Phishing Scheme Uses Legit Signup Forms to Steal Payment Card Data

Baiting Scheme

Legitimately looking organization newsletter subscription forms to scam unwary victims from making payment transactions leading to hackers’ personal bank account.

Phishing Technique

Drawn companies such as Audi, Austrian Airlines, and S-Bahn Berlin to Russian users. Here’s how it is pulled off:

1. Email catch line saying “Money for you” either written in English or German obviously profiling specific group of users.
2. Embedded emails comprises of malicious code passes users to rooted dating website.
3. Users will have to lead to several redirect page before resting to the actual Phishing site.
4. Participated victims have been chosen for the promo with a catch phrase of “The luck e-mail” is shown on the phished page.
5. Pot money reaching to 3000 euro will surely would ring a bell, so users will have to immediately fill up a survey form.
6. As soon as victims completed the survey form, the phishing page will show details about the promo, prize money, and withdrawal conditions which includes a condition that states that the winner must pay a commission for exchanging EUR to RUB.
7. Finally, victims are encourage to do the payment via credit card which lead them to the fraudulent payment section of the webpage.

 

Never runs out of idea

Like any other phishing scheme, threat actors are after the victim’s various confidential information, downloading attachments containing malware, or clicking links redirecting to malware-laden attachments which then be used to more malign motives. The most ingenious way, however, is how the hackers use “official” newsletter signup page adding links to their phishing websites.

 

Preventive Measures

There is no proven system that could safeguard organization from phishing scam however, effective email spam filter would it be whitelisting rule or SPF and DKIM for fundamental components of email authentication thus help protect email senders and recipients from spam, spoofing, and phishing and accompany with good employee education on how to deal with suspecting emails would lessen the trouble atleast on the part of the IT personnel. It is also accepted that threat of this type will flourish and infiltrate our system and devices thru all sorts of vectors so organization and users should ensure that safe keep information cannot leave and fall into the wrong hands.