RedMarlin Research Labs Blog

If you use email, chances are you know how to spot a phishing email. It turns out that is not enough to stay safe from phishing online, because bad actors keep getting more creative with the techniques they use to steal sensitive user data.

We spotted a very recent Twitter account that became active barely 16 hours before this post was written. It infringes on Natwest bank’s brand and has been tweeting replies to unsuspecting users with links to fake Natwest bank websites. Here is a screenshot of the account’s most recent activity.

Image 1. Fake Natwest customer support Twitter handle tweeting phishing links

The way this phish works is the scammer replies to a tweet sent from a user to the real customer support handle. In this case, the real handle for Natwest customer support is Natwest_Help. If the user falls for the fake customer support’s tweet as seen above, they will end up entering credentials on the phishing website.

We went further and checked the phishing links above: they are indeed fake Natwest webpages with forms built to steal user credentials. The website walks the victim through several steps, asking for a piece of information on each page. One page asks for specific characters from the password (e.g. the 2nd, 3rd and 8th), presumably to mimic the real Natwest UI, but the next page then asks for the full password and PIN. The forms on these “verification” pages are quite elaborate, asking for everything from customer number, password and PIN to the user’s address and credit card details.

Image 2. Example of one of the “verification” steps

Once the user goes through the whole process and hits submit, the website sends the entered information to the scammers and then redirects the user to https://personal.natwest.com – Natwest’s legitimate online banking site. The redirection goes through Google’s URL redirection, another technique popular among scammers for bouncing users to malicious websites. In this case, however, it is merely used to land the user on the bank’s real website so that nothing looks amiss.

Image 3. Redirection to natwest.com through google.ru

Phishing on Twitter looks extremely genuine because the conversation is user-initiated and the reply looks just like the one you’d expect from the customer support handle. That makes it even harder for unsuspecting users to spot fake handles and links.

In this case, we reported the account to Twitter Support but at the time of the post, the handle was still alive. Thankfully, the phish sites (see below) were down.

IOCs:

http://www[.]natwest-tech[.]16mb.com/home/Login.php?sslchannel=true&sessionid=pIMb1QyjoDUaMWEUXhJDt3J16OeufWDFEqQGgpZF3UQPQuKNLurexbfEZu8erMT5cKMs9L7cFX2vsMjd
http://nwolb[.]axfree[.]com/natwestprotection/home
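The two defanged IOCs above make a handy test input for the kind of check a defender can run on tweeted links: does the hostname carry the bank’s brand while the registrable domain is not one the bank owns, and is the link wrapped in a Google redirector? The example below is added here and is not RedMarlin’s tooling; the brand tokens, the owned-domain list and the Google redirector sample are assumptions for the Natwest case described in this post.

```python
"""Brand-impersonation check for phishing URLs (example code added to this
post, not RedMarlin's). Input: the two defanged IOCs from the post, with the
long sessionid of the first one shortened."""
from urllib.parse import urlsplit, parse_qs

# Tokens attackers reuse to look like the bank (assumption: "nwolb" is the
# NatWest online-banking host name, "natwest" the brand itself).
BRAND_TOKENS = ("natwest", "nwolb")
# Domains the bank actually controls (assumption for this example).
OWNED_DOMAINS = ("natwest.com", "nwolb.com")


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxp://a[.]b) back into a parseable URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host: str) -> str:
    """Last two labels of the host; good enough for .com-style TLDs,
    not for two-part public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def final_destination(url: str) -> str:
    """If the URL is a Google redirector (google.<tld>/url?q=<target>),
    return the wrapped target so checks run on the real landing page;
    otherwise return the URL unchanged."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    if parts.path == "/url" and registrable_domain(host).startswith("google."):
        target = parse_qs(parts.query).get("q")
        if target:
            return target[0]
    return refang(url)


def is_brand_impersonation(url: str) -> bool:
    """True when the brand appears in the hostname but the registrable
    domain is not one the brand owns, e.g. natwest-tech.16mb.com."""
    host = (urlsplit(final_destination(url)).hostname or "").lower()
    if registrable_domain(host) in OWNED_DOMAINS:
        return False
    return any(tok in host for tok in BRAND_TOKENS)


IOCS = [  # constructed test input, taken from the two IOCs in the post
    "http://www[.]natwest-tech[.]16mb.com/home/Login.php?sslchannel=true",
    "http://nwolb[.]axfree[.]com/natwestprotection/home",
]
```

Both IOCs are flagged, while the legitimate https://personal.natwest.com is not, even when wrapped in a google.ru redirector.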

Quick shoutout to Techhelplistcom for bringing attention to the fake Twitter handle.

Spare a moment and send us a note using Twitter or reply on this post. We’re happy to talk!

As the U.S. tax filing season for 2017 approaches, we are seeing the expected rise in phishing attempts, most of them trying to steal sensitive information such as SSNs, IDs and bank account details. The problem is only expected to grow as the April 18 filing deadline gets closer.

The Internal Revenue Service (IRS) recently issued an advisory for tax professionals and taxpayers to be wary of emails and links whose source is unknown or looks suspicious.

It is also interesting to see how quickly scammers come up with new tricks every tax season. For example, the tweet below from the IRS refers to a scam in which the bad guys email tax professionals claiming that a tax recipient’s direct deposit information has changed at the last minute, in an obvious attempt to redirect refunds to the scammers’ accounts.

On the web side, we have observed several variants of phishing websites that infringe on the IRS logo and other artifacts to trick users into entering sensitive personal information. A couple of examples are below:

Sample 1: Phishing website trying to steal credit card and home loan account numbers.

Sample 2: Phishing website trying to steal tax identification numbers and other sensitive information.

Phishing remains on what the IRS calls the “Dirty Dozen” list of tax scams for 2017. The IRS also reported a 400 percent increase in phishing and malware scams in 2016, and the trend doesn’t seem to be slowing down this year.

Our advice for taxpayers and tax professionals is to keep up with the IRS’s alerts on the latest tax scams and, in general, to form a habit of verifying the source of suspicious-looking emails and links. Remember that the IRS never asks for sensitive information via email; if you think you have received a phishing email, forward it to phishing@irs.gov.

At RedMarlin, we monitor the web for the latest online threats, such as phishing and other scams that infringe on the reputation of popular brands to carry out malicious activity against unsuspecting users. We share intelligence with brands and other security providers in our pursuit to keep the web safe. Leave a comment on this blog post or send us a tweet. We’re happy to talk!