Overview of selected scams - May 2024

We present the report on identified threats and the methods of operation used by criminals in May 2024. This document highlights selected risks to customers of Polish banks. We encourage you to review the material. The document does not cover threats that have been known for many months and were described in an earlier report, such as the "classic scam", fake investment offers, fake Facebook login panels, fake shops and others. It is essential to remember, however, that these scenarios are still being used by criminals, and we must continually work against them.
IMPERSONATING POLISH BANKS
Criminals use the image of well-known institutions to increase the credibility of phishing campaigns, regularly impersonating Polish banks. They use this method to steal electronic banking authentication data, payment card information, and encourage the download of malicious applications. In May 2024, criminals continued to use this method, distributing phishing sites through social media ads and email messages.
FAKE FACEBOOK ADS AND EMAIL MESSAGES
Criminals impersonating Polish banks published ads on Facebook and sent email messages. Under the guise of a supposed opportunity to receive a prize and the need to confirm a phone number, they extracted electronic banking authentication data and payment card information.
Example Facebook Ads (Fig. 1-2):


Figure 1 Ads impersonating Polish Banks 1/2

Figure 2 Ad impersonating Polish Bank 2/2
Example of an email message impersonating Alior Bank (Fig. 3):

Figure 3 E-mail messages impersonating Polish Bank
Phishing sites (Fig. 4-6):

Figure 4 Phishing sites - impersonating ING

Figure 5 Phishing site - impersonating PKO


Figure 6 Phishing sites - impersonating Santander Bank Poland
FAKE APP PEOPAY CASHBACK
Criminals impersonating Bank Pekao published an ad on Facebook. Under the pretext of a potential refund for purchases, they encouraged users to click on a link that led to a phishing website. On this site, victims were prompted to install a fake app. Analysis showed that the malicious app was built using PWA/WebAPK technology. When opened, the app attempted to load a phishing website address in fullscreen mode, hiding the browser's address bar. This campaign most likely aimed to extract electronic banking authentication data.
Example Facebook Ads (Fig. 7):

Figure 7 Fake ad on the Facebook platform - impersonating Bank Pekao
Phishing site (fig. 8):

Figure 8 Phishing site - impersonating Bank Pekao
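As an added illustration of the PWA/WebAPK technique described above (this is example code, not part of the original report), the following check triages a suspected fake banking app's Web App Manifest for the traits the report mentions: a brand name in the app title, a start page on a host the brand does not use, and a fullscreen display mode. The manifest contents, the domain and the set of legitimate hosts are constructed or assumed inputs.

```python
import json
import re
from urllib.parse import urljoin, urlparse

# Constructed sample manifest modelled on the behaviour the report describes:
# a "cashback" PWA whose start page is a phishing site opened in fullscreen.
# The domain is a placeholder, not a real indicator.
SAMPLE_MANIFEST = """{
  "name": "PeoPay Cashback",
  "short_name": "PeoPay",
  "display": "fullscreen",
  "start_url": "https://bank-cashback.invalid/login",
  "icons": [{"src": "/icon.png", "sizes": "192x192", "type": "image/png"}]
}"""
SAMPLE_MANIFEST_URL = "https://bank-cashback.invalid/manifest.json"

# Brands the report names as impersonated (illustrative, not exhaustive).
IMPERSONATED_BRANDS = ("pekao", "peopay", "pko", "ing", "santander", "alior", "blik")


def triage_manifest(manifest_json, manifest_url, legit_hosts):
    """Return a list of findings for a Web App Manifest fetched from manifest_url.

    legit_hosts is an analyst-supplied set of hosts the real brand uses
    (assumed input; the report itself lists no domains)."""
    m = json.loads(manifest_json)
    findings = []
    manifest_host = urlparse(manifest_url).netloc
    # start_url may be relative; resolve it against the manifest's own location.
    start_host = urlparse(urljoin(manifest_url, m.get("start_url", "/"))).netloc
    # Match whole words so that "ing" does not match "banking".
    title = (m.get("name", "") + " " + m.get("short_name", "")).lower()
    words = set(re.findall(r"[a-z0-9]+", title))
    brand_hits = sorted(b for b in IMPERSONATED_BRANDS if b in words)
    if m.get("display") in ("fullscreen", "standalone"):
        findings.append("display=%s hides the browser address bar" % m["display"])
    if brand_hits and start_host not in legit_hosts:
        findings.append("title references %s but start_url host %s is not a known legitimate host"
                        % ("/".join(brand_hits), start_host))
    if start_host != manifest_host:
        findings.append("start_url host %s differs from manifest host %s" % (start_host, manifest_host))
    return findings


def is_suspicious(findings):
    """A brand/host mismatch is the decisive signal; fullscreen alone is only context."""
    return any("not a known legitimate host" in f for f in findings)


if __name__ == "__main__":
    # "www.pekao.com.pl" is assumed here as the brand's legitimate host.
    result = triage_manifest(SAMPLE_MANIFEST, SAMPLE_MANIFEST_URL, {"www.pekao.com.pl"})
    for line in result:
        print("-", line)
    print("suspicious:", is_suspicious(result))
```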
"VACATION REWARD" - IMPERSONATING BLIK
Cybercriminals impersonating the BLIK company claimed there was a chance to receive a reward. They used Facebook ads to distribute phishing sites. In reality, they were phishing for BLIK codes.
Example Facebook Ads (Fig. 9):

Figure 9 Fake ads - impersonating BLIK
Phishing sites (Fig. 10):


Figure 10 Phishing sites - impersonating BLIK
KFC COUPONS - IMPERSONATING EMPLOYEE
Cybercriminals, impersonating a KFC employee, informed about a supposed opportunity to receive coupons. They used social media ads and a deepfake video to distribute a phishing site. In the video, a purportedly fired KFC employee reveals secret discount codes for purchasing food. The video can be viewed at: https://x.com/CSIRT_KNF/status/1792488904014086552. In reality, the attackers set up a fake payment intermediary page and imitations of online banking pages of Polish banks.
Phishing sites (Fig. 11):



Figure 11 Phishing sites - impersonating KFC
LOST PACKAGES AND SUITCASES FOR SALE
Cybercriminals, by publishing ads on Facebook, informed about an alleged opportunity to purchase lost packages or abandoned luggage for 9 PLN. In reality, the website linked from the ad aimed to phish for payment card details. Subsequently, the criminals attempted to commit fraud using a "subscription model", charging the stolen card repeatedly.
Example Facebook Ads (Fig. 12-13):


Figure 12 Fake ads - sales for 9 PLN 1/2



Figure 13 Fake ads - sales for 9 PLN 2/2
Phishing sites (Fig. 14-15):


Figure 14 Phishing sites - sales for 9 PLN 1/2



Figure 15 Phishing sites - sales for 9 PLN 2/2
INCOMPLETE ADDRESS - POLISH POST IMPERSONATION
Cybercriminals, impersonating Polish Post, informed about the need to update a delivery address. They used iMessage (Apple's messaging feature) to distribute the messages. A similar phishing campaign using the Polish Post image occurred several times in 2023 and 2024.
Fake message (Fig. 16):

Figure 16 Fake iMessage - impersonating Polish Post
Phishing sites (Fig. 17):



Figure 17 Phishing sites - impersonating Polish Post
CONFIRM ADDRESS VIA LINK - INPOST IMPERSONATION
Criminals impersonated courier companies, this time using InPost’s image, informing about the need to complete the delivery address. They encouraged clicking a link leading to a phishing site to steal payment card information.
Fake SMS message (Fig. 18):

Figure 18 Fake SMS - impersonating InPost
Phishing site (Fig. 19):



Figure 19 Phishing sites - impersonating InPost
VOD PLATFORM IMPERSONATION
In May 2024, criminals used the image of popular video platforms to steal payment card data and streaming account login credentials.
Fake e-mail message (Fig. 20):

Figure 20 Fake email message - impersonating Netflix
Phishing site (Fig. 21):

Figure 21 Phishing site - impersonating Netflix
"MOM/DAD, I BROKE MY PHONE"
Criminals prepared a phishing campaign in which they impersonated a family member. They sent SMS messages, requesting to continue the conversation on WhatsApp. Then, through text conversations, they persuaded the victim to make a transfer to a bank account number they provided. These were bank accounts managed by the criminals.
SMS messages (Fig. 22):




Figure 22 SMS messages - impersonating a family member
Example of a WhatsApp conversation, available only in the Polish language version (Fig. 23):

Figure 23 Example of a conversation through WhatsApp
Yet another month of this year has demonstrated that criminals are constantly refining their methods of operation. We remain convinced that informational and educational activities are crucial.
That is why news about cyber threats and fraud trends is also published on our social media profiles: Twitter, LinkedIn and Facebook.