Overview of selected scams - August 2024

We present the report on identified threats and the methods of operation used by criminals for the month of August 2024. This document highlights selected risks to customers of Polish banks. We encourage you to review the material.
The document does not cover threats that have been known for many months and were described in an earlier report, such as the "classicscam", fake Facebook login panels, fake shops and others. It is essential to remember, however, that these scenarios are still being used by criminals, and we must continually work against them.
FALSE INVESTMENT SCHEMES
A well-known but still very popular fraud scenario is fake investments. This scam involves cybercriminals impersonating famous people or institutions to entice potential victims to invest money with promises of high returns, only to cause significant financial losses.
Additionally, in September 2024, CSIRT KNF analysts reported for blocking 316 fake profiles that posted fake investment ads (Fig. 1).
Figure 1 Fake investment ads distributed on the Facebook platform.
Another way criminals strengthen their psychological manipulation is by using the image of well-known institutions, in this case CERT POLSKA and the Police. In August 2024, criminals created websites impersonating these organizations. The sites informed victims about a supposed opportunity for "safe earnings" (Fig. 2). These websites were distributed through advertisements on the Facebook platform.

Figure 2 Fake investment ads - imitating CERT POLSKA and the Police
Similar to previous months, the attackers also developed applications aimed at encouraging supposed investments. These applications do not infect devices. Their purpose is to lend credibility to the phishing scenario (Fig. 3).

Figure 3 Fake investment app
A recurring pattern is the second stage of the discussed scam. In this stage, the criminals post information about the possibility of recovering previously lost money. In reality, this is another attempt to deceive individuals who had already fallen for this scheme earlier (Fig. 4).

Figure 4 Fake investment scam - second stage
CRIMINAL CAMPAIGNS IN POLAND
In this section of the report, we present the identified criminal campaigns that directly impersonated organizations within the Polish financial sector and other organizations. Their aim was to steal personal information and banking product data.
IMPERSONATING POLISH BANKS
Criminals exploit the image of well-known institutions to increase the credibility of phishing campaigns, which is why they regularly impersonate Polish banks. In doing so, they fraudulently obtain information such as payment card details, online banking credentials, and BLIK codes. In August 2024, the preferred methods for distributing fake websites impersonating banks were SMS and email messages.
SMS IMPERSONATION OF BANKS
Criminals impersonated BNP Paribas Bank, Santander Bank Polska, and Alior Bank by sending SMS messages. They falsely claimed that access to online banking was expiring or that urgent data updates were required. To avoid issues, recipients were encouraged to click on the link provided in the message. In reality, the link led to a phishing site that impersonated the mentioned banks, aiming to steal online banking login credentials. It's also worth noting the way certain words were written in the fraudulent message; criminals use such tactics to evade detection of their phishing campaigns and prevent them from being blocked before reaching potential victims.
Example SMS messages (Fig. 5-6):

Figure 5 SMS Message - Bank impersonation 1/2

Figure 6 SMS Message - Bank impersonation 2/2
Phishing sites (Fig. 7-8):
Figure 7 Phishing sites - impersonating Polish bank 1/2

Figure 8 Phishing sites - impersonating Polish bank 2/2
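
One way a filter can counter the word-spelling tricks described in the SMS section above, as an added example that is not part of the CSIRT KNF report: normalize the text before keyword matching, then combine brand, urgency and link signals. The substitution table, keyword stems, the `bank.example` allowlist and the sample messages are constructed assumptions; the report does not list the exact spellings it observed.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Assumed lookalike substitutions; the report does not list the spellings it saw.
LOOKALIKES = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s",
    "\u0142": "l",                                      # Polish l with stroke
    "\u0430": "a", "\u0435": "e", "\u043e": "o",        # Cyrillic a, e, o
    "\u0440": "p", "\u0441": "c", "\u0456": "i",        # Cyrillic r, s, i
})
ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\u2060\ufeff]")
URL_RE = re.compile(r"https?://\S+", re.I)

OFFICIAL_DOMAINS = {"bank.example"}                      # hypothetical allowlist
BRANDS = ("bnp paribas", "santander", "alior")           # banks named in the report
URGENCY = ("expire", "update", "wygasa", "aktualizacj")  # assumed EN/PL stems

def normalize(text):
    """Fold compatibility forms, diacritics, zero-width chars and lookalikes."""
    text = ZERO_WIDTH.sub("", unicodedata.normalize("NFKD", text))
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return text.lower().translate(LOOKALIKES)

def squeeze(text):
    """Drop everything but a-z so 'B.N.P' and 'b n p' compare equal."""
    return re.sub(r"[^a-z]", "", text)

def is_official(url):
    """True only for an allowlisted host or one of its subdomains."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def assess_sms(message):
    urls = URL_RE.findall(message)
    body = URL_RE.sub(" ", message)          # keep URL digits out of the text
    clean = squeeze(normalize(body))         # heuristic: may join adjacent words
    brand = next((b for b in BRANDS if squeeze(b) in clean), None)
    untrusted = [u for u in urls if not is_official(u)]
    urgent = any(stem in clean for stem in URGENCY)
    return {
        "brand": brand,
        # Brand found only after normalization: the sender disguised it.
        "obfuscated": brand is not None and brand not in body.lower(),
        "untrusted_urls": untrusted,
        "suspicious": bool(brand and urgent and untrusted),
    }

SAMPLES = [  # constructed messages, not taken from the report
    "S4nt\u0430nder: your online b@nking access exp1res today. Upd4te your data: http://santander-login.example/pl",
    "B.N.P P\u200baribas: acc0unt upd\u0430te required https://bnp.bank.example.evil.example/a",
    "Alior Bank: your statement is ready. Log in at https://www.bank.example/login",
]
```

The `obfuscated` flag is a useful signal on its own: a brand name that only appears after normalization was written that way on purpose.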
EMAIL IMPERSONATION OF BANK
Criminals, impersonating BNP Paribas, sent emails claiming the need for a "system update to improve security." This was a lie. In reality, the link hidden under the "Authorize" button led to a phishing site that mimicked the BNP Paribas online banking login page. Through this method, the attackers aimed to steal online banking login credentials.
Example e-mail messages and phishing site (Fig. 9):
Figure 9 Email message and phishing site - impersonating BNP Paribas
PUBLIC TRANSPORT IN BIAŁYSTOK - MPK CARD FOR 10 PLN
Cybercriminals, by posting ads on Facebook, falsely advertised the opportunity to purchase a city card granting unlimited rides within Białystok for only 10 PLN (Fig. 10). In reality, the website linked in the ad was designed to phish for payment card details. Similar to the scenario described above, the criminals tried to withdraw funds from accounts using a "subscription model."

Figure 10 Fake Ad - city card for 10 PLN
If someone was tempted by the offer and clicked the link, they were directed to a page where they were asked to answer a few questions (Fig. 11).
Figure 11 Phishing site - city card for 10 PLN 1/2
Next, a form appeared requesting the entry of personal information and payment card details (Fig. 12).

Figure 12 Phishing site - city card for 10 PLN 2/2
DO YOU WANT THE PACKAGE? CLICK ON THE LINK!
Criminals impersonated courier companies, this time using the branding of InPost and DHL, claiming that the delivery address needed to be completed. They encouraged clicking a link leading to a phishing site to steal payment card information.
Fake SMS messages and phishing sites (Fig. 13-14):
Figure 13 SMS messages and phishing sites - impersonating InPost

Figure 14 SMS messages and phishing sites - impersonating DHL
Yet another month of this year has demonstrated that criminals are constantly refining their methods of operation. We consistently believe that conducting informational and educational activities is crucial.
That's why news about cyber threats and fraudulent trends is also published on our social media platforms: Twitter, LinkedIn and Facebook.