Spotting Xmas Phish

Case Study: “NatWest Bank” Phishing Scam

Ethar Alali
Bz Skits
Dec 21, 2016


Annual Fraud Indicator 2016: UK fraud cost the economy £193 billion in (image: silicon.co.uk)

As we end 2016, we find ourselves inundated with the same cyber and phishing attacks that started the year, but on a much grander scale. The Yahoo data breach, which opened up the details of 1 billion user accounts from 2013 (and possibly still-current accounts), cherry-topped the cybercrime year with what can only be described as a real low point for the company.

Yet, the vast majority of hacking incidents involve breaching the accounts of people and small businesses, sometimes in order to get hold of systems and funds to then conduct the larger hacks and compromise the integrity of much bigger targets. It’s all a game.

Example: Spotting the Scammers

This week, we had one attempt come through from a contact who asked us if it was genuine. Such emails have become ever more sophisticated and, indeed, look the part. We first noticed the improved look of phishing emails in the quality of PayPal scams 4 years ago. Now, they send emails purporting to be from banks and other genuine establishments.

Phishing scams are sent out through automated email systems in their millions. The aim is just to catch a fraction of users, and they try several tricks to get you to click and hand over your key financial details.

Below is the email we received from our contact. It purports to be from NatWest and didn’t get caught by their outlook.com spam/junk filter.

Email phishing scam

So it arrived in their legitimate inbox and even notified them on their Android phone app. It looks pretty legitimate, even down to an advert for “IBM Security” in the form of their Rapport software. From the email itself, it doesn’t appear that there are any giveaways. Indeed, NatWest’s own website references exactly these images.

The Spots, Key Tips

It’s an Image!

However, it’s an image! The whole email is an image! The contact received this on Outlook. Outlook normally blocks images, causing most messages to contain nothing but outlines, yet it failed to block this entire image in the email! So it showed up as an entire email, circumventing a number of safety features within several layers of protection (Junk/Spam and Image blocking are but two). Crafty!

Tip: Never click links or enable images in emails! Simply enabling an image lets spammers and scammers know you’ve looked at it and that the account is real. Your account typically then goes on a database of confirmed accounts and is sold on to other scammers and spammers.

Not the Contact’s Bank

This is the single thing that saved them! The problem is that NatWest in the UK is part of the largest banking group, which includes RBS, Ulster Bank and NatWest. It is the second biggest banking group in the UK, second only to HSBC Holdings. It’s obvious the scammers targeted statistically, since aiming at, say, Metro Bank or other challenger banks would have been too easy to spot and wouldn’t have given them the numbers to target.

Tip: Always check the sender address. Aside from the subject, it is often the largest item on the email view pane. Make sure it comes from the place it claims it does first. If it does come from your bank, it is still not conclusive, but is a way to quickly and easily filter out scams as a first line of defence.

No Recipient Email

This is common to almost all phishing scams. The “To” address is empty, contains an invalid email address or uses an email address that is not the recipient’s.

Tip: After the sender address, check your own recipient address, i.e. the “To” field on the email. Many scam emails are sent in bulk, so your email address won’t appear there.

Screengrab of the email header information showing the missing “To” information and a weird/invalid sender address

From Address not Consistent

The “from” address shown above the “Sent” field is associated with “accountusagestatistics.com” which is certainly not within NatWest’s domain. Indeed, the address, whilst registered, doesn’t go anywhere. There is no server attached to it that serves web traffic.

You may ask: is it owned by NatWest? Easy enough to check. Running a WHOIS search on this domain, computer says “No”.

Anonymity Layer 1: Cloud Services

I’ve highlighted the key aspects of the record here. Tucows, a legitimate hosting and registration service, was used to register the domain, and the name servers are running off “Microsoftonline.com” which, for the unfamiliar, is a genuine address. It is used to host a variety of Microsoft products including Office 365 and Dynamics 365, amongst others.

Cloud services are extremely useful for a number of reasons, but they can also be used as a way to hide scammer services, especially since many large cloud providers offer 12 months free. Crucially, this allows spammers to send phishing emails at immense scale if they’re willing to pay for it!

Now, the record looks like an original registration. The person who registered it is based here in the UK and, whilst we are protecting their anonymity for now, it is definitely not NatWest. It is entirely possible this person is not at all aware that their details have been used to register a domain name and that emails have been sent from that account. The email address on the registration record is not a UK email and is not apparently theirs.

This seems to be an increasing trend. People have found their names and addresses used to register domain names without their knowledge. The first they know of it is when something goes wrong: say, other services deactivated with no explanation bar breach of terms and conditions or, in some extreme cases, the police appearing on their doorstep and them facing arrest and criminal charges.

Tip: Never click links or use numbers sent in these emails. Don’t reply to them either. Dig out your internet banking addresses and phone numbers from statements, or your online banking site which you should find manually and give the bank a call yourself.

What’s In the Envelope

For the techies amongst us, I got the contact to send me a copy of the email for further examination. We are already happy this is a phishing scam. Now, to trace it back to where it was sent from. Looking at the email envelope, a number of elements spark our interest.

Source is Outlook.com
This confirms to me that Office 365 was used to create the email and that it was sent via Outlook.com. In case you are wondering, opening the email in another application confirms that the same source IP and domain names were used.

Nslookup
The key DNS record types associated with accountusagestatistics.com do not exist either. Neither do TXT and PTR records, which, interestingly, would normally have got it rejected as spam. However, Outlook.com itself, which actually relayed the message, works fine of course, so there was no rejection from that address.

accountusagestatistics.com not useful

Summary

Our 5 top tips to guard yourselves against this type of scam. These should all be used together, but if an email fails one, it’s a scam (and this works for spam too).

  1. Never click any links or open any attachments
  2. Always check the sender address.
  3. Check the recipient address is genuinely yours
  4. Never click links or use numbers sent in these emails.
  5. Don’t reply to them either.
  6. If in doubt, manually dig out your internet banking addresses and phone numbers from statements, or your online banking site and give the bank a call yourself.
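The header and body checks behind tips 2 and 3 and the “It’s an Image!” point, written up as an added Python example (not code from the original post) over a constructed message: the sender domain is the one named above, while the local part, recipient, link and body are placeholders.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample modelled on the scam in the post: the sender domain is
# the one named above; the local part, recipient, link and body are made up.
SAMPLE_EMAIL = """\
From: NatWest Online <alerts@accountusagestatistics.com>
To: undisclosed-recipients:;
Content-Type: text/html; charset="utf-8"

<html><body><a href="http://example.invalid/"><img src="cid:banner"></a></body></html>
"""

class _BodyInventory(HTMLParser):
    """Counts <img> tags and visible text characters in an HTML body."""
    def __init__(self):
        super().__init__()
        self.images = 0
        self.text_chars = 0
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images += 1
    def handle_data(self, data):
        self.text_chars += len(data.strip())

def sender_domain(msg):
    """Domain part of the From header, lower-cased ('' if unparsable)."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def triage(raw, my_address, bank_domains):
    """Return the red flags found; an empty list means nothing tripped."""
    msg = message_from_string(raw)
    flags = []
    # Tip 2: the sender must be the bank's own domain (or a subdomain of it).
    dom = sender_domain(msg)
    if not any(dom == d or dom.endswith("." + d) for d in bank_domains):
        flags.append(f"sender domain {dom!r} is not the bank's")
    # Tip 3: the To header must carry the recipient's own address.
    if parseaddr(msg.get("To", ""))[1].lower() != my_address.lower():
        flags.append("recipient address missing from To header")
    # "It's an image": an HTML body made only of images, with no text at all.
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            inv = _BodyInventory()
            inv.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            if inv.images and not inv.text_chars:
                flags.append("body is image-only with no text")
    return flags
```

Run against the sample, all three flags trip; a plain-text message from the bank’s own domain addressed to you returns an empty list.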

Banks are always on the lookout for scam emails, and many banks have dedicated phishing-reporting addresses. Simply forward the phishing email to them.

Banks need the help of the public to report phishing scams. They are always grateful and do attempt to take action, since they can’t see or control what customers (and non-customers, as we’ve seen) receive.

I’ve put together a list of the top banks’ phishing email addresses below. If you receive a suspicious or confirmed phishing email, follow the above tips then let them know by forwarding the email in question to the appropriate address. Stay safe!

Barclays internetsecurity@barclays.co.uk
The Cooperative Bank Ihaveseenascam@co-operativebank.co.uk
HBOS security@bankofscotland.co.uk
HSBC phishing@hsbc.com
Lloyds Bank emailscams@lloydsbanking.com
Metro Bank phishing@metrobank.plc.uk
NatWest phishing@natwest.com
RBS phishing@rbs.co.uk
Santander phishing@santander.co.uk
Sainsbury’s Bank business.services@sainsburysbank.co.uk
Tesco Bank phishing@tescobank.com
TSB emailscams@tsb.co.uk
Virgin Money report.phishing@virginmoney.co
Yorkshire Bank reportphishing-yb@ybonline.co.uk

Epilogue

We have contacted both the bank and the person in question to inform them of the use of their domain and offered them a chance to comment. We will update this article should that arise and they wish to exercise their right to reply.

This article is offered as free, general advice and comes with no warranty, explicit or otherwise. It does not constitute professional advice for the purposes of the law. Each individual case is different and we cannot be held responsible for anything that occurs as a result of following this advice or not.

Ethar writes about anything and everything IT. He’s a coder and geek at heart, with a bit of a hacker’s mind, and runs a systems engineering company when he’s not.
