PROTECT - INTELLIGENCE

Phishing: March 2016


Introduction: The purpose of this document is to provide an analysis of the most prevalent trends and characteristics of phishing campaigns in the UK in March 2016. The analysis is based on the information reported to Action Fraud via the Attempted Scams or Viruses (ASOV) Reporting Tool, as well as on data obtained from the NFIB phishing inbox, which consists of phishing emails reported by members of the public.

Phishing is the attempt to acquire sensitive information (e.g. usernames, passwords and credit card details) or to steal money by masquerading as a trustworthy entity in an electronic communication such as an email, pop-up message, phone call or text message. Cybercriminals often use social engineering techniques to trick the recipient into handing over their personal information, transferring money or even downloading malicious software onto their device.

Although some phishing scams are poorly designed and clearly fake, more determined criminals employ various techniques to make them appear genuine. These techniques can include:

- Identifying the most effective phishing ‘hooks’ to use in the message to get the highest click-through rate.

- Including genuine logos and other identifying information of legitimate organisations in the message.

- Providing a mixture of legitimate and malicious hyperlinks in the message, e.g. authentic links to the privacy policy and terms of service of the genuine organisation. These authentic links are mixed in with links to a fake phishing website in order to make the spoof site appear more realistic.

- Spoofing the URLs of genuine websites. The most common tricks are the use of sub-domains (the genuine name placed in front of an attacker-controlled domain) and misspelled URLs, as well as hiding a malicious URL behind what appears to be a link to a genuine website, which can be revealed by hovering the mouse over it. More sophisticated techniques rely on homograph spoofing, in which a URL built from characters of other scripts that look identical to Latin letters reads exactly like a trusted domain. Some phishing scams use JavaScript to place a picture of a legitimate URL over the browser’s address bar. The URL revealed by hovering over an embedded link can also be changed using JavaScript. [1]

WARNING: THIS DOCUMENT MAY CONTAIN LINKS TO MALICIOUS WEBSITES OR EMAIL ADDRESSES. DO NOT CLICK ON ANY HYPERLINKS CONTAINED IN THIS DOCUMENT.

[1] http://searchsecurity.techtarget.com/definition/phishing
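The link-level tricks described in the introduction (sub-domain abuse, misspelled domains, a visible URL that differs from the real href, and homographs) can be checked mechanically before anyone hovers. The Python below is an added example written for this page, not code from the report, Action Fraud or the NFIB. It assumes an illustrative allow-list of trusted brand domains (natwest.com is used only because the report names NatWest as a top hook), a hand-picked subset of Unicode's confusable characters, and a short list of two-level public suffixes; a production tool would load the full Public Suffix List and confusables table. Given a link's visible text and its real href, it reports hover/href mismatch, the sub-domain trick, misspellings within two edits of a trusted domain, and punycode or mixed-script homographs.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Two-level public suffixes that occur in this report's URLs. A production tool
# would load the full Public Suffix List; this short set is an assumption.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "com.au", "net.au", "com.br", "go.id"}

# Hand-picked subset of Unicode's confusables: non-Latin letters that render like
# Latin ones (Cyrillic a e o p c y x i j s, Greek omicron and alpha). Assumption.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u03bf": "o", "\u03b1": "a",
})


def to_unicode_host(host: str) -> str:
    """Decode punycode (xn--) labels so the host reads the way the victim sees it."""
    host = host.lower().rstrip(".")
    if "xn--" in host:
        try:
            return host.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # undecodable label: keep the raw form, the other checks still run
    return host


def skeleton(host: str) -> str:
    """Confusable-folded host: NFKC-normalise, then map look-alike letters to Latin."""
    return unicodedata.normalize("NFKC", to_unicode_host(host)).translate(CONFUSABLES)


def registrable_domain(host: str) -> str:
    """Owner-level domain: 'natwest.com.example.com' -> 'example.com'."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def scripts_used(s: str) -> set[str]:
    """Unicode scripts of the letters in s, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in s if ch.isalpha()}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch misspelled brand domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(display_text: str, href: str, trusted: set[str]) -> list[str]:
    """Findings for one anchor (visible text + real href); an empty list means clean."""
    findings = []
    host = (urlsplit(href).hostname or "").lower()
    owner = registrable_domain(host)
    # 1. Hover mismatch: the visible text names one site, the href goes to another.
    shown = re.search(r"https?://([^/\s]+)", display_text)
    if shown and registrable_domain(shown.group(1)) != owner:
        findings.append(f"display/href mismatch: text shows {shown.group(1)}, link goes to {host}")
    # 2. Sub-domain trick: a trusted name placed under an untrusted registrable domain.
    for brand in trusted:
        if brand in host and owner != brand:
            findings.append(f"subdomain trick: {brand} appears inside {owner}")
    # 3. Homograph: with look-alike letters folded, the host reads as a trusted domain.
    folded_owner = registrable_domain(skeleton(host))
    if skeleton(host) != host and folded_owner in trusted:
        findings.append(f"homograph: {host} reads as {folded_owner}")
    scripts = scripts_used(to_unicode_host(host))
    if len(scripts) > 1:
        findings.append(f"mixed-script host: {sorted(scripts)}")
    # 4. Misspelling: within two edits of a trusted domain but not equal to it.
    for brand in trusted:
        if 0 < edit_distance(folded_owner, brand) <= 2:
            findings.append(f"possible misspelling of {brand}: {folded_owner}")
    return findings


if __name__ == "__main__":
    trusted = {"natwest.com"}  # assumption: an illustrative allow-list
    samples = [  # constructed anchors, not links taken from the report
        ("https://www.natwest.com/security", "http://natwest.com.example.com/login"),
        ("Log in", "http://natvvest.com/"),
        ("Log in", "http://n\u0430twest.com/"),  # Cyrillic 'a' in the host
        ("Log in", "http://" + "n\u0430twest.com".encode("idna").decode("ascii") + "/"),
        ("Log in", "https://www.natwest.com/"),
    ]
    for text, href in samples:
        print(href, "->", check_link(text, href, trusted) or "clean")
```

The visible text is matched only when it looks like a URL; a link whose text is a bare word ("Log in") cannot be mismatched, which is why the other three checks look at the href alone. Folding to a skeleton before comparing is what catches the homograph case: the raw host never equals the brand, but what the eye reads does.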


1. Action Fraud: Attempted Scams or Viruses (ASOV) Reporting Tool

The ASOV reporting tool, which is operated by Action Fraud, allows members of the public to report instances of phishing where someone has been approached with a scam message (via email, text or phone) but has not suffered a financial loss as a result and has not exposed their personal details to a scammer. The analysis in this section is based on data received by Action Fraud in the month of March 2016.

1.1 Volume of Phishing Reports Received

During March 2016 there were a total of 9840 phishing reports made to Action Fraud via the ASOV reporting tool. This is an average of 317 reports per day, a 24% increase compared with March 2015 and a 32% decrease compared with February 2016, when the reporting level was exceptionally high.

[Chart: Average Number of Phishing Reports Received per Day, March 2015 - March 2016. Monthly values (reports per day) as extracted from the chart: 276, 232, 255, 299, 270, 205, 181, 382, 210, 315, 270, 468, 317; the text above confirms Feb-16 = 468 and Mar-16 = 317.]


1.2 Communication Channels for Phishing

Analysis of the phishing reports received during March 2016 identified that, as in previous months, the most common communication channel used for distribution of phishing scams was email (73.5%), followed by landline phone calls (13%) and text messages (6.4%).

Contact Channels for Phishing: March 2016

Email                    73.5%
Landline Phone Call      13.0%
Text Message              6.4%
Mobile Phone Call         2.1%
Other                     2.1%
Post                      1.4%
Social Media              1.0%
Popup Message             0.5%
Instant Messaging         0.2%


1.3 Phishing ‘Hooks’

A phishing ‘hook’ is the social-engineering pretext used to masquerade as a trustworthy entity in a communication in order to trick the potential victim into following an instruction or request contained in the message. Throughout March 2016, the most prevalent phishing ‘hooks’ identified in the reported data continued to fall within the ‘Other hooks’ category, followed by ‘hooks’ which referred to HM Revenue and Customs (HMRC) and retail banks. The phishing hooks impersonating banks most commonly referred to NatWest, Tesco Bank and Lloyds TSB.

Phishing Hooks: March 2016 (number of reports)

Other: 3470
HMRC: 2447
Bank: 1319
IT Company: 556
Paypal: 538
Government Agency: 426
Lottery: 340
Mobile: 272
Job Offers: 151
Amazon: 88
Ebay: 77
Medical: 60
Social Media: 36
Facebook: 27
Charity: 23
DWP: 6
Student Loan Company: 4

Banking ‘hooks’: March 2016 (number of reports)

NatWest: 132
Tesco Bank: 113
Lloyds TSB: 97
Santander: 92
Barclays: 51
HSBC: 49
Nationwide: 39
Halifax: 21
Royal Bank of Scotland: 13
Bank of Scotland: 2
Capital 1: 2
Citi: 2
First Active: 1


Analysis of the ‘Other phishing hooks’ shows that, as in previous months, the most reported hook in this category was TalkTalk, followed by Apple/iTunes and BT. [2]

[2] It should be noted that the level of analysis of the ‘Other phishing hooks’ is limited by the presence of free-text fields for this category in the ASOV reporting tool. Although the best possible effort has been made to calculate and identify the trends in this category, the figures presented below may be understated.

Top 10 Other Phishing Hooks: March 2016 (number of reports)

Talk Talk: 208
Apple / iTunes: 122
BT: 118
Telephone Preference Service: 92
Virgin Media: 49
Gumtree: 31
Argos: 30
DHL: 28
DVSA: 21
Google: 21


1.4 Type of Phishing Request

As in previous months, nearly one third of all phishing scams reported to Action Fraud via the ASOV tool during March 2016 contained a potentially malicious hyperlink which, upon clicking, could install malware onto the victim’s computer or trick them into providing sensitive information. The second most common type of request was to provide personal information (15.5%), followed by a request to reply to the scam message (15.1%) and a request to provide banking credentials (11.8%).

Type of Phishing Request: March 2016

Click weblink                 30.8%
Provide personal information  15.5%
Reply to the message          15.1%
Provide banking details       11.8%
Transfer money                 9.0%
Other                          8.7%
Open attachment                6.7%
Make contact                   2.4%


2. NFIB Phishing Inbox

Once the reporting person submits their online ASOV form to Action Fraud, they are directed to forward the phishing email to the dedicated phishing inbox of HMRC, DWP, one of the major banks, PayPal, eBay, Amazon, Facebook or the Student Loans Company if the scam message purports to originate from one of these organisations, or to the NFIB phishing inbox in all other cases. The findings presented below are based on analysis of over 22,000 phishing emails reported to the NFIB phishing inbox between 1 and 31 March 2016.

2.1.1. Subject Headings of Phishing Campaigns – Top 15

The table below lists the Top 15 most prevalent subject headings which appeared, in exactly the same form, in the phishing emails forwarded to the NFIB phishing inbox by members of the public during March 2016. The analysis shows that the social-engineering methods applied in the subject line of a bogus email vary from an incentive or free-gift offer to more manipulative statements such as ‘Order Receipt’ or ‘Tax Return Notification’.

Rank  Message title                                                  Number of emails reported

1     Order Receipt No. (Apple/iTunes)                               87
2     HMRC Refund Confirmation                                       77
3     We need your confirmation for this ALDI surprise treat         71
4     You forgot to print your voucher                               66
5     Your Argos card is ready                                       59
6     We have a GIFT at Argos for you                                58
7     We have an early Easter treat for you at ALDI                  56
8     2 hours left to confirm your gift surprise. You will love it   52
9     Print your voucher                                             44
10    Select your Argos gift card now before it expires              42
11    Tax Return Notification                                        40
12    Your account has been closed                                   38
13    After serious thoughts, my decision                            37
14    You Have Been Chosen...                                        37
15    AOL Team                                                       36


2.1.2. Indicators of Compromise - ‘Order Receipt No.’ Phishing Campaign

In March 2016, the most commonly reported phishing campaign was a notification purporting to be from Apple, informing the recipient of a recent Netflix monthly subscription or movie download purchased through their iTunes account. Analysis of the URLs contained in the 87 emails reported to the NFIB phishing inbox indicates that a combination of legitimate and malicious domains was used to perpetrate this scam. 17 legitimate websites belonging to businesses in Australia were found to be hosting the phishing content, most likely because the sites themselves had been compromised, potentially through the compromise of a single web-hosting server operating within the IP range 116.0.16.0 - 116.0.23.255. One domain belonging to a UK business was also found to be hosting this phishing campaign. A further seven domains, registered in March 2016, were identified as having been set up purely for malicious purposes.

Domain name(s) and observables

1. h*tp://europaconservatories.co.uk
   This domain belongs to a legitimate UK business.

2. h*tp://gusfrabos.com; h*tp://uevp1p.com; h*tp://daveincybersce.com; h*tp://daveincybersbe.com; h*tp://tucbv4.com; h*tp://gigorolene.com; h*tp://tepvmm9.com
   These seven domains were all set up in March 2016 through the hosting company Launchpad/HostGator. Four were registered anonymously and the remaining three under the names of individuals based in the UK, potentially using stolen identities.

3. h*tp://neilsonestate.com.au; h*tp://tigersharkpress.com.au; h*tp://www.nigelthompson.net; h*tp://www.sagesportstherapy.com.au; h*tp://www.risingstar.com.au; h*tp://www.pplumbing.com.au; h*tp://www.juggernautpt.com; h*tp://www.songyudesign.com.au; h*tp://www.skafidas.com.au; h*tp://www.mattys.com.au; h*tp://allureproductions.com.au; h*tp://www.mechcaddesign.com.au; h*tp://www.nedtek.com.au; h*tp://www.therockinghorsestable.com.au; h*tp://www.auntyartstudios.com.au; h*tp://www.sanettsdancersize.com; h*tp://www.taylormademarine.net.au
   These 17 domains belong to legitimate Australian businesses. They are all hosted on the same web server within the IP range 116.0.16.0 - 116.0.23.255. All but two are hosted by Enetica.

4. h*tp://polypiferous.com; h*tp://misarrangement.com; h*tp://www.mattarnold.com; h*tp://allcdcard.com; h*tp://ksp.magnitogorsk.org
   No commonalities found.
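The hosting-range observation in the table above is the kind of indicator that can be put to work directly. The Python below is an added example written for this page, not tooling from the City of London Police or the NFIB. It converts the report's start/end range into a CIDR block, re-fangs the report's ‘h*tp://’ notation so the URLs can be parsed (they are never fetched), groups the hostnames by whether their address falls inside the suspect range, and shows how such a range can be derived from observed A records in the first place. The DNS answers are a constructed lookup table passed in as a function (assumption, not real resolutions), so the code runs offline; in use the same slot takes a live or passive-DNS resolver.

```python
import ipaddress
from typing import Callable, Optional
from urllib.parse import urlsplit

# Range quoted in the report for the Australian hosting server, summarised to CIDR.
RANGE_START, RANGE_END = "116.0.16.0", "116.0.23.255"
HOSTING_NETS = list(ipaddress.summarize_address_range(
    ipaddress.ip_address(RANGE_START), ipaddress.ip_address(RANGE_END)))  # [116.0.16.0/21]

# Defanged URLs copied from rows 1 to 3 of the report's table above.
IOC_URLS = [
    "h*tp://europaconservatories.co.uk",
    "h*tp://gusfrabos.com",
    "h*tp://neilsonestate.com.au",
    "h*tp://tigersharkpress.com.au",
    "h*tp://www.mattys.com.au",
]

# Constructed resolver answers (assumption, not real DNS data): three hosts inside the
# range, one in the 203.0.113.0/24 documentation range, one that does not resolve.
FAKE_DNS = {
    "neilsonestate.com.au": "116.0.18.45",
    "tigersharkpress.com.au": "116.0.21.7",
    "www.mattys.com.au": "116.0.16.200",
    "europaconservatories.co.uk": "203.0.113.10",
}

Resolver = Callable[[str], Optional[str]]


def refang(url: str) -> str:
    """Undo the report's 'h*tp' defanging so the URL parses; nothing is ever fetched."""
    return url.replace("h*tp", "http")


def hostname(url: str) -> str:
    return (urlsplit(refang(url)).hostname or "").lower()


def in_hosting_range(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_NETS)


def cluster_by_hosting(urls, resolve: Resolver):
    """Split IoC hostnames into (inside range, outside range, unresolved).
    The resolver is injected so the caller chooses live DNS, passive DNS or a cache."""
    inside, outside, unresolved = [], [], []
    for url in urls:
        host = hostname(url)
        ip = resolve(host)
        if ip is None:
            unresolved.append(host)
        elif in_hosting_range(ip):
            inside.append((host, ip))
        else:
            outside.append((host, ip))
    return inside, outside, unresolved


def smallest_covering_net(ips) -> ipaddress.IPv4Network:
    """Smallest single CIDR block containing every address: how a range like the
    report's can be derived from the A records of the compromised sites."""
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    net = ipaddress.ip_network(str(addrs[0]))
    while not all(a in net for a in addrs):
        net = net.supernet()
    return net


def blocklist_lines(urls, resolve: Resolver) -> list[str]:
    """Hosts confirmed in the suspect range, one 'host<TAB>ip' line each, for a proxy
    or DNS filter; hosts outside the range are left alone (they may be clean)."""
    inside, _, _ = cluster_by_hosting(urls, resolve)
    return sorted(f"{host}\t{ip}" for host, ip in inside)


if __name__ == "__main__":
    inside, outside, unresolved = cluster_by_hosting(IOC_URLS, FAKE_DNS.get)
    print("suspect range:", [str(n) for n in HOSTING_NETS])
    print("inside:", inside, "outside:", outside, "unresolved:", unresolved)
    print("derived from observed IPs:", smallest_covering_net([ip for _, ip in inside]))
    print("\n".join(blocklist_lines(IOC_URLS, FAKE_DNS.get)))
```

Blocking the whole /21 would also cut off every uninvolved customer of that hosting provider, which is why the blocklist is built from confirmed hosts and the range is used only as the clustering key.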


2.2. Email Addresses of Phishing Scammers – Top 15

The table below lists the Top 15 email addresses most frequently used to send phishing emails to members of the public. Email spoofing to impersonate well-known companies continued to be the method of choice in the phishing campaigns in circulation in March 2016. It has been an ongoing trend that the email addresses of companies such as PayPal, Amazon and eBay are the most frequently forged.

Rank  Email address  Number of emails reported  Phishing campaign theme

1   *[email protected]*   70   Supermarket gift cards scam
2   *[email protected]*   50   Argos gift card, Vanquis credit card, PPI and other scams
3   *[email protected]*   47   Amazon account scam
4   *[email protected]*   40   PayPal account scam
5   *[email protected]*   37   Share in national lottery win (You have been chosen)
6   *[email protected]*   33   PayPal account scam
7   *[email protected]*   30   Tesco Bank scam
8   *[email protected]*   25   Tesco Bank scam
9   *[email protected]*   24   National Lottery scam
10  *[email protected]*   24   Nationwide account scam
11  *[email protected]*   23   National lottery win scam
12  *[email protected]*   21   Sky upgrade, credit card application and other scams
13  *[email protected]*, *[email protected]*, *[email protected]*   20   Bulk email service scam
14  *[email protected]*   19   Tesco Bank scam
15  *[email protected]*   18   Tesco Bank scam
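The forged sender addresses above work because the visible From: header is free text that nothing checks by default. The Python below is an added example, not tooling from the report or the NFIB; it pulls out the header-level signals that separate a forged From: from a genuine one: the envelope sender (Return-Path) versus From:, a Reply-To that diverts replies elsewhere, and the receiving server's recorded SPF/DKIM verdict. Both messages are constructed samples (assumption), not emails from the NFIB inbox, and the paypal.com domain appears only because the report names PayPal as a commonly forged sender.

```python
import email
import re
from email.utils import parseaddr


def domain_of(header_value: str) -> str:
    """Domain part of the first address in a header (lower-cased, '' if none)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def spoof_indicators(raw_message: str) -> list[str]:
    """Header-level signs that the visible From: is not who really sent the mail."""
    msg = email.message_from_string(raw_message)
    findings = []
    from_domain = domain_of(msg.get("From", ""))
    # The envelope sender (Return-Path) is what the sending server actually used; a
    # brand From: with an unrelated bounce address is the classic forgery pattern.
    return_path = domain_of(msg.get("Return-Path", ""))
    if return_path and return_path != from_domain:
        findings.append(f"Return-Path domain {return_path} != From domain {from_domain}")
    # A Reply-To pointing elsewhere diverts the victim's replies to the scammer.
    reply_to = domain_of(msg.get("Reply-To", ""))
    if reply_to and reply_to != from_domain:
        findings.append(f"Reply-To domain {reply_to} != From domain {from_domain}")
    # The receiving MX's own verdict, if it recorded one (RFC 8601 header).
    auth = msg.get("Authentication-Results", "")
    m = re.search(r"\bspf=(fail|softfail|none)\b", auth)
    if m:
        findings.append(f"SPF {m.group(1)} for envelope sender")
    if re.search(r"\bdkim=(fail|none)\b", auth):
        findings.append("no valid DKIM signature")
    return findings


# Constructed messages (assumption: illustrative only, not emails from the NFIB inbox).
SPOOFED = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.25]) by mx.example.org
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "PayPal" <service@paypal.com>
Reply-To: <verify-account@mailbox.example>
To: victim@example.org
Subject: Your account has been limited

Please confirm your details.
"""

GENUINE = """\
Return-Path: <service@paypal.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com
From: "PayPal" <service@paypal.com>
To: customer@example.org
Subject: Your receipt

Thanks for your order.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, "->", spoof_indicators(raw) or "no indicators")
```

These checks read what the receiving server already recorded; they do not perform SPF or DKIM verification themselves, so they are only as trustworthy as the Authentication-Results header written by your own MX, and an attacker-supplied copy of that header should be stripped at the border.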


2.3. Malicious URLs Contained in Phishing Emails – Top 15

The table below lists the Top 15 most prevalent URLs which appeared, in exactly the same form, in the phishing emails forwarded to the NFIB phishing inbox by different members of the public during March 2016. Nine of the URLs were identified as malicious vectors in phishing scams purporting to be from banks, with NatWest being the top hook.

Rank  Malicious URL  Number of emails reported  Phishing campaign theme

1   h*tp://kazamobile.com.br/focus/index.php   20   NatWest suspicious activity scam
2   h*tp://www.gilgalprayerhouse.com/gil.htm   19   Nationwide suspended account scam
3   h*tp://sterdzwig.com/immgggg/   15   Tesco Bank account verification scam
4   h*tp://somalicable.tv/imgg/   13   NatWest payment confirmation scam
5   h*tp://www.ciclismo.com.au/img/glyph/customer-news.virginmedia.com/customer-news.virginmedia.com/update/vm/index.php   12   Virgin Media account update scam
6   h*tp://www.hairbodysoul.ca/libraries/phpxmlrpc/compat/customer-news.virginmedia.com/customer-news.virginmedia.com/update/vm/index.php   12   Virgin Media account update scam
7   h*tp://pousadasolardeloronha.com.br/work/index.php   12   NatWest suspended account scam
8   h*tps://europaconservatories.co.uk/fuerdiaossis/   12   iTunes invoice scam
9   h*tp://toxicwingsli.com/lo.htm   10   NatWest blocked account scam
10  h*tp://petalswithpizzazz.com/wp-content/uploads/css/   9   iTunes invoice scam
11  h*tp://petremdistribuciosa.com/cache/nihrt/par/secure.php   9   Santander ClickSafe extra protection scam
12  h*tp://talktalkwebmail.net   9   TalkTalk account maintenance scam
13  h*tp://www.caeop.org/libraries/phpxmlrpc/compat/customer-news.virginmedia.com/customer-news.virginmedia.com/update/vm/index.php   8   Virgin Media account update scam
14  h*tp://banjarmasinkota.go.id/camattimur/index.php   7   NatWest suspended account scam
15  h*tp://www.ontimepublications.com.au/xkek972gy/secure.php   7   Tesco Bank suspended account scam
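Rows 5, 6 and 13 above show one phishing kit dropped onto three unrelated compromised sites: the path embeds the impersonated hostname customer-news.virginmedia.com and ends in the identical update/vm/index.php, and two of the three sit in the same libraries/phpxmlrpc/compat directory (a path that appears in older Joomla installs), which points to the same kind of site being compromised. The Python below is an added example, not tooling from the report. It detects a brand hostname embedded in the path of a URL whose real host is not that brand, clusters the report's URLs by kit signature so that one kit on many hosts is recognised as one campaign, and lists hosts sharing a drop directory. The brand list is an illustrative assumption; the URLs are the report's own, kept defanged.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Brand domains impersonated in the report's table; an illustrative assumption.
BRANDS = {"virginmedia.com", "natwest.com", "tescobank.com", "santander.co.uk", "apple.com"}
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "net.au", "com.br", "go.id"}

# Defanged URLs copied from the report's Top 15 table (rows 1, 5, 6, 7, 8, 13, 14).
REPORTED_URLS = [
    "h*tp://kazamobile.com.br/focus/index.php",
    "h*tp://www.ciclismo.com.au/img/glyph/customer-news.virginmedia.com/customer-news.virginmedia.com/update/vm/index.php",
    "h*tp://www.hairbodysoul.ca/libraries/phpxmlrpc/compat/customer-news.virginmedia.com/customer-news.virginmedia.com/update/vm/index.php",
    "h*tp://pousadasolardeloronha.com.br/work/index.php",
    "h*tps://europaconservatories.co.uk/fuerdiaossis/",
    "h*tp://www.caeop.org/libraries/phpxmlrpc/compat/customer-news.virginmedia.com/customer-news.virginmedia.com/update/vm/index.php",
    "h*tp://banjarmasinkota.go.id/camattimur/index.php",
]


def refang(url: str) -> str:
    """Undo the report's 'h*tp' defanging so the URL parses; it is never fetched."""
    return url.replace("h*tp", "http")


def registrable_domain(host: str) -> str:
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def split_url(url: str) -> tuple[str, list[str]]:
    """(real host, non-empty path components) for a possibly defanged URL."""
    parts = urlsplit(refang(url))
    return (parts.hostname or "").lower(), [p for p in parts.path.split("/") if p]


def brands_in_path(url: str) -> set[str]:
    """Brand domains that appear in path components of a URL served from another domain."""
    host, components = split_url(url)
    owner = registrable_domain(host)
    return {b for c in components for b in BRANDS if b in c.lower() and owner != b}


def kit_signature(url: str) -> str:
    """Path tail identifying the kit: from the first brand-bearing component to the end,
    or the last two components when no brand string is present."""
    _, components = split_url(url)
    for i, c in enumerate(components):
        if any(b in c.lower() for b in BRANDS):
            return "/".join(components[i:])
    return "/".join(components[-2:])


def cluster_campaigns(urls) -> dict[str, list[str]]:
    """Kit signature -> hosts serving it, keeping only signatures seen on more than one host."""
    groups = defaultdict(list)
    for url in urls:
        groups[kit_signature(url)].append(split_url(url)[0])
    return {sig: hosts for sig, hosts in groups.items() if len(hosts) > 1}


def shared_drop_directory(urls, depth: int = 3) -> dict[str, list[str]]:
    """Hosts whose kit sits under the same leading directories, a hint that the same
    CMS footprint was exploited (libraries/phpxmlrpc/compat in rows 6 and 13)."""
    groups = defaultdict(list)
    for url in urls:
        host, components = split_url(url)
        if len(components) > depth:
            groups["/".join(components[:depth])].append(host)
    return {d: hosts for d, hosts in groups.items() if len(hosts) > 1}


if __name__ == "__main__":
    for url in REPORTED_URLS:
        print(split_url(url)[0], brands_in_path(url) or "-", kit_signature(url))
    print("campaign clusters:", cluster_campaigns(REPORTED_URLS))
    print("shared drop directories:", shared_drop_directory(REPORTED_URLS))
```

The kit signature is deliberately anchored on the brand-bearing component rather than on the whole path, because the attacker controls only the directory the kit lands in; the tail of the path is the kit itself and survives from one compromised host to the next.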


2.4. Potential Spam and Phishing Domains - Top 10

The list below gives the Top 10 domains whose URLs, in various forms, appeared in the emails reported to the NFIB phishing inbox in March 2016. Some of the domains are most likely used for sending out spam, either for advertising purposes or to install malware on the victim’s machine, whilst the others may host phishing content to obtain sensitive information from the recipient or, again, serve as a malware vector.

Rank  Potentially malicious domain  Number of emails reported  Phishing campaign theme

1   cuestasys.com   44   Hidden discounts with various retailers spam
2   kettlebellnow.com   39   Free supermarket gift cards scam
3   6url.ru   36   Online medication sale, extra income and other scams
4   calmsgood.com   36   Free supermarket gift cards scam
5   ww690.smartadserver.com   34   Free supermarket gift cards scam
6   ds.yoldr.com   25   Free supermarket gift cards, confirm your Easyjet flight and other scams
7   t.ymlp89.net   22   Free supermarket gift cards scam
8   t.ymlp24.net   21   Free supermarket gift cards scam, injury claims, life insurance and other scams
9   eapp.welotec.com   20   Free supermarket gift cards scam
10  t.ymlp23.net   18   Uniform tax rebate, free supermarket gift cards and other scams


Notes & Guidance

This report may be circulated in accordance with the protective security marking shown below and the caveats included within the report. The information contained in this report is supplied by the City of London Police in confidence and may not be shared other than with the agreed readership/handling code without prior reference to the City of London Police. Onward disclosure without prior authority may be unlawful, for example, under the Data Protection Act 1998.

The cover sheets must not be detached from the report to which they refer.

Protective Marking: PROTECT

FOIA Exemption: No

Suitable for Publication Scheme: No

Version: Cyber Crime Phishing_V1.0

Storage File Location: G:\OPERATIONAL\Fraud_Intel\CYBER_PROTECT_TEAM\Phishing_Analysis

Purpose: To inform strategy

Owner: ECD

Author: Intelligence Researcher-103804

Review By: Senior Analyst - 100411

Practical Guidance for PROTECT documents

This document is classified PROTECT. In government and law enforcement this determines the security measures that are required to protect it. This means:

- Only permit members of your staff who have a genuine ‘Need to Know’ to see the contents of the document;
- Do not copy the document or any of its pages without written approval of the City of London Police Head of Research and Analysis;
- Do not pass on the document, or disclose any information contained in it, to any third party (outside of your business) without written approval of the City of London Police Head of Research and Analysis;
- Do not read or work on this document in public areas;
- Lock the document in a secure cabinet when it is not being used;
- Only dispose of this product by shredding, pulping or incineration.