This phishing campaign targets executives with fake emails from their phone provider

Messages claiming to be from a phone network direct victims towards spoofed websites designed to steal login credentials and credit card information.
Written by Danny Palmer, Senior Writer

A new spear-phishing campaign has targeted executives and others in an attempt to steal login credentials and bank account details by posing as their smartphone provider.

Uncovered by researchers at cybersecurity company Cofense, the attacks come in the form of emails claiming to be from their mobile phone provider, and refer to a problem with their bill.

The security company said the spoof mail had been sent to "a few executives, including one at a leading financial firm".

The messages come with the vague subject 'View Bill – Error – Message' and are designed with branding that looks like they could come from EE. The message tells the victim that the company is working on fixing an unspecified problem and that the user should log in to their account to update their details.

Users should be cautious about unexpected messages like this – especially if, like this one, they urge some sort of immediate action – but there are also some elements of the phishing email that should act as a warning that all is not right.

While the 'from' display does include EE, the email address is not related to the company, and the domain the message has actually been sent from is registered in the Netherlands.

The malicious URL that the email asks victims to click is also long and very strange, featuring 'fly-guyz', which should indicate that something is wrong.

However, if the victim doesn't notice any of this and clicks the link, they're taken to a spoofed login page that looks very similar to the real thing – complete with a trusted HTTPS protocol and SSL certificate for the domain. However, the web address is all wrong.
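The warning signs described above (a display name that claims a brand while the sender domain and link host belong to someone else) can be checked mechanically. The following is an added example, not code from Cofense or the original article; the brand allowlist is an assumption a defender would maintain, and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: brand name -> domains that brand legitimately sends from and links to.
BRAND_DOMAINS = {"ee": {"ee.co.uk"}}

def _under(host, domains):
    """True if host equals, or is a subdomain of, one of the allowed domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def check_message(raw):
    """Return a list of warning strings for one RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    body = "\n".join(str(p.get_payload()) for p in msg.walk()
                     if p.get_content_type() == "text/plain")
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        # The brand must appear as a whole word in the display name.
        if not re.search(rf"\b{re.escape(brand)}\b", display, re.I):
            continue
        if not _under(sender_domain, domains):
            findings.append(f"display name claims {brand!r} but sender domain is {sender_domain!r}")
        for url in re.findall(r"https?://[^\s<>\"']+", body):
            host = urlsplit(url).hostname or ""
            # HTTPS is deliberately not a trust signal: only the host is compared.
            if not _under(host, domains):
                findings.append(f"link host {host!r} is not a {brand!r} domain")
    return findings

# Constructed sample modelled on the article's description (placeholder domains).
SAMPLE = """\
From: EE <billing@mailer.example.nl>
To: exec@corp.example
Subject: View Bill - Error - Message

We are fixing a problem. Log in to update your details:
https://fly-guyz.example/ee/login
"""
# Constructed message whose sender and link both sit under the allowlisted domain.
GENUINE = "From: EE <noreply@ee.co.uk>\n\nYour bill: https://my.ee.co.uk/bill\n"

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print("WARN:", finding)
```
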

First, the user is asked to enter their email address and password to 'login' to the spoofed website, providing cyber criminals with login credentials they could exploit for additional fraud. After entering these details, the victim is taken to another page, which this time asks them for all their bank details, including the full name, card number, the expiry date, the CVV number, their date of birth and the sort code – it's everything a criminal needs.

After entering their details on this page, the user is redirected to the real operator's page – an effort by the attackers to avoid suspicion by the victim.

The security company said the phishing page is still active, indicating that attempts at attacks are likely to be ongoing.

Unfortunately, spoofed domains aren't new but remain a successful means of attack, so users should be wary of any unexpected emails that claim to be from companies and which demand immediate attention – especially if that call to action involves clicking a link or downloading an unexplained attachment.

If people really aren't sure what to do, they should try to call the company the email claims to be from in order to determine if it's authentic or not.

