Providing a mixture of legitimate and malicious hyperlinks to websites in the message e.g. including authentic links to privacy policy and terms of service information of a genuine organisation to make the email appear genuine. Spoofing the URL links of genuine websites The most common tricks are the use of subdomains and misspelled URLs as well as concealing of malicious URLs under what appears to be a link to a genuine website which can be easily revealed upon hovering the mouse over it. More sophisticated techniques rely on homograph spoofing which allows for URLs created using different logical characters to read exactly like a trusted domain. Some phishing s use JavaScript to place a picture of a legitimate URL over a browser s address bar. The URL revealed by hovering over an embedded link can also be changed by using JavaScript. 1 WARNING: THIS DOCUMENT CONTAINS LINKS TO MALICIOUS WEBSITES AND EMAIL ADDRESSES; DO NOT CLICK ON ANY HYPERLINKS CONTAINED IN THIS DOCUMENT. 1 http://searchsecurity.techtarget.com/definition/phishing 2

Section 1: Action Fraud: Attempted Scams or Viruses (ASOV) Reporting Tool The ASOV reporting tool, which is operated by Action Fraud, allows members of the public to report instances of an attempted phishing, where someone has been approached with a message but has not suffered a financial loss as a result and has not exposed their personal details to a fraudster. 1.1 Volume of Phishing Reports Received via the ASOV reporting tool by members of the public, which is a 61.2% increase compared to July 2015 With 435 reports made per day, July 2016 marked the first period since at least November 2013, in which the reporting figures have reached a stable level for the third consecutive month. In July 2016, there were a total of 13,515 phishing reports submitted Number of reports received per day: July 2015 - July 2016 600 548 500 468 440 430 435 400 382 300 200 100 270 205 181 210 315 270 317 0 Jul-15 Aug-15 Sep-15 Oct-15 Nov-15 Dec-15 Jan-16 Feb-16 Mar-16 Apr-16 May-16 Jun-16 Jul-16 3

1.2 Communication Channels for Phishing Although the most commonly reported communication channel used for phishing distribution continued to be email, there has been a drop in reporting in relation to this method of communication from 78% in April 2016, 61.3% in May 2016 and 60.1% in June 2016 to 59.9% in July 2016. The second most commonly reported communication method was a landline phone call declared in 23.6% of all reports. This is an increase by 1.5 percentage points compared to June 2016, 3.4 percentage points as compared to May 2016 and 13.2 percentage points more than in April 2016. 1.3 Type of Phishing Request Similarly to the previous months, the most commonly reported phishing request was to click on a potentially malicious hyperlink contained in the message (30.8%). The second most reported type of request was to reply to the phishing message (15.6%), followed by the requests to provide personal information (15.5%) and online banking/bank card details by would be victims (10.8%). The reported figures largely reflect the trends noted in the previous months with an exception of April 2016, which saw higher than usual number of reports in relation to click on the weblink and money transfer type of request. In contrast, the reporting figure for text message has been fluctuating in the recent months between 6.3% in April, 11.3% in May and 10.5% in June 2016 compared to 8.8% in July 2016. Email 59.9% Click weblink 30.8% Text Message 8.8% Landline phone call 23.6% Email 59.9% Landline phone call 23.6% Text message 8.8% Mobile phone call 2.4% Other 1.9% Post 1.5% Social media 1.3% Popup message 0.5% Instant messaging 0.2% Banking details 10.8% Other 12.6% Personal information 15.5% Weblink 30.8% Reply 15.6% Reply 15.6% Provide personal information 15.5% Other 12.6% Provide banking details 10.8% Transfer money 7.9% Open attachment 3.7% Make contact 3.2% 4

1.4 Phishing Hooks Phishing hook is a social engineering method which is used by fraudsters to masquerade as a trustworthy entity in communication, in order to trick the potential victim to follow an instruction contained in the message for malicious reasons. Throughout July 2016, the most prevalent phishing hooks identified from the reported data continued to be Government body 1 and various retail banks. The most popular names reported within the banking hooks category were three high street banks, which were declared in 37.7% (Bank 1), 22.4% (Bank 2) and 16% (Bank 3) of reports. These banks have also been the top three banking hooks in the previous months. Phishing hooks: July 2016 3500 3000 2500 2000 1500 1000 500 0 3194 Government body 1 1568 985 780 Banks IT Companies Online payments sevice provider 1 532 484 409 Mobile phone providers Lottery Other government organisations 268 163 86 73 69 56 32 31 13 Job offers Online market place 1 Online market place 2 Charities Social media platform 1 Other Government social media body 2 platforms Medical Loan provider 1 'Banking hooks': July 2016 350 323 300 250 192 200 137 150 100 66 50 40 50 13 10 8 6 7 2 1 1 1 0 Bank 1 Bank 2 Bank 3 Bank 4 Bank 5 Bank 6 Bank 7 Bank 8 Bank 9 Bank 10 Bank 11 Bank 12 Bank 13 Bank 14 Bank 15 5

