Contributor: Mayur Deshpande
Phishing emails masquerading as banking communications are observed in huge quantities every single day. Spammers often exploit global news and major world events to carry out phishing attacks, using international and regional news stories to disguise their phishing content and trick recipients into giving up sensitive personal data.
Recently, Canada enacted an anti-spam law which mandates that all companies obtain explicit consent from customers for email correspondence. Spammers exploited this news to send phishing emails pretending to request consent for emails. The phishing attempt shown below goes a step further and fabricates fake news about a similar law in the United States.
Figure. Phishing sample quoting fake law
The relevant content from the phishing email mentioning a fake US anti-spam law is below:
Effective July 20, 2014, United State's new anti-spam law comes into effect and [BANK NAME] wants to ensure that your representative will be able to continue sending you emails and other electronic messages without any interruptions. In addition to messages from your representative, we may also send you other electronic messages, including but not limited to newsletters and surveys as well as information, offers, and promotions regarding our products and services or those of others that we believe you might be interested in ("Electronic Messages").
By clicking "I Agree", you are providing your express consent to receiving Electronic Messages from each member of the [BANK NAME] identified below (you can withdraw your consent at any time). As well, you are confirming that you are the sole user of the email account to which we sent this email.
The email urges the recipient to click on a hyperlink in the body to agree to the changes and to continue receiving email correspondence from the bank. The link redirects to a fake website which demands logon credentials and other personal information "for further processing". Any information entered on that webpage can be used to compromise the user's bank account.
Various features in the email can alert recipients that the email is not legitimate:
- The domain in the From header is not the bank's domain, or even related to banking
- The link in the body points to a URL shortening service domain (bit.ly) rather than the bank's own site
- The news about a new anti-spam law in the US is fabricated
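The three tells listed above can be turned into simple mail-filter heuristics. The script below is an added example written for this page, not Symantec's filter or any product code: it parses a raw message, checks the From domain against an assumed list of legitimate bank sending domains, flags links whose host is a known URL shortener or is not the bank's, and looks for the combination of an "anti-spam law" lure with consent wording. The trusted-domain list, shortener list, and both sample messages (including the `bit.ly/XXXXXXX` placeholder link) are constructed for the example.

```python
"""Heuristic phishing indicators modelled on the tells described in the post.

Constructed example: the domain lists and sample messages are assumptions,
not data from any real campaign.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the bank legitimately sends from and links to (assumed for this example).
TRUSTED_BANK_DOMAINS = {"example-bank.com"}

# Common URL-shortening services; bit.ly is the one named in the post.
URL_SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly", "is.gd"}

# Lure phrases taken from the quoted sample: a new anti-spam law plus consent wording.
LURE_PATTERNS = [r"anti-spam law", r"express consent", r"\bi agree\b"]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def is_trusted_host(host):
    """True if host is a trusted bank domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_BANK_DOMAINS)


def sender_domain(msg):
    """Return the lowercase domain of the From header, or '' if absent."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def body_text(msg):
    """Concatenate all text/plain and text/html parts as decoded strings."""
    chunks = []
    for part in msg.walk():  # walk() yields the message itself when not multipart
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                charset = part.get_content_charset() or "utf-8"
                chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks)


def extract_link_hosts(text):
    """Return the set of lowercase hostnames of all http(s) URLs in the text."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def phishing_indicators(raw_email):
    """Return human-readable indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw_email)
    indicators = []

    # Tell 1: From domain is not the bank's.
    domain = sender_domain(msg)
    if domain and not is_trusted_host(domain):
        indicators.append(f"From domain '{domain}' is not a trusted bank domain")

    # Tell 2: links go to a URL shortener or some other non-bank host.
    text = body_text(msg)
    for host in sorted(extract_link_hosts(text)):
        if host in URL_SHORTENER_DOMAINS:
            indicators.append(f"Link uses URL shortener '{host}'")
        elif not is_trusted_host(host):
            indicators.append(f"Link points to non-bank host '{host}'")

    # Tell 3: the fabricated-law lure paired with consent wording.
    lowered = text.lower()
    hits = [p for p in LURE_PATTERNS if re.search(p, lowered)]
    if len(hits) >= 2:
        indicators.append("Body combines anti-spam-law lure with consent wording")

    return indicators


# Constructed sample modelled on the email quoted in the post (not a real message).
SAMPLE_PHISH = """\
From: "Example Bank" <alerts@mail-notify-center.net>
To: customer@example.org
Subject: Action required: consent to continue receiving messages
Content-Type: text/plain; charset=utf-8

Effective July 20, 2014, United State's new anti-spam law comes into effect and
Example Bank wants to ensure you keep receiving Electronic Messages.
By clicking "I Agree" you are providing your express consent:
http://bit.ly/XXXXXXX
"""

# Constructed benign message for comparison.
SAMPLE_LEGIT = """\
From: "Example Bank" <notices@example-bank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/plain; charset=utf-8

Your statement is available at https://www.example-bank.com/statements
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(raw))
```

Run as-is, the phishing sample produces all three indicators and the benign sample none. In a real gateway these checks would feed a score alongside authentication results (SPF, DKIM, DMARC) rather than block on their own, since a single shortened link or a marketing "I agree" button is common in legitimate mail.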
Phishing continues to be the biggest email threat, and all users should be alert to possible phishing attempts. Symantec has created filters for these attacks and advises users to keep their anti-spam products updated frequently to get the best protection against such threats.