服务器安全防护_抗ddos是什么意思_免费试用
数据
国内DDoS防御_香港高防IP防护DDoS攻击-寒冰互联
寒冰云联
2022-06-29 10:40

Not only do the phishing pages mimic HMRC's web interface meticulously, but they also have entire online banking workflows built into them, depending on who your banking provider is.

Spam blocklist maintainers are constantly catching up and adding these malicious domains to their databases.

As observed by BleepingComputer, the smishing scam starts with a text message informing the recipient that they are eligible for a tax rebate as they had paid "emergency tax" this year.

If you have received similar suspicious messages, phone calls, or emails that claim to come from HMRC, you are encouraged to report these to HMRC.

You would think a user would know better not to click on a .com domain for accessing government services. However, some UK government services are offered via ".com" domains to the public.

At the time of writing, BleepingComputer has observed the following domains associated with this campaign, some of which are still active:

In tests by BleepingComputer, the workflow exited at this step, and the user was redirected to the real HMRC website.

Yet householdresponse.com is an entirely legitimate website used by the UK government to collect updates on household voter information from residents.

The smishing campaign is concerning as it employs multiple HMRC phishing domains and tactics, with new domains added every day as older ones get flagged by spam filters.

On the next step, the form shows a randomly picked refund amount value between £200 and £400 that the taxpayer is eligible to claim.

A "processing" interstitial page is shown validating some of the fields gathered thus far.

The list includes Barclays, Clydesdale, Halifax, NatWest, HSBC UK, Metro Bank, Nationwide, Citi, Lloyd's, TSB, Co-op, Royal Bank of Scotland (RBS), Santander, Tesco Bank, and Yorkshire Bank.

But this isn't your basic one-page phishing form. The extensive workflow employed by this campaign spans multiple steps and pages.

Despite the thoroughness of the threat actors behind this campaign, they didn't do a splendid job of securing the collected data—hardly their concern, which makes this campaign even more dangerous.

服务器安全防护_抗ddos是什么意思_免费试用

BleepingComputer has also come across variations of this smishing campaign employing scaremongering tactics, such as texting the user with:

An advanced HM Revenue and Customs (HMRC) tax rebate scam is targeting UK residents this week via text messages (SMS).

Update November 9, 2020: Added taxclaim-govuk.com domain to list.

These online banking lookalikes further collect user's banking credentials, memorable words, 2-factor codes, etc.

One phishing domain used by the campaign was observed leaking visitor logs with over 4,500 records. The domain leaking these logs is no longer accessible.

Additionally, you may also report instances of such scams to BleepingComputer using our online form.

It starts with a simple Tax Refund claim form asking for the user's name and postcode.

One such example is householdresponse.com, which mimics the GOV.UK color scheme and UI so well it once had me fooled if it was a phishing domain.

It is also interesting to note that these domains were registered quite recently.

The extensive nature of this campaign and thoroughly built online banking workflows indicate this is a well-planned smishing project designed by skilled threat actors.

However, in other tests where a real bank branch sort code was entered, and the test data provided would seem 'real' enough to a machine, we observed the redirection would lead to the online banking phishing pages hosted on the same phishing domain.

The phishing pages also have validations built into them, so entering invalid values for certain fields would throw errors. This error validation may further trick a user into believing the webpage is legitimate.

BleepingComputer tested the phishing pages with real Halifax and NatWest bank branch sort codes, which confirmed our suspicions.

The details collected by this campaign include but are not limited to the following, depending on which phishing domain you are on.

On analyzing the logs, BleepingComputer discovered, well over 1,000 unique IPs had accessed this phishing campaign.

For example, hmrc-online-verify.com has a November 4th, 2020 registration date, with the other domains having been registered on subsequent days.

On clicking "Start," the subsequent pages collect a considerable amount of information from the unsuspecting user.

The fun begins after some of this information has been submitted by the user.

On clicking the link in the message, the user is taken to what looks like a GOV.UK site.

BleepingComputer discovered, the campaign has entire sets of phishing sites mirrored from real websites of prominent UK high street banks to target their customers.

,WAF防御cc攻击,淘宝是如何防御ddos,哪个cdn可以防御cc,网站高防cdn,cc防火墙