In April, TSB (a retail and commercial bank in the UK) announced they would shut down some systems for an IT upgrade.
Systems such as online banking, payments, and transfers would be unavailable between 4:00 p.m. April 20, and 6:00 p.m. April 22. However, the upgrade was a disaster, and over a month later customers are still having problems.
These problems would only get worse once criminals started circling, and it wasn’t long before phishing emails and text messages started to focus on the event.
Action Fraud, the UK’s national fraud and cybercrime reporting center, says that TSB related phishing has spiked from 30 in April, to 321 in May (that’s 970% if you’re keeping count), but those are only the reports that have officially been called into police.
Today on Salted Hash, we’re going to look at these TSB phishing attacks from both the criminal’s perspective and the victim’s. We’re also going to examine some things that administrators can do to detect these kits as they go live on their servers.
Email and Text Messages:
The TSB attacks start via email or text message. In the email, we see a notice that the issues surrounding TSB have been resolved – or at least that’s what the criminal wants the victim to think.
For anyone who has had problems with TSB, this message would be welcome news, so they might overlook the fact that the message itself isn’t personalized like normal bank communications. Instead, it’s addressed to ‘recipients’ and uses a generic greeting.
The phishing (sometimes known as smishing or SMS phishing) via text message is more direct. Those messages state your TSB account has been suspended and instruct you to visit a URL to correct the issues. However, the URL is clearly not a TSB domain.
In both cases the criminal is playing off the TSB hype, and hoping that you – the victim – will not pay attention to the little details. This logic is crystal clear when you see the actual website the criminals have constructed.
Phishing domains using HTTPS:
The domain has a valid SSL certificate (it has HTTPS), and the design of the website is nearly identical to the real TSB login page. The only difference – and this is a big difference – is that the URL itself isn’t legitimate. As shown in the video, that’s not the TSB website, no matter how pretty it looks.
But we’ve been trained to look for HTTPS, especially when it comes to banking, so if the website feels legitimate and the HTTPS is there, some people will feel secure and enter their details. That’s a problem, because if the web address (URL) isn’t legitimate, then HTTPS or no, the website is a sham.
Remember, if the address isn’t what you’re expecting, it’s a fraud. HTTPS alone isn’t enough to prove legitimacy, and since HTTPS is becoming the norm, criminals aren’t shy about using it. In this case, the criminal registered a domain and then registered a certificate to match.
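The check the article is describing, that the host in the address is (or is under) the bank’s real domain and that a padlock proves nothing, can be automated for incoming reports. The following is an added example written for this article, not TSB’s or any vendor’s code. It assumes `tsb.co.uk` is the bank’s legitimate domain (an assumption for the example) and the message and URLs it scans are constructed, not taken from the campaign. It deliberately reports whether HTTPS was used but never lets that influence the verdict, and it catches the two address tricks that fool a casual glance: the real domain used as a prefix of a different domain, and the real domain placed before an `@` so that it is merely a username.

```python
import re
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Hostnames the bank actually uses. "tsb.co.uk" is an assumption made for this
# example; a real deployment would load the bank's published list.
LEGITIMATE_DOMAINS: Set[str] = {"tsb.co.uk"}

# Pulls http(s) and www. links out of free text (SMS bodies, email text parts).
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def _with_scheme(url: str) -> str:
    """Tolerate links pasted without a scheme so urlsplit sees a netloc."""
    return url if "://" in url else "http://" + url


def _hostname(url: str) -> Optional[str]:
    """Lower-cased hostname only: userinfo, port and path are dropped."""
    try:
        return urlsplit(_with_scheme(url)).hostname
    except ValueError:
        return None


def domain_matches(host: str, legitimate: Set[str]) -> bool:
    """True only if host IS a legitimate domain or a subdomain of one.

    Matching on the '.domain' suffix means 'tsb.co.uk.evil.example' fails:
    the real name appearing *somewhere* in the host is not enough.
    """
    return any(host == d or host.endswith("." + d) for d in legitimate)


def classify_url(url: str, legitimate: Set[str] = LEGITIMATE_DOMAINS) -> Dict:
    host = _hostname(url)
    scheme = urlsplit(_with_scheme(url)).scheme.lower()
    result: Dict = {"url": url, "host": host, "https": scheme == "https", "findings": []}

    if host is None:
        result["findings"].append("unparseable host")
        result["verdict"] = "suspicious"
        return result

    # Netloc is everything between the scheme and the first slash.
    netloc = _with_scheme(url).split("://", 1)[1].split("/", 1)[0]
    if "@" in netloc:
        result["findings"].append("credentials in URL: text before '@' is not the host")
    if any(label.startswith("xn--") for label in host.split(".")):
        result["findings"].append("internationalised (punycode) label: possible look-alike")

    if domain_matches(host, legitimate):
        result["verdict"] = "legitimate domain"
    else:
        result["verdict"] = "suspicious"
        result["findings"].append("host %r is not a legitimate bank domain" % host)
    # "https" is reported for the analyst but never used in the verdict:
    # the kit in the article had a valid certificate as well.
    return result


def scan_message(text: str, legitimate: Set[str] = LEGITIMATE_DOMAINS) -> List[Dict]:
    """Classify every link found in a message body."""
    urls = [m.group(0).rstrip(".,;:)") for m in URL_RE.finditer(text)]
    return [classify_url(u, legitimate) for u in urls]


if __name__ == "__main__":
    # Constructed sample SMS in the style the article describes; the domain is
    # a placeholder, not an indicator from the real campaign.
    sms = ("TSB: your account has been suspended. Restore access at "
           "https://tsb.co.uk.account-verify.example/login now.")
    for r in scan_message(sms):
        print(r["verdict"], r["host"], "https=%s" % r["https"], r["findings"])
```

Run over a mailbox of reported messages, anything that comes back `suspicious` is worth a block at the mail or SMS gateway, and a `legitimate domain` result with `https` false is the one case where the scheme alone should still raise an eyebrow.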
Also, take your time.
Situations like what’s going on at TSB are a huge draw for criminals, because there is chaos and confusion, running alongside a highly-charged emotional setting. Rightfully so, customers are angry, and thus are likely to click links or answer questions without a clear understanding of context.