Technology This mobile phishing scam targeted bank app users; thousands clicked through

20:15  14 february  2020
20:15  14 february  2020 Source:   zdnet.com

Phishing scam costs Texas school district $2.3M, FBI investigating

  Phishing scam costs Texas school district $2.3M, FBI investigating A school district in Manor, Texas, was caught in a phishing email scam that cost $2.3 million in losses within two months, officials said. © Austin American-Statesman via AP, FILE A photo shows the exterior of Manor Senior High School in Manor, west of Austin, Texas, March 1, 2018. Investigators with the Manor Police Department and the FBI are following "strong leads" to figure out how a massive amount of money was sucked out of the Manor Independent School District, according to a news release from Friday. The district services over 8,000 students from elementary to high school.

Mobile banking app users have been targeted by phishing scam messages which aim to trick them into giving up their login details.

a hand holding a knife: UK banks are the latest target of the Marcher malware. Image: iStock© ZDNet

UK banks are the latest target of the Marcher malware. Image: iStock

Almost 4,000 smartphone users have been fooled into clicking through to the links that are part of a mobile phishing campaign, with most in the US and Canada.

Uncovered by researchers at mobile cybersecurity company Lookout, the campaign is based around an SMS message which attempt to lure the victim into visiting fake websites purporting to be those of major US and Canadian banks.

There’s a new FedEx text message scam that you need to know about

  There’s a new FedEx text message scam that you need to know about The hard part about avoiding dangerous online and mobile scams is that scammers have become much more sophisticated in recent years. Whether it's a phishing email purporting to be from Apple or a call from someone claiming to be from the IRS, consumers need to remain as vigilant as ever when it comes to identifying seemingly legit messages designed to steal an individual's personal information and cold hard cash. The latest texting scam comes in the form of a text designed to look like a legitimate FedEx tracking notification.

The group behind this phishing attack left part of its infrastructure exposed, which is how Lookout was able to identify the nearly 4,000 unique IP addresses that visited the phishing websites. The company said there was no way of knowing if any had suffered financial losses.

The phishing messages claim that the bank's security system has detected unusual activity on the user's account and urges them to follow a URL to check: but it's a trick to lure them into giving up their details.

The criminals behind the attacks don't know which bank their potential victim is a customer of, but by spamming out enough messages with the names of different banks to enough users, some of the attacks will match the right bank with the right customer – and some of those will follow the malicious link to one of over 200 phoney websites.

Apple engineers propose a way to make using two-factor texts easier

  Apple engineers propose a way to make using two-factor texts easier If you've ever used online banking or any other highly-secure website, chances are you've encountered a one-time passcode (OTP) before. These are SMS messages sent to your phone with a unique code that verifies your identity with the website you're on. For a lot of users, inputting this code into the website involves tapping back and forth between the browser and the SMS client -- and in some cases even having to physically write down the code, because it's so long or complicated. Now, Apple engineers have put forward a proposal designed to make the whole process easier and more secure.The proposal has two main objectives.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

Those malicious links lead to fake versions of banking websites, but ones which are designed to look like the mobile version of their authentic equivalent, featuring the correct fonts, layouts and sizing, as well as authentic links to related pages users would expect on a banking website – including notices about security and privacy.

Not only will the phishing page take the victim's username and password, but it'll also ask a series of additional 'security' questions, asking them to confirm their identity by entering a card's expiration date or double-checking the account number.

For the cyber criminals, this is to ensure they have all the information required to steal the victim's account details – either to make fraudulent transactions with the victim's money themselves, or potentially to sell the information on to others on underground forums.

Roseville cab driver protects 92-year-old woman from $25,000 scam

  Roseville cab driver protects 92-year-old woman from $25,000 scam A Roseville cab driver helped a 92-year-old woman not get scammed out of thousands of dollars, police said Tuesday. Raj Singh was called to take the woman from her home at the Sun City retirement community to the bank. require(["medianetNativeAdOnArticle"], function (medianetNativeAdOnArticle) { medianetNativeAdOnArticle.getMedianetNativeAds(true); }); Sign up for our Newsletters“While en route, he started talking with the woman who informed Raj that she owed the IRS $25,000 and she was headed to the bank to get the money and send it off to settle her debt,” Roseville police said in a Facebook post.

It's unknown where exactly this phishing campaign originated from, but researchers note that despite the success, the attacks are far from sophisticated.

"This particular campaign shows us how easy it is for a less computer-savvy person to get into the phishing business by buying an "off-the-shelf" phishing kit. The attacker can then target potential victims en masse via SMS messages and track the kit's success with the simple user interface," Apurva Kumar, staff security intelligence engineer at Lookout told ZDNet.

Lookout has notified all of the banks targeted by the campaign and as of today, the phishing sites are all down.

However, while this phishing campaign isn't active for now, others will emerge in an effort to steal bank details and personal information – but by using some simple security knowledge, users can avoid falling victim to attacks.

"When it comes to phishing, conventional wisdom is user awareness. Be wary of links on a mobile device that have been sent to you, whether by email or text message. Instead, develop the habit of proceeding to a login screen using a bookmarked link or the official website of a service they want to use," said Kumar.

Phishing scams are costing us more than ever. This trick is most likely to catch you out

  Phishing scams are costing us more than ever. This trick is most likely to catch you out Scammers are still getting big payouts from business email compromise attacks - but almost two thirds of attacks involve a much simpler scheme.Young asian entrepreneurs women hands holding credit card for online shopping at home,teenager owner business,success and online shopping concept.


'Apple support' phishing scams are getting really good

These hackers are using Android surveillance malware to target opponents of the Syrian government

New phishing email campaign impersonates US postal service to deliver malware

This latest phishing scam is spreading fake invoices loaded with malware

After Math: Stunning figures .
The news just wouldn't stop dropping this week. First, Parasite absolutely dominated the Oscars, everyone was convinced Bill Gates bought a hydrogen-powered mega-yacht for a hot second (surprise, he didn't), Israeli Prime Minister Benjamin Netanyahu's political party left the entirety of its voter rolls -- millions of records -- just swinging in the breeze, and the massive $26.5 billion T-mobile/Sprint merger finally got the court's blessing toI'm disappointed in you, Puerto Rico. Getting snookered for seven figures by a run-of-the-mill phishing scam is the sort of behavior I'd expect from Florida, but you should know better.

—   Share news in the SOC. Networks

Topical videos:

usr: 2
This is interesting!