Abnormal Attack Stories #7: Coronavirus Credit Card Theft

March 23, 2020

Abnormal Security

Abnormal Security

In this attack, attackers are impersonating a major financial institution offering financial relief, including creating a fully-fledged landing page, to attempt to steal credit card information from victims.

Quick Summary:

  • Platform: Office 365
  • # Mailboxes: Between 20,000 and 50,000
  • Email Gateway: IronPort
  • Email Security: Office 365
  • Victims: Employees
  • Payload: Malicious Link
  • Technique: Brand Impersonation

What was the attack?

  • Setup: This attack leverages the economic uncertainty around COVID-19. As the economy has come to a standstill, the attackers realize that many will be seeking relief from their credit card bills, especially if they are one of the many workers whose hours have been reduced or who have been laid off.
  • Email Attack: The attacker created a very convincing email and landing page that appeared to come from a major financial institution. The email they created indicated that this financial institution was offering financial relief to their current credit card customers if those customers completed a form. They even sent the email from a convincing looking (but likely spoofed) domain name, [bank]relief.com.sg. The landing page they created appeared like a true bank landing page, though it was built on a domain (http://www.casadosexshop.com.br/) that was clearly not a bank domain.
  • Payload: The true URL that the attackers were pushing the recipients of this email to was concealed; all the recipients saw was “Start Here” and then the very convincing landing page once they clicked through. On the landing page, the attackers requested information about the recipient’s credit card that would allow them to use it: the recipient’s name, address, phone number, credit card number, expiration date, and the CVV code.
  • Result: This attack was an attempt at stealing user’s credit card information.

Why is this attack effective?

  • Urgency: Given the economic uncertainty around COVID-19 and the likelihood that recipients would be worried about their ability to pay their credit card bills should their hours be reduced or should they be laid off. In fact, the attackers in this particular attack targeted an employee who worked in a department that would be most likely to be impacted by the economic effects of widespread quarantines and lockdowns, making it more likely that they would interact with something offering them debt relief.
  • Convincing email and landing page: The email and landing page that the attacker created were convincing. The email appeared to be copied from a real email from this bank, with all other links removed so that users would only interact with the link intended to take them to the landing page which would steal their credentials. The landing page was similarly elaborate, appearing almost exactly like the true bank landing page. Recipients would be hard-pressed to understand that this was, in fact, a site designed specifically to steal their credit card information.
  • Concealed URL: The URL where the landing page was ultimately hosted (http://www.casadosexshop.com.br/) was clearly not a site owned or run by this bank. However, the email concealed this URL, and the attackers likely expected that recipients would be too convinced by the landing page they created to double-check that the URL was valid.

About

Abnormal Attack Stories are real world examples of attacks that we’ve seen in the wild.

Targeted Email Attack

(click to enlarge)

Payload

(click to enlarge)

Techniques to Detect

(click to enlarge)

Subscribe to receive twice-monthly updates of the latest attacks we've detected in the wild:

Related content

COVID-19-related attack deep dives

Like our article? Share our content