Within the Other phishing hooks category 2, the most reported individual hook was Phone and broadband service provider 1. There has been an increase in reporting of High street retailer 1 as a phishing hook from 68 reports in April 2016, 55 in May 2016 and 96 in June 2016 to 224 reports in July 2016. Thereby, this retailer became the top reported hook within the retail sector category, by outstripping other retailer named here as Supermarket 1 which has been the most prevalent supermarket/retail hook in the last quarter. The recent increase in misuse of well known retailers names is a result of an expansion of phishing campaigns claiming to offer complimentary gift cards and shopping vouchers from major UK stores. In July 2016, there has also been a new occurrence of a phishing in circulation which claimed to originate from Utility provider 1, with 79 reports being made to the ASOV tool by members of the public. The campaign purported to relate to an outstanding utility bill and called for payment through a malicious link. Majority of emails originated from the same email address ***@otherserver.com (see section 2.2) 3. Top 10 'Other hooks': July 2016 400 300 307 200 100 224 203 195 162 117 83 79 58 54 0 Phone and broadband provider 1 High street retailer 1 Phone and broadband provider 2 Online entertainment store 1 Supermarket 1 Register of telephone numbers 1 Computer software company 1 Utility provider 1 Online market place 3 Money transfer provider 1 2 It should be noted that the level of analysis of the Other phishing hooks is limited due to the presence of free text fields in relation this category within the ASOV reporting tool. Although the best possible effort has been made to calculate and identify trends in this category, the presented figures may be understated. 3 The possible discrepancy in the number of reports relating to the same phishing campaign which are presented in Section 1 and Section 2 of this analysis is caused by the fact that both reporting systems the ASOV tool and the NFIB Phishing Inbox - are independent of each other. 6

Section 2: NFIB Phishing Inbox The findings presented in Section 2 are based on the analysis of over 28,000 phishing emails forwarded to the NFIB phishing inbox during the period of 1 st to 31 st July by members of the public. 4 2.1 Subject Headings of Phishing Campaigns Top 15 The table represents the Top 15 most prevalent message subject headings which appeared in exactly the same form in the phishing emails reported in July 2016. The most commonly reported phishing with the same subject line purported to originate from Online entertainment store 1 and contained bogus information about an alleged purchase made through the online store. One third of all subject lines identified within the Top 15, in total 517 emails, related to the, which is the highest proportion noted to date. The second most common message subject line referred to free shopping vouchers offering from three well known UK retailers, which reflects the trend from the previous months. 4 Once the reporting person submits their online ASOV form to Action Fraud, they are directed to forward the phishing email to a dedicated phishing inbox of HMRC, DWP, all major banks, PayPal, ebay, Amazon, Facebook or Student Loans Company if the message purports to be originating from one of these organisations, or to the NFIB phishing inbox in all other cases. Message title Number of emails reported 1 Your receipt No... 132 2 Order Receipt No... 128 3 Your receipt from *** 102 4 Payment Approved! 100 5 *** prize offer Open immediately 90 6 Your *** order receipt 83 Phishing hook Online entertainment store 1 Online entertainment store 1 Online entertainment store 1 Money transfer service provider 1 High street retailer 1 Online entertainment store 1 7 Hi, you can get our Grand Prize this week! 80 Supermarket 1 8 Re-activate your voucher :) 77 9 Your invoice from *** 72 10 Account Closure *** 70 High street retailer 2 Online entertainment store 1 Bank 1 online transaction 11 We have an important message for you! 66 Bank 1 account 12 Your account has been closed 63 Bank 2 account 13 14 You forgot to download your *** Voucher Good News!...Your Email Has Been Selected as Winner 15 Your voucher has just expired 58 60 High street retailer 1 58 Lottery High street retailer 2 7

