Phishing - The Security Institute

PROTECT - INTELLIGENCE
Phishing
April 2016
1
Introduction:
The purpose of this document is to provide an analysis of the most prevalent trends and characteristics of phishing campaigns in the UK in March 2016. The
analysis is based on the information reported to Action Fraud via the Attempted Scams or Viruses (ASOV) Reporting Tool as well as on the data obtained
from the NFIB phishing inbox, which consists of phishing emails reported by members of the public.
Phishing is the attempt to acquire sensitive information (e.g. usernames, passwords and credit card details) or to steal money by masquerading as a
trustworthy entity in an electronic communication such as an email, pop-up message, phone call or text message. Cybercriminals often use social engineering
techniques to trick the recipient into handing over personal information, transferring money or even downloading malicious software onto their device.
Although some phishing scams are poorly designed and clearly fake, more determined criminals employ various techniques to make them appear
genuine. These techniques can include:
- Identifying the most effective phishing ‘hooks’ to use in the message to get the highest click-through rate.
- Including genuine logos and other identifying information of legitimate organisations in the message.
- Providing a mixture of legitimate and malicious hyperlinks in the message – e.g. including authentic links to the privacy policy and terms of
service of a genuine organisation. These authentic links are mixed in with links to a fake phishing website in order to make the spoof site
appear more realistic.
- Spoofing the URL links of genuine websites – the most common tricks are the use of subdomains and misspelled URLs, as well as hiding a malicious
URL under what appears to be a link to a genuine website (the real destination can be revealed by hovering the mouse over the link). More sophisticated
techniques rely on homograph spoofing, which uses different logical characters to build a URL that reads exactly like a trusted domain. Some
phishing scams use JavaScript to place a picture of a legitimate URL over the browser’s address bar, and the URL revealed by hovering over an embedded
link can also be changed using JavaScript.[1]
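The URL tricks listed above lend themselves to automated screening of links in reported emails. The following is an added example, not code from the report or from Action Fraud: a small Python link inspector that flags the four patterns the list names (a brand name buried in a subdomain of an unrelated domain, misspelled look-alike domains, homograph or punycode host names built from mixed scripts, and visible link text that names a different domain than the real href). The trusted-domain allow-list, the two-label suffix set and the sample HTML are constructed for illustration only; a real deployment would load the organisation's own allow-list and the Public Suffix List. The JavaScript address-bar overlay mentioned in the text cannot be detected this way, since it requires rendering the page.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list of domains treated as genuine (an assumption for this
# example; a real deployment would load the organisation's own list).
TRUSTED_DOMAINS = {"barclays.co.uk", "natwest.com", "santander.co.uk", "hmrc.gov.uk", "paypal.com"}
BRAND_LABELS = {d.split(".")[0] for d in TRUSTED_DOMAINS}   # barclays, natwest, ...
# Suffixes that take two labels; a production version would use the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "gov.uk", "org.uk", "ac.uk", "com.br"}

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE_RE = re.compile(r"^\s*(?:https?://)?([^\s/]+\.[^\s/.]{2,})", re.I)


def registrable_domain(host):
    """'www.barclays.co.uk' -> 'barclays.co.uk'; 'a.b.example' -> 'b.example'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance, used to catch misspelled look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def scripts_in(label):
    """Set of Unicode script names (LATIN, CYRILLIC, ...) used by the letters of a label."""
    return {unicodedata.name(ch, "?").split()[0] for ch in label if ch.isalpha()}


def inspect_link(href, text=""):
    """Return human-readable findings for one hyperlink; an empty list means nothing suspicious."""
    findings = []
    host = urlsplit(href).hostname or ""
    if not host:
        return ["href has no host name"]
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return findings

    # 1. Brand name placed in a subdomain of an unrelated registrable domain.
    leading = host.lower().split(".")[: -len(reg.split("."))]
    for brand in BRAND_LABELS & set(leading):
        findings.append(f"brand '{brand}' appears as a subdomain of unrelated domain {reg}")

    # 2. Misspelled look-alike of a trusted domain (edit distance 1 or 2).
    sld = reg.split(".")[0]
    for brand in BRAND_LABELS:
        if sld != brand and levenshtein(sld, brand) <= 2:
            findings.append(f"registrable domain {reg} is a look-alike of '{brand}'")

    # 3. Homograph / IDN tricks: punycode labels or letters from more than one script.
    for label in host.split("."):
        if label.lower().startswith("xn--"):
            findings.append(f"punycode (IDN) label '{label}' in host {host}")
        elif len(scripts_in(label)) > 1:
            findings.append(f"mixed scripts in label '{label}' of host {host}")

    # 4. Visible link text names a different domain than the real target.
    m = URL_LIKE_RE.match(text)
    if m and registrable_domain(m.group(1)) != reg:
        findings.append(f"display text points to {registrable_domain(m.group(1))} but href goes to {reg}")
    return findings


def scan_html(html):
    """Return [(href, findings)] for every anchor in the HTML that raised at least one finding."""
    results = []
    for href, text in ANCHOR_RE.findall(html):
        findings = inspect_link(href, re.sub(r"<[^>]+>", "", text))
        if findings:
            results.append((href, findings))
    return results


# Constructed sample message body (not a real phishing email); the third link
# uses Cyrillic 's' (U+0455) in place of Latin 's'.
SAMPLE_HTML = """
<p>Dear customer,</p>
<a href="http://barclays.co.uk.secure-login-check.example/verify">https://www.barclays.co.uk/</a>
<a href="http://natwset.com/login">NatWest Online Banking</a>
<a href="http://\u0455antander.co.uk/">Santander</a>
<a href="https://www.barclays.co.uk/help">https://www.barclays.co.uk/help</a>
"""

if __name__ == "__main__":
    for href, findings in scan_html(SAMPLE_HTML):
        print(href)
        for finding in findings:
            print("   -", finding)
```

These are triage heuristics rather than verdicts: legitimate internationalised domain names will trip the mixed-script check, and a short brand label can sit within edit distance 2 of an unrelated word, so the output is best used to prioritise a queue of user-reported messages rather than to block automatically.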
WARNING: THIS DOCUMENT MAY CONTAIN LINKS TO MALICIOUS WEBSITES OR EMAIL ADDRESSES, DO NOT CLICK ON
ANY HYPERLINKS CONTAINED IN THIS DOCUMENT.
[1] http://searchsecurity.techtarget.com/definition/phishing
1. Action Fraud: Attempted Scams or Viruses (ASOV) Reporting Tool
The ASOV reporting tool, which is operated by Action Fraud, allows members of the public to report instances of phishing where someone has been
approached with a scam message (via email, text or phone) but has not suffered a financial loss as a result of it and has not exposed their personal details
to a scammer. The analysis in this section is based on the data received by Action Fraud in the month of April 2016.
1.1 Volume of Phishing Reports Received
April 2016 saw the highest ever level of ASOV reporting with a total of 16,451 phishing reports submitted. This is on average 548 reports made per day,
which is a 136% increase compared to April 2015 and a 73% increase compared to March 2016.
[Figure: bar chart, "Average Number of Phishing Reports Received per Day: Apr 2015 - Apr 2016". X axis: months Apr-15 to Apr-16; Y axis: reports per day (0 to 600). Bar labels as extracted from the chart, not in month order: 548, 468, 382, 315, 299, 232, 270, 255, 205, 210, 181, 317, 270. The Apr-16 bar is 548; the percentage changes quoted in the text imply roughly 317 for Mar-16 and 232 for Apr-15.]
1.2 Communication Channels for Phishing
In April 2016, the most common communication channel used for phishing distribution continued to be email (78.4%), followed by landline phone
calls (10.4%) and text messages (6.3%).
Communication channel (share of ASOV phishing reports, April 2016):
Email 78.4%
Landline Phone Call 10.4%
Text Message 6.3%
Mobile Phone Call 1.5%
Other 1.3%
Post 1.1%
Social Media 0.8%
Popup 0.3%
Instant Messaging 0.09%
Fax 0.02%
1.3 Types of Phishing Request
As in previous months, a request to click on a malicious hyperlink contained in the message was stated in over one third of all ASOV phishing
reports. The second most common type of request was to transfer money (16%), which is an increase compared to March (9%) and February (8%).
Requests to provide personal information or to reply to an email appeared in 11% of reported cases each, which is 3 to 4 percentage points lower than in
the previous months. There has also been a drop in the number of requests for ‘would-be’ victims to provide banking details, from an average of 11% in the
past months to 9% in April 2016.
Type of request (share of ASOV phishing reports, April 2016):
Click weblink 38%
Transfer money 16%
Provide personal information 11%
Reply to the message 11%
Provide banking details 9%
Other 7%
Open attachment 6%
Make contact 2%
1.4 Phishing ‘Hooks’
A phishing ‘hook’ is the social engineering pretext used to masquerade as a trustworthy entity in a communication in order to trick the potential victim
into following an instruction or request contained in the message for malicious reasons. Throughout April 2016, the most prevalent phishing ‘hooks’ identified in
the reported data continued to fall within the ‘Other hooks’ category, followed by ‘hooks’ which referred to HM Revenue and Customs (HMRC) and retail banks.
The phishing hooks impersonating banks most commonly referred to Barclays, NatWest and Santander.
[Figure: bar chart, "Phishing Hooks: April 2016". Y axis: number of reports (0 to 10000). Categories: Other, HMRC, Bank, Social Media, Facebook, IT Company, Paypal, Mobile, Government Agency, Lottery, Job Offers, Charity, Amazon, Medical, Ebay, DWP, Student Loan Company. Bar labels as extracted: 8078 (Other), 2866 (HMRC), 1714 (Bank), 803, 688, 549, 526, 369, 202, 186, 141, 77, 65, 64, 59, 35, 29; the order of the remaining categories is not recoverable from the extracted text.]
[Figure: bar chart, "Top 10 'Banking Hooks': April 2016". Y axis: number of reports (0 to 350). Banks: Barclays, NatWest, Santander, Lloyds TSB, HSBC, Royal Bank of Scotland, Nationwide, Tesco Bank, Halifax, Capital 1. Bar labels as extracted: 289 (Barclays), 205 (NatWest), 188 (Santander), 90, 47, 39, 25, 18, 10, 8; the text above names Barclays, NatWest and Santander as the three most common, and the order of the remaining banks is not recoverable.]
The analysis of the ‘Other phishing hooks’ shows that, as in the previous months, the most reported individual hook was TalkTalk, followed by Apple/iTunes
and BT.[2] The highest number of reports in this category was associated with a collection of hooks which impersonated various debt collection firms.
[Figure: bar chart, "Top 10 'Other Hooks': April 2016". Y axis: number of reports (0 to 500). Hooks: Debt collection firms, TalkTalk, Apple/iTunes, BT, Telephone Preference Service, Microsoft, Marks and Spencer, Morrisons, DHL, Virgin Media. Bar labels as extracted: 434 (Debt collection firms), 355 (TalkTalk), 196 (Apple/iTunes), 154 (BT), 119, 87, 68, 58, 48, 43; the four largest follow the order given in the text, and the order of the remaining hooks is not recoverable.]
[2] It should be noted that the level of analysis of the ‘Other phishing hooks’ is limited because this category is captured in free text fields within the ASOV reporting tool. Although
the best possible effort has been made to calculate and identify the trends in this category, the figures presented for it may be understated.
2. NFIB Phishing Inbox
The findings presented below are based on the analysis of nearly 24,000 phishing emails reported to the NFIB phishing inbox during the period of 1st to 30th
April 2016.[3]
2.1 Subject Headings of Phishing Campaigns – Top 15
The table below lists the Top 15 most prevalent subject headings which appeared, in exactly the same form, in the phishing emails forwarded to the
NFIB phishing inbox by members of the public during April 2016. The analysis shows that the most popular phishing campaigns in circulation referred to
claims for money due to the recipient, with the top scam being HMRC tax return claims, and to loyalty rewards available to customers of retailers such as
Morrisons and Aldi.
A new type of phishing campaign entitled ‘University Grant Information’ was identified in the Top 15 dataset. It specifically targeted students
from at least four different universities in the UK by informing them that they had been awarded a grant by the Department for Education. The campaign
was designed to obtain students’ personal details, including online banking credentials, National Insurance number (NIN), driving licence number and mother’s maiden name.
Rank  Message Title                                              Number of emails reported
1     Self Assessment Tax Return                                 108
2     Your Morrisons giftcard                                    106
3     You Have Been Chosen                                       81
4     SANTANDER ALERTS SERVICE UPDATE                            58
5     University Grant Information                               57
6     Open your M&S Complimentary Prizes                         47
7     UN Office Of International Oversight Services              46
8     We here at ARGOS have an important message for you!        45
9     Click for your M&S Complimentary Prizes                    38
10    Your reservation # BH0-0089-UK                             37
11    We need your confirmation for this ALDI surprise treat     37
12    Aldi Rewards Giveaway                                      34
13    your package order # BHX-74647-UK dispatched               33
14    FROM THE FEDERAL BUREAU OF INVESTIGATION (FBI).            32
15    Your Aldi reward is ready for pickup                       31
[3] Once the reporting person submits their online ASOV form to Action Fraud, they are directed to forward the phishing email to the dedicated phishing inbox of HMRC, DWP, any of the major banks,
PayPal, eBay, Amazon, Facebook or the Student Loans Company if the scam message purports to originate from one of these organisations, or to the NFIB phishing inbox in all other cases.
2.2. Email Addresses of Phishing Scammers – Top 15
The table below lists the Top 15 most prevalent email addresses used to send phishing emails to members of the public. Email spoofing
to impersonate well known companies continued to be the method of choice in phishing campaigns circulated in April 2016. It has been an ongoing trend
that the email addresses of companies such as PayPal, Barclays and NatWest are the most prone to forgery.
Rank  Email address (addresses are obscured as shown in the source)                                   Number of emails reported  Phishing campaign theme
1     *[email protected]*                                                                                120                        Various scams
2     *[email protected]*; *[email protected]*; *[email protected]* and other variations                   57                         University Grant Information scam
3     *[email protected]*                                                                                18                         Compensation payment scam
4     *[email protected]*                                                                                18                         Various scams
5     *[email protected]*                                                                                17                         Compensation payment scam
6     *[email protected]*                                                                                17                         Service scheduled for disconnection scam
7     *[email protected]*                                                                                16                         Barclays online banking suspension scam
8     *[email protected]*                                                                                16                         Credit card application scam
9     *[email protected]*                                                                                15                         PayPal account suspension scam
10    *[email protected]*                                                                                15                         Inheritance payout scam
11    *[email protected]*                                                                                15                         Santander account summary scam
12    *[email protected]*                                                                                13                         NatWest online banking suspension scam
13    *[email protected]*                                                                                13                         PayPal account overview scam
14    *[email protected]*                                                                                12                         Fake invoice scam
15    *[email protected]*                                                                                12                         Tax return notification
2.3 Malicious URLs Contained in Phishing Emails – Top 15
The table below lists the Top 15 most prevalent URLs which appeared, in exactly the same form, in the phishing emails forwarded to the NFIB
phishing inbox by members of the public during April 2016. Of the Top 15, seven URLs were identified as malicious vectors in phishing scams
purporting to be from banks, with Santander and NatWest being the most popular hooks. The recipients were asked to click on them in order to reactivate,
verify or check their banking services.
At least two URLs were used in the ‘University Grant Information’ scam; clicking them redirected the students to a webpage containing a
form to fill out with their personal and bank account details.
Rank  Malicious URL                                                        Number of emails reported  Phishing campaign theme
1     ht*p://googlsar.com/loo                                              20                         Apple invoice scam
2     ht*p://sciencebasedhealth.com/images/MySubscriptions.php             20                         Santander account summary scam
3     ht*p://latosensuac.com.br/UPtarefas/index.php                        17                         NatWest closed account scam
4     ht*p://erdelyikopo.com/com_inc/stopeign                              16                         University Grant Application scam
5     ht*p://googlosar.com/goo                                             13                         Fake Apple/iTunes invoice scam
6     ht*p://isasutweb.com/wp-content/com_inc/poltre                       12                         University Grant Information scam
7     ht*p://presentedosanjos.com.br/kj.htm                                11                         Santander online banking scam
8     ht*p://imbecile.me/mp.htm                                            11                         NatWest online banking scam
9     ht*p://livin.hk/MBT-sko-salg/index/www/clarinet1.htm;                11                         HMRC tax refund scam
      ht*p://livin.hk/MBT-sko-salg/index/www/clarinet4.htm;
      ht*p://livin.hk/MBT-sko-salg/index/www/clarinet5.htm
10    ht*p://ow.ly/4n5oeL                                                  10                         DHL parcel delivery scam
11    ht*p://alcanfor.cl/hav.htm                                           10                         Barclays online banking scam
12    ht*p://bit.ly/1UEZWUH                                                10                         Utility Warehouse service disconnection scam
13    ht*p://poonjiaji.com//wp-includes/js/ID.php                          9                          DHL parcel delivery scam
14    ht*p://ranbiz.com/wp-content/themes/twentyfifteen/inc/index.php      9                          Santander online banking scam
15    ht*p://www.tien-chang.com/mz.htm                                     9                          Santander online banking scam
Notes & Guidance
This report may be circulated in accordance with the protective security marking shown below and caveats included within the report. The information contained in this
report is supplied by the City of London Police in confidence and may not be shared other than with the agreed readership/handling code without prior reference to the
City of London Police. Onward disclosure without prior authority may be unlawful, for example, under the Data Protection Act 1998.
The cover sheets must not be detached from the report to which they refer.
Protective Marking: PROTECT
FOIA Exemption: No
Suitable for Publication Scheme: No
Version: Cyber Crime Phishing_V1.0
Storage File Location: G:\OPERATIONAL\Fraud_Intel\CYBER_PROTECT_TEAM\Phishing_Analysis
Purpose: To inform strategy
Owner: ECD
Author: Analyst -103804
Review By: Senior Analyst
Practical Guidance for PROTECT documents
This document is classified PROTECT. In government and law enforcement this determines the security measures that are required to protect it. This means:
- Only permit members of your staff who have a genuine ‘Need to Know’ to see the contents of the document;
- Do not copy the document or any of its pages without written approval of the City of London Police Head of Research and Analysis;
- Do not pass on the document, or disclose any information contained in it, to any third party (outside of your business) without written approval of the City of
London Police Head of Research and Analysis;
- Do not read or work on this document in public areas;
- Lock the document in a secure cabinet when it is not being used;
- Only dispose of this product by shredding, pulping or incineration.