PROTECT - INTELLIGENCE
Phishing March 2016
Introduction
The purpose of this document is to provide an analysis of the most prevalent trends and characteristics of phishing campaigns in the UK in March 2016. The analysis is based on the information reported to Action Fraud via the Attempted Scams or Viruses (ASOV) Reporting Tool and on data obtained from the NFIB phishing inbox, which consists of phishing emails reported by members of the public.
Phishing is the attempt to acquire sensitive information (e.g. usernames, passwords and credit card details) or to steal money by masquerading as a trustworthy entity in an electronic communication such as an email, pop-up message, phone call or text message. Cybercriminals often use social engineering techniques to trick the recipient into handing over their personal information, transferring money or even downloading malicious software onto their device. Although some phishing scams are poorly designed and clearly fake, more determined criminals employ various techniques to make them appear genuine. These techniques can include:
- Identifying the most effective phishing ‘hooks’ to use in the message to get the highest click-through rate.
- Including genuine logos and other identifying information of legitimate organisations in the message.
- Providing a mixture of legitimate and malicious hyperlinks in the message, e.g. including authentic links to the privacy policy and terms of service of a genuine organisation. These authentic links are mixed in with links to a fake phishing website in order to make the spoof site appear more realistic.
- Spoofing the URLs of genuine websites. The most common tricks are the use of sub-domains and misspelled URLs, as well as hiding a malicious URL under what appears to be a link to a genuine website, which can be revealed by hovering the mouse over it. More sophisticated techniques rely on homograph spoofing, in which a URL built from different logical characters reads exactly like a trusted domain.
- Some phishing scams use JavaScript to place a picture of a legitimate URL over the browser’s address bar. The URL revealed by hovering over an embedded link can also be changed using JavaScript.[1]
WARNING: THIS DOCUMENT MAY CONTAIN LINKS TO MALICIOUS WEBSITES OR EMAIL ADDRESSES, DO NOT CLICK ON ANY HYPERLINKS CONTAINED IN THIS DOCUMENT.
[1] http://searchsecurity.techtarget.com/definition/phishing
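The checks a mail gateway or an analyst's tooling can apply against the link tricks just listed, written here as an added example (not part of the report and not Action Fraud's tooling): it compares the text a link displays with where its href actually goes, looks for a brand name used as a sub-domain of an unrelated site, scores near-miss spellings of a brand, and folds look-alike Cyrillic letters to expose homograph hostnames. The brand list, the two-part suffix list and the sample HTML message are constructed for illustration.

```python
"""Checks for the link tricks listed above. Added example, not from the report; the
brand list, suffix list and sample HTML are constructed for illustration."""
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allow-list: brand keyword -> the registrable domain the brand really uses
KNOWN_BRANDS = {"natwest": "natwest.com", "paypal": "paypal.com", "tescobank": "tescobank.com"}
# Two-label public suffixes; a production tool would load the full public suffix list
TWO_PART_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "com.au", "net.au", "com.br"}
# Cyrillic letters that render like Latin a, e, o, p, c, y, x, i (a subset of Unicode confusables)
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i"}

def registrable_domain(host):
    """Crude eTLD+1: last two labels, or three when the suffix is two-part (e.g. co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES else 2
    return ".".join(labels[-n:])

def fold_host(host):
    """ASCII-fold a hostname and report whether a homograph indicator was present
    (punycode label, non-ASCII character, or a confusable letter that was substituted)."""
    host = host.lower()
    flagged = any(label.startswith("xn--") for label in host.split("."))
    if flagged:
        try:
            host = host.encode("ascii").decode("idna")  # expose the Unicode form of punycode
        except UnicodeError:
            pass
    out = []
    for ch in host:
        if ch in CONFUSABLES:
            out.append(CONFUSABLES[ch])
            flagged = True
        elif ord(ch) > 127:
            out.append(unicodedata.normalize("NFKD", ch).encode("ascii", "ignore").decode() or "?")
            flagged = True
        else:
            out.append(ch)
    return "".join(out), flagged

def edit_distance(a, b):
    """Levenshtein distance, to catch one- or two-character brand misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def displayed_host(text):
    """Hostname the reader sees when the anchor text itself looks like a URL, else None."""
    t = text.strip()
    if " " in t or "." not in t.rstrip("."):
        return None
    return urlsplit(t if "://" in t else "http://" + t).hostname

def assess_link(href, text):
    """Return the deception indicators found for one hyperlink (empty list = none seen)."""
    findings = []
    host, homograph = fold_host(urlsplit(href).hostname or "")
    if homograph:
        findings.append("homograph-host")
    reg = registrable_domain(host)
    sub_labels = host.split(".")[: -len(reg.split("."))]
    shown = displayed_host(text)
    if shown and registrable_domain(fold_host(shown)[0]) != reg:
        findings.append("displayed-url-mismatch")
    first_label = reg.split(".")[0]
    for brand, legit in KNOWN_BRANDS.items():
        if reg == legit:
            continue  # the link really goes to the brand's own domain
        if brand in sub_labels:
            findings.append(f"brand-in-subdomain:{brand}")
        elif brand in first_label:
            findings.append(f"brand-in-lookalike-domain:{brand}")
        elif 0 < edit_distance(first_label, brand) <= 2:
            findings.append(f"brand-misspelling:{brand}")
    return findings

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def scan_html(html):
    """Assess every anchor in an HTML body; returns (href, text, findings) per link."""
    parser = AnchorCollector()
    parser.feed(html)
    return [(href, text, assess_link(href, text)) for href, text in parser.links]

# Constructed sample message mixing a genuine link with deceptive ones
SAMPLE_EMAIL = """<p>Sign in at <a href="http://www.natwest.com.secure-login.info/">www.natwest.com</a></p>
<p><a href="http://paypa1.com/login">Log in</a> to restore access.</p>
<p>Privacy: <a href="https://www.natwest.com/privacy">NatWest privacy policy</a></p>"""
```

Running `scan_html(SAMPLE_EMAIL)` flags the first link twice (displayed text points at natwest.com while the href's registrable domain is secure-login.info, and "natwest" is only a sub-domain label), flags the second as a one-character misspelling of paypal, and leaves the genuine privacy-policy link clean. The confusable table is deliberately small; a gateway would use the full Unicode confusables data and the public suffix list.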
1. Action Fraud: Attempted Scams or Viruses (ASOV) Reporting Tool
The ASOV reporting tool, which is operated by Action Fraud, allows members of the public to report instances of phishing where someone has been approached with a scam message (via email, text or phone) but has not suffered a financial loss as a result of it and has not exposed their personal details to a scammer. The analysis in this section is based on data received by Action Fraud in the month of February 2016.
1.1 Volume of Phishing Reports Received
During the month of March 2016 there were a total of 9840 phishing reports made to Action Fraud via the ASOV reporting tool. This is on average 317
reports made per day – a 24% increase compared to March 2015 and a 32% decrease as compared to February 2016, when the reporting level was
exceptionally high.
Average Number of Phishing Reports Received per Day: March 2015 - March 2016
Mar-15: 276
Apr-15: 232
May-15: 255
Jun-15: 299
Jul-15: 270
Aug-15: 205
Sep-15: 181
Oct-15: 382
Nov-15: 210
Dec-15: 315
Jan-16: 270
Feb-16: 468
Mar-16: 317
1.2 Communication Channels for Phishing
The analysis of phishing reports received during March 2016 identified that, similarly to previous months, the most common communication channel used
for distribution of phishing scams was via email (73.5%) followed by landline phone calls (13%) and text message (6.4%).
Contact Channels for Phishing: March 2016
Email: 73.5%
Landline Phone Call: 13.0%
Text Message: 6.4%
Mobile Phone Call: 2.1%
Other: 2.1%
Post: 1.4%
Social Media: 1.0%
Popup Message: 0.5%
Instant Messaging: 0.2%
1.3 Phishing ‘Hooks’
A phishing ‘hook’ is a social engineering method used to masquerade as a trustworthy entity in a communication in order to trick the potential victim into following an instruction or request contained in the message for malicious reasons. Throughout March 2016, the most prevalent phishing ‘hooks’ identified in the reported data continued to fall within the ‘Other hooks’ category, followed by ‘hooks’ referring to HM Revenue and Customs (HMRC) and retail banks. The phishing hooks impersonating banks most commonly referred to NatWest, Tesco Bank and Lloyds TSB.
Phishing Hooks: March 2016
Other: 3470
HMRC: 2447
Bank: 1319
IT Company: 556
Paypal: 538
Government Agency: 426
Lottery: 340
Mobile: 272
Job Offers: 151
Amazon: 88
Ebay: 77
Medical: 60
Social Media: 36
Facebook: 27
Charity: 23
DWP: 6
Student Loan Company: 4

Banking 'hooks': March 2016
NatWest: 132
Tesco Bank: 113
Lloyds TSB: 97
Santander: 92
Barclays: 51
HSBC: 49
Nationwide: 39
Halifax: 21
Royal Bank of Scotland: 13
Remaining bars (2, 2, 2 and 1 reports; labels as extracted from the chart: Bank of Scotland, Capital 1, Citi, First Active, England, Scotland, Wales)
The analysis of the ‘Other phishing hooks’ shows that, as in previous months, the most reported hook in this category was TalkTalk, followed by Apple/iTunes and BT.[2]
[2] It should be noted that the level of analysis of the ‘Other phishing hooks’ is limited due to the presence of free text fields in relation to this category within the ASOV reporting tool. Although the best possible effort has been made to calculate and identify the trends in this category, the figures presented below may be understated.
Top 10 Other Phishing Hooks: March 2016
Talk Talk: 208
Apple / iTunes: 122
BT: 118
Telephone Preference Service: 92
Virgin Media: 49
Gumtree: 31
Argos: 30
DHL: 28
DVSA: 21
Google: 21
1.4 Type of Phishing Request
Similarly to the previous months, nearly one third of all phishing scams reported to Action Fraud via the ASOV tool during March 2016 contained a potentially malicious hyperlink which, upon clicking, could install malware onto the victim’s computer or trick them into providing sensitive information. The second most common type of request was to provide personal information details (15.5%), followed by a request to reply to a scam message (15.1%) and a request to provide banking credentials (11.8%).
Type of Phishing Request: March 2016
Click weblink: 30.8%
Provide personal information: 15.5%
Reply to the message: 15.1%
Provide banking details: 11.8%
Transfer money: 9.0%
Other: 8.7%
Open attachment: 6.7%
Make contact: 2.4%
2. NFIB Phishing Inbox
Once the reporting person submits their online ASOV form to Action Fraud, they are directed to forward the phishing email to a dedicated phishing inbox of
HMRC, DWP, all major banks, PayPal, eBay, Amazon, Facebook or Student Loans Company if the scam message purports to be originating from one of these
organisations, or to the NFIB phishing inbox in all other cases. The findings presented below are based on the analysis of over 22,000 phishing emails
reported to the NFIB phishing inbox during the period of 1st to 31st March 2016.
2.1.1. Subject Headings of Phishing Campaigns – Top 15
The table below represents the Top 15 most prevalent subject headings which appeared, in exactly the same form, in the phishing emails forwarded to the NFIB phishing inbox by members of the public during March 2016. The analysis shows that the methods of social engineering applied in the subject line of a bogus email can vary from an incentive or free gift offering to a more manipulative statement such as ‘Order Receipt’ or ‘Tax Return Notification’.
Message title | Number of emails reported
1 Order Receipt No. (Apple/iTunes) 87
2 HMRC Refund Confirmation 77
3 We need your confirmation for this ALDI surprise treat 71
4 You forgot to print your voucher 66
5 Your Argos card is ready 59
6 We have a GIFT at Argos for you 58
7 We have an early Easter treat for you at ALDI 56
8 2 hours left to confirm your gift surprise. You will love it 52
9 Print your voucher 44
10 Select your Argos gift card now before it expires 42
11 Tax Return Notification 40
12 Your account has been closed 38
13 After serious thoughts, my decision 37
14 You Have Been Chosen... 37
15 AOL Team 36
2.1.2. Indicators of Compromise - ‘Order Receipt No.’ Phishing Campaign
In March 2016, the most commonly reported phishing campaign was a notification purporting to be from Apple, informing the recipient of a recent Netflix monthly subscription or movie download purchased via their iTunes account. The analysis of the URL links contained in the 87 emails reported to the NFIB phishing inbox indicates that a combination of legitimate and malicious domains was used to perpetrate this scam. 17 legitimate websites belonging to businesses in Australia were found to be hosting the phishing content, potentially as a result of a compromise of one web-hosting server operating within the IP range 116.0.16.0 - 116.0.23.255. One domain belonging to a UK business was also found to be acting as a host for this phishing campaign. A further seven domains registered in March 2016 were identified as having been set up purely for malicious reasons.
Domain name | Observables
1 h*tp://europaconservatories.co.uk | This domain belongs to a legitimate UK business.
2 h*tp://gusfrabos.com; h*tp://uevp1p.com; h*tp://daveincybersce.com; h*tp://daveincybersbe.com; h*tp://tucbv4.com; h*tp://gigorolene.com; h*tp://tepvmm9.com | These domains were all set up in March 2016 through the hosting company Launchpad/HostGator. Four domains were set up anonymously and the remaining three were registered under the names of individuals based in the UK, potentially as a result of stolen identity.
3 h*tp://neilsonestate.com.au; h*tp://tigersharkpress.com.au; h*tp://www.nigelthompson.net; h*tp://www.sagesportstherapy.com.au; h*tp://www.risingstar.com.au; h*tp://www.pplumbing.com.au; h*tp://www.juggernautpt.com; h*tp://www.songyudesign.com.au; h*tp://www.skafidas.com.au; h*tp://www.mattys.com.au; h*tp://allureproductions.com.au; h*tp://www.mechcaddesign.com.au; h*tp://www.nedtek.com.au; h*tp://www.therockinghorsestable.com.au; h*tp://www.auntyartstudios.com.au; h*tp://www.sanettsdancersize.com; h*tp://www.taylormademarine.net.au | These domains (17 in total) belong to legitimate Australian businesses. They are all hosted on the same web server within the IP range 116.0.16.0 - 116.0.23.255. All but two domains are hosted by Enetica.
4 h*tp://polypiferous.com; h*tp://misarrangement.com; h*tp://www.mattarnold.com; h*tp://allcdcard.com; h*tp://ksp.magnitogorsk.org | No commonalities found.
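An added example (not the report's or the NFIB's own tooling) of turning the observables above into something an analyst can act on: it refangs the report's h*tp:// URLs for parsing, tallies the hosts by domain suffix as a check on the "Australian businesses" grouping, collapses the quoted range 116.0.16.0 - 116.0.23.255 into CIDR form for a proxy or firewall rule, and labels each host according to where it resolves relative to that range. The domain lists are the report's own; the address resolutions in SAMPLE_RESOLUTIONS are constructed for the example, not real look-ups.

```python
"""Triage of the report's observables. Added example, not from the report; the
address resolutions below are constructed for illustration, not real look-ups."""
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# The 17 Australian hosts and the other domains, exactly as the report lists them (defanged)
COMPROMISED_AU_SITES = [
    "h*tp://neilsonestate.com.au", "h*tp://tigersharkpress.com.au", "h*tp://www.nigelthompson.net",
    "h*tp://www.sagesportstherapy.com.au", "h*tp://www.risingstar.com.au", "h*tp://www.pplumbing.com.au",
    "h*tp://www.juggernautpt.com", "h*tp://www.songyudesign.com.au", "h*tp://www.skafidas.com.au",
    "h*tp://www.mattys.com.au", "h*tp://allureproductions.com.au", "h*tp://www.mechcaddesign.com.au",
    "h*tp://www.nedtek.com.au", "h*tp://www.therockinghorsestable.com.au", "h*tp://www.auntyartstudios.com.au",
    "h*tp://www.sanettsdancersize.com", "h*tp://www.taylormademarine.net.au",
]
OTHER_HOSTS = [
    "h*tp://europaconservatories.co.uk", "h*tp://gusfrabos.com", "h*tp://uevp1p.com",
    "h*tp://daveincybersce.com", "h*tp://daveincybersbe.com", "h*tp://tucbv4.com",
    "h*tp://gigorolene.com", "h*tp://tepvmm9.com",
]
RANGE_START, RANGE_END = "116.0.16.0", "116.0.23.255"  # the range quoted in the report
# Constructed (hypothetical) resolutions; 203.0.113.0/24 and 198.51.100.0/24 are documentation prefixes
SAMPLE_RESOLUTIONS = {
    "neilsonestate.com.au": "116.0.20.5",
    "www.nigelthompson.net": "116.0.17.200",
    "europaconservatories.co.uk": "203.0.113.10",
    "gusfrabos.com": "198.51.100.7",
}
TWO_PART_SUFFIXES = {"co.uk", "com.au", "net.au", "com.br"}

def refang(url):
    """h*tp:// -> http:// so urllib can parse it (for parsing only, never for browsing)."""
    return re.sub(r"^h\*tp(s?)://", r"http\1://", url.strip(), flags=re.I)

def defang(url):
    """The report's own convention for sharing an IoC without creating a clickable link."""
    return re.sub(r"^http(s?)://", r"h*tp\1://", url.strip(), flags=re.I)

def host_of(url):
    return urlsplit(refang(url)).hostname

def suffix_of(host):
    labels = host.lower().split(".")
    two = ".".join(labels[-2:])
    return two if two in TWO_PART_SUFFIXES else labels[-1]

def range_to_networks(start, end):
    """Collapse an inclusive address range into the CIDR blocks a blocking rule needs."""
    return list(ipaddress.summarize_address_range(ipaddress.ip_address(start), ipaddress.ip_address(end)))

def in_reported_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in range_to_networks(RANGE_START, RANGE_END))

def suffix_breakdown(urls):
    """How many hosts sit under each suffix (e.g. com.au)."""
    return Counter(suffix_of(host_of(u)) for u in urls)

def triage(urls, resolutions):
    """Label each host by where it resolves relative to the reported hosting range."""
    result = {}
    for u in urls:
        host = host_of(u)
        ip = resolutions.get(host)
        if ip is None:
            result[host] = "unresolved"
        elif in_reported_range(ip):
            result[host] = "shared-hosting-cluster"
        else:
            result[host] = "resolved-elsewhere"
    return result

if __name__ == "__main__":
    print("CIDR:", [str(n) for n in range_to_networks(RANGE_START, RANGE_END)])
    print("Suffixes:", suffix_breakdown(COMPROMISED_AU_SITES))
    for host, label in triage(COMPROMISED_AU_SITES + OTHER_HOSTS, SAMPLE_RESOLUTIONS).items():
        print(f"{defang('http://' + host):50} {label}")
```

The quoted range collapses to the single block 116.0.16.0/21, which is the form a proxy block rule or a SIEM watch-list would take; hosts labelled "shared-hosting-cluster" are the ones whose compromise is best explained by the single-server hypothesis in the text, while "resolved-elsewhere" hosts need their own explanation.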
2.2. Email Addresses of Phishing Scammers – Top 15
The table below represents the Top 15 most prevalent email addresses used to send phishing emails to members of the public. Email spoofing to impersonate well-known companies continued to be the method of choice in the phishing campaigns in circulation in March 2016. It has been an ongoing trend that the email addresses of companies such as PayPal, Amazon and eBay appear to be the most prone to forgery.
Email address | Number of emails reported | Phishing campaign theme
1 *[email protected]* 70 Supermarket gift cards scam
2 [address missing] 50 Argos gift card, Vanquis credit card, PPI and other scams
3 *[email protected]* 47 Amazon account scam
4 *[email protected]* 40 PayPal account scam
5 *[email protected]* 37 Share in national lottery win (You have been chosen)
6 *[email protected]* 33 PayPal account scam
7 *[email protected]* 30 Tesco Bank scam
8 *[email protected]* 25 Tesco Bank scam
9 *[email protected]* 24 National Lottery scam
10 *[email protected]* 24 Nationwide account scam
11 *[email protected]* 23 National lottery win scam
12 *[email protected]* 21 Sky upgrade, credit card application and other scams
13 *[email protected]*, *[email protected]*,*[email protected]* 20 Bulk email service scam
14 *[email protected]* 19 Tesco Bank scam
15 *[email protected]* 18 Tesco Bank scam
2.3. Malicious URLs Contained in Phishing Emails – Top 15
The below table represents the Top 15 most prevalent URLs which appeared, in exactly the same form, in the phishing emails forwarded to the NFIB
phishing inbox by different members of the public during March 2016. Nine URLs were identified as malicious vectors in phishing scams purporting to be
from banks, with NatWest being the top hook.
Malicious URLs | Number of emails reported | Phishing campaign theme
1 h*tp://kazamobile.com.br/focus/index.php | 20 | NatWest suspicious activity scam
2 h*tp://www.gilgalprayerhouse.com/gil.htm | 19 | Nationwide suspended account scam
3 h*tp://sterdzwig.com/immgggg/ | 15 | Tesco Bank account verification scam
4 h*tp://somalicable.tv/imgg/ | 13 | NatWest payment confirmation scam
5 h*tp://www.ciclismo.com.au/img/glyph/customer-news.virginmedia.com/customer-news.virginmedia.com/update/vm/index.php | 12 | Virgin Media account update scam
6 h*tp://www.hairbodysoul.ca/libraries/phpxmlrpc/compat/customer-news.virginmedia.com/customer-news.virginmedia.com/update/vm/index.php | 12 | Virgin Media account update scam
7 h*tp://pousadasolardeloronha.com.br/work/index.php | 12 | NatWest suspended account scam
8 h*tps://europaconservatories.co.uk/fuerdiaossis/ | 12 | iTunes invoice scam
9 h*tp://toxicwingsli.com/lo.htm | 10 | NatWest blocked account scam
10 h*tp://petalswithpizzazz.com/wp-content/uploads/css/ | 9 | iTunes invoice scam
11 h*tp://petremdistribuciosa.com/cache/nihrt/par/secure.php | 9 | Santander ClickSafe extra protection scam
12 h*tp://talktalkwebmail.net | 9 | TalkTalk account maintenance scam
13 h*tp://www.caeop.org/libraries/phpxmlrpc/compat/customer-news.virginmedia.com/customer-news.virginmedia.com/update/vm/index.php | 8 | Virgin Media account update scam
14 h*tp://banjarmasinkota.go.id/camattimur/index.php | 7 | NatWest suspended account scam
15 h*tp://www.ontimepublications.com.au/xkek972gy/secure.php | 7 | Tesco Bank suspended account scam
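Rows 5, 6 and 13 above share the same tell: the genuine hostname customer-news.virginmedia.com sits inside the path of an unrelated site, and the path tail /update/vm/index.php is identical on all three hosts, which is what one phishing kit deployed on several compromised servers looks like. The following added example (not code from the report) extracts hostnames embedded in a URL's path, flags rows where that hostname differs from the real host, and groups URLs by that kit signature so the three deployments surface as one campaign. The URLs and themes are the report's own; the file-extension list is an assumption of the example.

```python
"""Brand-in-path and kit-signature checks over the report's URL table.
Added example, not from the report; URLs and themes are the report's own, kept defanged."""
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

REPORTED = [  # (defanged URL, campaign theme) as listed in the table
    ("h*tp://kazamobile.com.br/focus/index.php", "NatWest suspicious activity scam"),
    ("h*tp://www.gilgalprayerhouse.com/gil.htm", "Nationwide suspended account scam"),
    ("h*tp://sterdzwig.com/immgggg/", "Tesco Bank account verification scam"),
    ("h*tp://somalicable.tv/imgg/", "NatWest payment confirmation scam"),
    ("h*tp://www.ciclismo.com.au/img/glyph/customer-news.virginmedia.com/customer-news.virginmedia.com/update/vm/index.php", "Virgin Media account update scam"),
    ("h*tp://www.hairbodysoul.ca/libraries/phpxmlrpc/compat/customer-news.virginmedia.com/customer-news.virginmedia.com/update/vm/index.php", "Virgin Media account update scam"),
    ("h*tp://pousadasolardeloronha.com.br/work/index.php", "NatWest suspended account scam"),
    ("h*tps://europaconservatories.co.uk/fuerdiaossis/", "iTunes invoice scam"),
    ("h*tp://toxicwingsli.com/lo.htm", "NatWest blocked account scam"),
    ("h*tp://petalswithpizzazz.com/wp-content/uploads/css/", "iTunes invoice scam"),
    ("h*tp://petremdistribuciosa.com/cache/nihrt/par/secure.php", "Santander ClickSafe extra protection scam"),
    ("h*tp://talktalkwebmail.net", "TalkTalk account maintenance scam"),
    ("h*tp://www.caeop.org/libraries/phpxmlrpc/compat/customer-news.virginmedia.com/customer-news.virginmedia.com/update/vm/index.php", "Virgin Media account update scam"),
    ("h*tp://banjarmasinkota.go.id/camattimur/index.php", "NatWest suspended account scam"),
    ("h*tp://www.ontimepublications.com.au/xkek972gy/secure.php", "Tesco Bank suspended account scam"),
]
# File-name endings that would otherwise look like a hostname ("index.php", "gil.htm"); an assumption
FILE_EXTENSIONS = {"php", "htm", "html", "asp", "aspx", "jsp", "cgi", "js", "css"}
HOST_RE = re.compile(r"(?<![\w-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)

def refang(url):
    """h*tp:// -> http:// for parsing only."""
    return re.sub(r"^h\*tp(s?)://", r"http\1://", url.strip(), flags=re.I)

def embedded_hostnames(url):
    """Hostnames that appear inside the path or query rather than as the real host."""
    parts = urlsplit(refang(url))
    found = set()
    for piece in (unquote(parts.path), unquote(parts.query)):
        for match in HOST_RE.finditer(piece):
            candidate = match.group(1).lower()
            if candidate.rsplit(".", 1)[-1] not in FILE_EXTENSIONS:
                found.add(candidate)
    return found

def flag_brand_in_path(rows):
    """Rows whose path names a hostname that differs from the URL's actual host."""
    flagged = []
    for url, theme in rows:
        host = urlsplit(refang(url)).hostname
        imposters = sorted(h for h in embedded_hostnames(url) if h != host)
        if imposters:
            flagged.append((url, imposters, theme))
    return flagged

def kit_signature(url):
    """Embedded brand host plus the path after its last occurrence; the same value on
    different hosts points to one kit copied from site to site."""
    embedded = sorted(embedded_hostnames(url))
    if not embedded:
        return None
    path = unquote(urlsplit(refang(url)).path)
    return embedded[0] + path.rpartition(embedded[0])[2]

def group_by_kit(rows):
    """Map each kit signature to the real hosts it was found on."""
    groups = defaultdict(list)
    for url, _theme in rows:
        sig = kit_signature(url)
        if sig:
            groups[sig].append(urlsplit(refang(url)).hostname)
    return dict(groups)

if __name__ == "__main__":
    for url, imposters, theme in flag_brand_in_path(REPORTED):
        print(f"{urlsplit(refang(url)).hostname:28} embeds {imposters}  ({theme})")
    for sig, hosts in group_by_kit(REPORTED).items():
        print(f"kit {sig}: {len(hosts)} hosts {hosts}")
```

The path check is deliberately independent of the hosting domain, so it also catches the case where the real host is a long-established, well-reputed site (as the compromised hosts in this table are) that a reputation-only filter would pass.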
2.4. Potential Spam and Phishing Domains - Top 10
The list below represents the Top 10 domains whose URLs, in various forms, appeared in the emails reported to the NFIB phishing inbox in March 2016. Some of the domains are most likely exploited for sending out spam, either for advertising purposes or to install malware on the victim’s machine, whilst the others may host phishing content to obtain sensitive information from the recipient or, again, serve as a malware vector.
Potentially malicious domains | Number of emails reported | Phishing campaign theme
1 cuestasys.com 44 Hidden discounts with various retailers spam
2 kettlebellnow.com 39 Free supermarket gift cards scam
3 6url.ru 36 Online medication sale, extra income and other scams
4 calmsgood.com 36 Free supermarket gift cards scam
5 ww690.smartadserver.com 34 Free supermarket gift cards scam
6 ds.yoldr.com 25 Free supermarket gift cards, confirm your Easyjet flight and other scams
7 t.ymlp89.net 22 Free supermarket gift cards scam
8 t.ymlp24.net 21 Free supermarket gift cards scam, injury claims, life insurance and other scams
9 eapp.welotec.com 20 Free supermarket gift cards scam
10 t.ymlp23.net 18 Uniform tax rebate, free supermarket gift cards and other scams
Notes & Guidance
This report may be circulated in accordance with the protective security marking shown below and caveats included within the report. The information contained in this
report is supplied by the City of London Police in confidence and may not be shared other than with the agreed readership/handling code without prior reference to the
City of London Police. Onward disclosure without prior authority may be unlawful, for example, under the Data Protection Act 1998.
The cover sheets must not be detached from the report to which they refer.
Protective Marking: PROTECT
FOIA Exemption: No
Suitable for Publication Scheme: No
Version: Cyber Crime Phishing_V1.0
Storage File Location: G:\OPERATIONAL\Fraud_Intel\CYBER_PROTECT_TEAM\Phishing_Analysis
Purpose: To inform strategy
Owner: ECD
Author: Intelligence Researcher-103804
Review By: Senior Analyst - 100411
Practical Guidance for PROTECT documents
This document is classified PROTECT. In government and law enforcement this determines the security measures that are required to protect it. This means:
Only permit members of your staff who have a genuine ‘Need to Know’ to see the contents of the document;
Do not copy the document or any of its pages without written approval of the City of London Police Head of Research and Analysis;
Do not pass on the document, or disclose any information contained in it, to any third party (outside of your business) without written approval of the City of London Police Head of Research and Analysis;
Do not read or work on this document in public areas;
Lock the document in a secure cabinet when it is not being used;
Only dispose of this product by shredding, pulping or incineration.