2.2 Email addresses of Phishing Scammers Top 15 Email address spoofing to impersonate well known companies continued to be the method of choice in July s phishing campaigns, with email addresses appearing to be from Online entertainment store 1 and Money transfer service provider 1 being the most popular. Utility provider 1 has been identified as a new target for email spoofing to perpetrate a phishing in their name. A total of 86 fake utility bill emails which appeared to originate from ***@otherserver.com were reported in July 2016 by different members of the public, who were called by their name and surname in the email. The content and format of the emails were identical, but variations in the subject line were noted such as (Name and Surname) Your gas & electricity bill, (Name and Surname) Your July electricity bill and (Name and Surname) Pay your July bill Online. The use of a personal greeting in the phishing campaign impersonating Utility provider 1 appears to be a result of a data leak. It is unlikely that the personal details were obtained directly from that company s database as many members of the public stated that they in fact deal with a different utility provider. Message title Number of emails reported 1 ***@otherserver.com 86 2 ***02@citromail.hu 71 3 notice@***.org 68 4 ***@bt.net 66 5 info@***.com 64 6 ID4PR1X2@mobi.***.com 59 Phishing campaign theme / Phishing hook Utility provider 1 bill statement Money transfer service provider 1 inheritance payment International fund beneficiary Bank 1 suspicious online activity Money transfer service provider 1 inheritance payment Online entertainment store 1 receipt 7 careers@***.co.uk 54 Employment offer 8 luann.***@colostate.edu 51 Donation beneficiary 9 support@***.***.com 46 10 *eurorafle@btinternet.com* 33 Lottery 11 ***@***.co.uk* 31 12 *dpmdvpd@mxip1a.gatech.edu* 29 13 msa@communication.***.com 29 14 service@***.co.uk 29 Online entertainment store 1 receipt Online payments service provider 1 and Phone and broadband provider 2 account Online entertainment store 1 receipt Bank 1 and Computer software account update Online payments service provider 1 transaction 15 *dcmartin1@cox.net* 28 Donation beneficiary 8

2.3 Malicious URLs Top 15 The table represents the Top 15 most prevalent URLs which appeared, in exactly the same form, in the phishing emails forwarded to the NFIB phishing inbox by the public in July 2016. The URL h*tp://www.sp-miescisko.org.pl//go.php belonging to the official website of a primary school in Poland, has been the most commonly utilised URL identified in the dataset with a total of 46 Bank 1 fake account verification emails reported. 12 out of 15 URLs identified in the dataset were found to belong to legitimate domains which may have been compromised to host a malicious content. Overall, the most prevalent URLs identified in the Top 15 set were utilised in those phishing campaigns which impersonated the companies named here as Bank 1, Online payments provider 1 and Online entertainment store 1. Message title Number of emails reported Phishing campaign theme/ Phishing hook 1 h*tp://www.sp-miescisko.org.pl//go.php 46 Bank 1 account 2 h*tp://lastablasmias.com/?im9mzj03ntci 29 3 h*tp://difusoragoiania.com.br/121/hhaa.ht ml 4 h*tp://latrastiendalibros.com/lj/index.htm 27 5 h*tp://www.praulaiglesia.com/ln 23 6 h*tp://www.***.co.uk-online-customerspersonal-support-privacypolicy.fletcherfarmfoundation.org/wp-includes/ 7 h*tp://rdi21redi.com/newsfeed/ 21 8 h*tp://gekkoanimatie.be/membership.php 21 9 h*tp://ajanimalservices.co.uk/sod 20 Various s including free gift cards 28 Bank 1 account Online payments service provider 1 account Online payments service provider 1 account 22 Bank 1 account Online entertainment store 1 purchase Video on demand service provider 1 membership Government organisation 1 tax refund 10 h*tp://daizeymay.co.uk/sxx 19 Bank 1 account 11 h*tp://ipx313.com/newsfeed/ 18 Online entertainment store 1 purchase purchase 12 h*tp://www.laflandre.be/config/***/ 17 Online payments service provider 1 account 13 h*tp://chinchillasite.be/req.php 16 Phone and broadband provider 2 refund 14 h*tp://www.chascojeans.pt/b/ 16 Online payments service provider 1 account 15 h*tp://www.savirow.com/data/backup/ww w/empty/bice1.htm 16 Government organisation 1 tax refund 9

Copyright City of London Police 2016 NFIB Disclaimer: While every effort is made to ensure the accuracy of the information or material contained in this document, it is provided in good faith on the basis that the Commissioner, the City of London Police and its police officers and staff accept no responsibility for the veracity or accuracy of the information or material provided and accept no liability for any loss, damage, cost or expense of whatever kind arising directly or indirectly from or in connection with the use by any person, whomsoever, of any information or material herein. The quality of the information and material contained in this document is only as good as the information and materials supplied to the City of London Police. Should you or your police force hold information, which corroborates, enhances or matches or contradicts or casts doubt upon any content published in this document, please contact the City of London Police NFIB by return. Any use of the information or other material contained in this document by you signifies agreement by you to these conditions. 10

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback