Overview of selected scams - September 2024

 

We present the report on identified threats and the methods of operation by criminals for the month of September 2024. This document highlights selected risks to customers of Polish banks. We encourage you to review the material.

The document does not cover threats that have been known for many months and were described in an earlier report, such as the "classicscam", phishing schemes posing as streaming platforms, fake shops and others. It is essential to remember, however, that these scenarios are still being used by criminals, and we must continually work against them.

FALSE INVESTMENT SCHEMES

A well-known but still very popular fraud scenario is fake investments. This scam involves cybercriminals impersonating famous people or institutions to entice potential victims to invest money with promises of high returns, only to cause significant financial losses. In September 2024, CSIRT KNF analysts reported for blocking 345 fake profiles that posted fake investment ads (fig. 1).

 

Figure 1 Fake investment ads distributed on the Facebook platform

 

Fake ads were also published on the Instagram platform (fig. 2).

Figure 2 Fake invest ads distributed on the Instagram platform – deepfake

 

After clicking on the ad's link, the victim was directed to a website where the criminals attempted to steal their contact information (fig. 3).

 

Figure 3 Fake invest - a website designed to steal contact information 1/2

 

A similar situation occurred with ads published through Google. For example, a phishing scheme impersonating Orlen was presented (fig. 4).

Figure 4 Fake invest - a website designed to steal contact information 2/2

 

The image of well-known institutions is also exploited. In September 2024, we observed campaigns impersonating, among others, Bank Pekao (fig. 5), the National Bank of Poland (fig. 6), and the Polish Financial Supervision Authority (fig. 7).

Figure 5 Fake invest - impersonation of Bank Pekao

 

Figure 6 Fake invest - impersonation of NBP

 

Figure 7 Fake invest - impersonation of NBP and KNF

 

A recurring pattern is also the second stage of the discussed scam. In this phase, criminals publish information about a supposed opportunity to recover previously lost funds. In reality, this is yet another attempt to deceive individuals who had already fallen for the initial scheme (fig. 8).

 

Figure 8 Fake invest - the second stage of the scam

 

Criminal campaigns in Poland

In this section of the report, we present the identified criminal campaigns that directly impersonated organizations within the Polish financial sector and other organizations. Their aim was to steal personal information and banking product data.

 

 

IMPERSONATING POLISH BANKS
Criminals exploit the image of well-known institutions to increase the credibility of phishing campaigns, which is why they regularly impersonate Polish banks. In doing so, they fraudulently obtain information such as payment card details, online banking credentials, and BLIK codes. In September 2024, the preferred methods for distributing fake websites impersonating banks were SMS and email messages.

 

 

SMS IMPERSONATION OF BNP PARIBAS BANK

Criminals impersonated BNP Paribas Bank by sending SMS messages. They falsely claimed that access to online banking was expiring. They encouraged users to click on the link included in the message. In reality, it led to a phishing website designed to resemble a legitimate one, with the goal of stealing login credentials for online banking.

 

Example SMS messages (fig. 9):

 

Figure 9 SMS Message - Bank impersonation

Phishing site (fig. 10):

Figure 10 Phishing sites - impersonating Polish bank

 

 EXTRA 3% ON YOUR DEPOSIT: FRAUDULENT ADS ON THE FACEBOOK PLATFORM 

Criminals impersonating BNP Paribas and Bank Pekao published ads on the Facebook platform, claiming the possibility of receiving an additional 3% on deposits. In reality, the link led to a phishing site, where the attackers attempted to steal online banking login credentials.

 

Example fake ads (fig. 11):

Figure 11 Fake ads - impersonating Polish banks

 

 

CHARITY FUNDRAISER

Cybercriminals published ads on the Facebook platform, claiming to be fundraising for those affected by the flood (fig. 12).

Figure 12 Fake ad - charity fundraiser

 

If someone believed in the fundraiser and clicked on the link, they were directed to a website that misused the image of a legitimate foundation (fig. 13).

 

Figure 13 Fake sites - charity fundraiser 1/2

 

Next, a form appeared prompting the user to enter their payment card information (fig. 14).

Figure 14 Fake sites - charity fundraiser 2/2

 

DO YOU WANT THE PACKAGE? CLICK ON THE LINK!

Criminals impersonated courier companies, this time using the branding of InPost and DHL, claiming that the delivery address needed to be completed. They encouraged clicking a link leading to a phishing site to steal payment card information.

 

Fake SMS messages and phishing sites (fig. 15-16):

 

Figure 15 SMS messages and phishing sites - impersonating InPost

 

Figure 16 SMS messages and phishing sites - impersonating DHL

 

 

SENSATIONAL NEWS ON FACEBOOK

Cybercriminals posted fake content on Facebook, often featuring sensational news. When users clicked on these posts, they were directed to a webpage containing a false article. On this site, there was also a video that users were prompted to watch. However, to view the video, they were asked to "verify" their age by logging into their Facebook account. This allowed the criminals to gain control of the user’s account. Once in control, the attackers could post compromising content on behalf of the victim or send messages to their friends, attempting to scam them for money.

 

Fake posts on the Facebook platform (Fig. 17):

Figure 17 Fake posts on the Facebook platform

Phishing sites (fig. 18):

Figure 18 Phishing sites - fake posts on the Facebook platform

 

Yet another month of this year has demonstrated that criminals are constantly refining their methods of operation. We consistently believe that conducting informational and educational activities is crucial.



That's why news about cyber threats and fraud trends is also published on our social media platforms: Twitter, LinkedIn and Facebook.