A new SMS phishing (sometimes called “smishing”) campaign has been targeting UK residents. The HM Revenue and Customs (HMRC) tax rebate scams have been tricking many people into giving away personal information to attackers such as names, addresses, passport numbers, etc. The attack begins with an SMS message that either tells the user that they have a tax rebate they are eligible for, or that they own tax money. Once the user clicks the link included in the message, they are taken to a webpage targets online banking customers based on a sort code. By using the sort code, the attackers can identify which bank the victim uses. From there, a phishing page for that page is displayed where the user would enter their username, password, memorable words, 2-Factor Authentication, etc. This campaign uses an extensive workflow, making the user go through many pages and supply a lot of information. The phishing web pages that are used are designed to mirror that of the legitimate ones. Many different sites have been used, with new ones being added daily as old ones start to become marked as spam.
Analyst Notes
The main goal of this attack is to steal information from the victims. This attack is more sophisticated than other information-stealing attacks. This multi-step attack allows the attackers to get personal and banking details about the victim, which could lead to fraud. Clicking on links that are sent through text messages should be avoided at all times—not only could the web page be a fraud, but some content could deliver an exploit that can take over control of Android or iPhone devices. If someone wants to visit the link that was sent to them, they should open a browser and search for the address themselves. Using 2-Factor Authentication is a great first step in preventing unauthorized people from accessing accounts. It is good practice not to set up 2-Factor Authentication with SMS because it is easier for attackers to intercept those messages or temporarily take over a phone number with a SIM-swapping attack by fooling the cellular service provider into thinking the attacker is their customer. 2-Factor Authentication should always be set up using a trusted third-party application that randomly generates a code. Binary Defense’s Counterintelligence team monitors on the behalf of companies for any domains that have become registered that are being used to trick people into thinking that are the legitimate company website. A service like this can help companies identify these typo-squatted domains and get them taken down before they can cause harm.
More can be read here: https://www.bleepingcomputer.com/news/security/hmrc-smishing-tax-scam-targets-uk-banking-customers/
