Spotted in the Wild

The following are some of the phishing campaigns that have been doing the rounds recently:

Email Spoofing

Phishing campaigns have been spoofing several email domains to trick users into visiting and logging into external websites so that their credentials can be stolen. The emails come from an unrecognised sender and pretend to be the internal postmaster for the domain.

In the two screenshots below of the faked postmaster emails, it can be seen how the campaign builders utilise customised fields to fool users into thinking the emails originate from a mailbox admin (postmaster).

The custom fields used were as follows:

  • The email is addressed to the name of the mailbox or user being targeted.
  • The contained links are disguised as the internal domain name (domain.co.za), but all of them point to external web resources that request logon credentials.

A simple check of the email's origin (the actual sender) shows that these messages do not come from the organisation's own mail server. They are safe to ignore, and best practice is to block the sender in every instance.
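As an added example (not code from the original post), the check below applies the two signs described above to a constructed sample message: whether the envelope sender (Return-Path) belongs to the domain the From header claims, and whether links whose visible text shows the internal domain actually point to an external host. The internal domain domain.co.za comes from the post; every other address, host and path is a placeholder.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

INTERNAL_DOMAIN = "domain.co.za"

# Constructed sample modelled on the fake "postmaster" email described above.
# Every address, host and path here is a placeholder, not a real indicator.
SAMPLE_EMAIL = """\
From: postmaster@domain.co.za
Return-Path: <bounce@mailer-example.net>
To: jane.doe@domain.co.za
Subject: Mailbox quota warning
Content-Type: text/html

<p>Dear jane.doe, your mailbox is almost full.</p>
<p><a href="http://login-example.net/verify">https://domain.co.za/webmail</a></p>
"""

# Matches simple <a href="...">text</a> anchors, enough for mass-mailed HTML.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(addr):
    """Domain part of an address such as 'Name <user@host>' or '<user@host>'."""
    return addr.rsplit("@", 1)[-1].strip("<> ").lower()


def is_internal(host, internal_domain):
    return host == internal_domain or host.endswith("." + internal_domain)


def assess(raw, internal_domain=INTERNAL_DOMAIN):
    """Return the reasons a message looks like a spoofed internal postmaster mail."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = domain_of(msg["From"])
    return_domain = domain_of(msg["Return-Path"])
    # Sign 1: header claims to be internal, but the envelope sender is not.
    if from_domain == internal_domain and not is_internal(return_domain, internal_domain):
        findings.append(f"From claims {from_domain} but Return-Path is {return_domain}")
    # Sign 2: link text shows the internal domain, but the href goes elsewhere.
    for href, text in ANCHOR_RE.findall(msg.get_content()):
        host = (urlparse(href).hostname or "").lower()
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop nested tags in link text
        if internal_domain in text and not is_internal(host, internal_domain):
            findings.append(f"link text '{text}' points to external host {host}")
    return findings
```

Running assess(SAMPLE_EMAIL) reports both signs; a message whose Return-Path and link targets really sit under domain.co.za produces no findings.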

OneDrive Clone (Forgery)

This is another example of a phishing website cleverly disguised as a OneDrive login page. When comparing the original login page with the fake, the differences are as clear as day. This link was circulated via email claiming to be a shared document/invoice.

A quick comparison between the two websites makes it easy to identify the fake. However, looking at the fake website on its own, it is easy to understand how some people may fall for this forgery.

Comparisons:

  • URL is not the same as OneDrive.
  • URL bar also identifies the site as suspicious.
  • OneDrive (original) only allows login with a Microsoft account.
  • No options to create an account.

Pro tip: Files shared from OneDrive, Dropbox and the like do not usually require a login when shared via a link, because the default security setting on most cloud sharing platforms allows anyone with the file link (URL) to read, but not edit, the file.

Fake OneDrive login page

Real OneDrive login page

419 Scams

Advanced-fee scams, or as they are better known, 419 scams, are nothing new. These scams involve advising someone that they’ve won or inherited a large sum of money and that they’d either need to make a small payment to receive the bulk of the funds or provide their banking details for a transfer.
All such emails should be treated as fake. They are 100% scams and will never pay out the sum promised. The intention is to get funds from the victim and, in some cases, to keep extorting them for more funds in the future.

Points that confirm it to be a scam:

  • ‘Dear email owner’ – any genuine email or document concerning funds received addresses the exact person. As shown here, it does not address any one person directly.
  • Contact person – the contact in this example has provided email addresses that do not use the email domain of the organisation being represented, instead pointing to an external entity.
  • The images in the document (background, logo, official stamp and signature) are poorly cloned, and the background is even missing sections. This is likely due to constant reuse by different parties, each clearing the text and adding their own.