“Vishing” you a Merry Christmas and a “Smishing” New Year!

Phishing is one of the most common online scams, and the holidays are no exception. The season is rife with phishing campaigns as threat actors blend in among the multitude of legitimate messages from popular brands.

Phishing scams are delivered through email, text messages (smishing, from SMS), phone calls (vishing), and social media, and they have become more sophisticated over the years, making them harder to detect and block. Phishing attackers use social engineering tactics that exploit seasonal consumer behavior, impersonating well-known brands to deceive customers. Every business operating online is a potential target, because these attacks go after employees or customers as a way to gain access to sensitive data or systems.

Email

A shocking amount of email traffic is spam, and a large share of that spam is purposely crafted to defraud recipients, compromise communications, or gain access to data, networks, or funds. Threat actors often request various types of personal information through phishing emails, including date of birth, social security number, login details, home address, phone numbers, credit card details, and passwords. The threat actor then uses this information to impersonate the victim, apply for credit cards or loans, open bank accounts, and commit other fraud. The same information also feeds more targeted and sophisticated attacks such as spear phishing and business email compromise (BEC).

The attack succeeds once the victim carries out the action the email requests. Requested actions can include opening an attachment, "updating" a password, enabling macros in a Word document, accepting a social media friend or contact request, connecting to a new Wi-Fi network, or clicking on a website link.

Below are some of the phishing emails DarkTower employees have received this season:

Mobile Phishing- Smishing

Signing up for text alerts is a convenient way to track package deliveries and confirm that items have arrived, but threat actors have taken advantage of that expectation to impersonate carriers and other entities and exploit consumers.

Smishing is when a threat actor uses SMS text messaging to impersonate a trusted entity in an attempt to steal personal information or install malware on a device. Typically, the end user is socially engineered into clicking a link in the text message, which either downloads malware onto the victim's device or leads to a fake login page that harvests credentials and other personal information.

Threat actors send these messages to randomly generated phone numbers, repeating the process until they get a hit. The lures include special offers, claims that a prize has been won, package delivery notices, energy support payments from the Government, and more.
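The lures above share a few observable traits: a link whose real domain is not the brand named in the message, a link shortener or bare IP address that hides the destination, and pressure words such as "claim" or "suspended". The following heuristic triage script is an added example, not DarkTower's tooling or anything from the original post; the brand-to-domain table, the shortener list, the keyword list, and the five sample messages are all constructed for illustration, and the registrable-domain logic is a deliberate approximation (last two labels) that a production tool would replace with the Public Suffix List.

```python
"""Heuristic triage of SMS text for smishing indicators (added example)."""
import re
from urllib.parse import urlparse

# Assumption: a short allowlist of each brand's legitimate registrable domain.
BRAND_DOMAINS = {
    "usps": {"usps.com"},
    "fedex": {"fedex.com"},
    "ups": {"ups.com"},
    "amazon": {"amazon.com"},
}

# Assumption: common link shorteners, which hide the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}

# Pressure words typical of prize, delivery and account lures.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "final notice",
                 "won", "prize", "claim", "verify", "confirm")

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def extract_hosts(text):
    """Return the lowercase hostname of every URL found in the message."""
    hosts = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:)!?")          # drop trailing sentence punctuation
        if not url.lower().startswith("http"):
            url = "http://" + url            # scheme-less "www." links
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.

    Fine for the .com/.net samples here; real tooling should use the
    Public Suffix List so that e.g. amazon.co.uk is handled correctly.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def mentioned_brands(text, hosts):
    """Brands named in the message body or embedded in any URL hostname."""
    lowered = text.lower()
    found = set()
    for brand in BRAND_DOMAINS:
        if re.search(r"\b" + re.escape(brand) + r"\b", lowered):
            found.add(brand)
        for host in hosts:
            if brand in re.split(r"[.-]", host):   # usps.com.evil.net, usps-track.net
                found.add(brand)
    return found


def triage(text):
    """Score one message; returns (score, reasons). Score >= 3 is suspicious."""
    score, reasons = 0, []
    hosts = extract_hosts(text)
    brands = mentioned_brands(text, hosts)

    for host in hosts:
        reg = registrable_domain(host)
        if IPV4_RE.match(host):
            score += 3
            reasons.append(f"ip_literal_host:{host}")
        elif reg in SHORTENERS:
            score += 2
            reasons.append(f"shortener:{reg}")
        for brand in brands:                 # brand named, but link goes elsewhere
            if reg not in BRAND_DOMAINS[brand]:
                score += 3
                reasons.append(f"brand_mismatch:{brand}->{reg}")

    hits = [w for w in URGENCY_WORDS if w in text.lower()]
    if hits:
        score += min(len(hits), 2)           # wording alone never trips the verdict
        reasons.append("urgency:" + ",".join(hits))
    return score, reasons


def is_suspicious(text):
    return triage(text)[0] >= 3


# Constructed sample messages (not real captures) for offline testing.
SAMPLES = [
    "USPS: Your package is on hold due to an incomplete address. Confirm "
    "within 24h: https://usps.com.redelivery-update.net/track",
    "Your Amazon order #112-3344 has shipped. Track it at "
    "https://www.amazon.com/gp/your-account/order-history",
    "Congratulations! You have won a $500 gift card. Claim now: "
    "https://tinyurl.com/example-xyz",
    "Reminder: your dental appointment is tomorrow at 9:30. Reply C to confirm.",
    "Energy support payment: you are eligible for £400. Apply at "
    "http://192.0.2.10/gov-support",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        score, reasons = triage(msg)
        print(f"{'SUSPICIOUS' if score >= 3 else 'ok'}\t{score}\t{reasons}")
```

The fourth sample shows why the urgency score is capped: a genuine appointment reminder also says "confirm", and on its own that should never be enough to flag a message. The first sample shows the most reliable signal, a brand named in the text whose link resolves to an unrelated registrable domain, which survives even when the attacker puts "usps.com" in a subdomain.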

Below are some of the smishes DarkTower employees have received this season:

Voice Phishing- Vishing 

The holiday season is a busy time where individuals are calling to reconnect with family and friends, ensure their packages are arriving on time, donating to their favorite charities, and more. It is also a busy time for vishers! 

Phishing that occurs over voice calls is known as vishing. Threat actors use social engineering tactics over the phone to deceive individuals into sharing sensitive personal information or even granting remote access to the victim's computer. They impersonate well-known entities such as credit unions, banks, government agencies, and tech support.

Vishing campaigns use a range of techniques to reach the victim and then manipulate them once on the phone, including robocalls, spoofed caller ID, voicemail drops, text messages with a number to call, fake software alerts displaying a "tech support" number to call, and live impersonation calls.

Social Media Phishing

Did the holidays even happen if we didn’t see it on Facebook?!

Social media has become part of everyday life, used to keep up with family and friends, follow the news, connect with the world, celebrate, fall in love, make purchases, and much more. Businesses use it to keep consumers informed about the latest products, events, and offers, and their employees use it for both work and personal activities. All of this makes these platforms attractive to threat actors, especially during the holiday season.

Phishing attacks over social media are executed for the purpose of collecting social media account login credentials, credit card information, and personal information that can be used to launch other scams and attacks. Social media is one of the fastest growing attack surfaces; threat actors exploit its ubiquity and develop niche tactics for each social media site. 

Threat actors create phishing sites that mimic social media login pages and capture credentials as they are entered. With those credentials, the threat actor has full access to the victim's account. The damage spreads further if the victim reuses the same credentials on other social media sites, bank accounts, and so on. Once inside the account, the threat actor can spy on the victim, take over the account and pose as the legitimate user, and solicit personal information from the victim's friends or followers.

Another scam conducted over social media is the romance scam. Many people are lonely during the holiday season, making it an ideal time for threat actors to target victims, build trust, and take advantage of their vulnerability. The threat actor manipulates the victim into sending money or coerces the victim into engaging in criminal activity. The social media profiles used by criminals often appear to belong to military officers, offshore oil rig workers, or doctors working with international healthcare charities, all occupations that make it seem plausible when the individual is unavailable to speak by phone or goes quiet for long periods. Romance scams are a complex topic that deserves its own blog post, so stay tuned for more from DarkTower on this topic in the coming weeks.


Examples of Fake Military Social Media profiles often used for Romance Scams