The season of Love and …Fraud
February marks the season of Valentine’s Day: merchants offer red roses and chocolates, and hearts in all colors, shapes and forms decorate stores and web pages globally.
Indeed, a festive season. But such occasions also seem to be an opportunity for cybercriminals, who insist on participating actively and spoiling the atmosphere for many online lovers out there.
Our 2023 Cyber Security Report noted that the proportion of email-delivered attacks increased during 2022, reaching a staggering record of 86% of all file-based in-the-wild attacks. Data shows increased use of various archive file formats, as threat actors attempt to conceal malicious payloads.
And indeed, since the beginning of February, our researchers have found approximately 1 in every 1000 emails relating to Valentine’s Day to be malicious or suspicious.
Not all Valentine’s Day webpages are filled with Love . . .
In January, a total of 12,441 new domains were registered containing the terms “Love” or “Valentine” in their name. This is a 54% increase compared to the average in the previous three months, significantly higher than the overall increase in new domains in this period, which stood at 36%.
The trend continued in February: in the first week alone, more than 2900 such new domains were registered. Of these recent new domains, approximately one in every 10 was found to be potentially risky, based on the suspicious content included or the slightly different URL inserted.
In the past month, webpages containing Love or Valentine (regardless of when they were created) that were actually accessed or received as links were twice as likely to be found malicious as the overall average.
Phishing for user’s information
Phishing is a type of cybersecurity attack during which malicious actors send messages pretending to be a trusted person or entity. Phishing messages manipulate a user, causing them to perform actions like installing a malicious file, clicking a malicious link, or divulging sensitive information such as access credentials. Phishing is the most common type of social engineering, which is a general term describing attempts to manipulate or trick computer users. Social engineering is an increasingly common threat vector used in almost all security incidents. Social engineering attacks, like phishing, are often combined with other threats, such as malware, code injection, and network attacks. While phishing content can be delivered in a variety of ways, emails are the most common medium.
“Free” can often cost you a lot
At the beginning of February we found a campaign sending emails titled “Your valentine’s day reward has arrived!” from multiple senders, with addresses such as [email protected] and a displayed sender name of ‘Ace Hardware Reward’ or ‘Home Depot’.
The email content showed an image of a gift card with a link to a website (wwwcjoint.com) registered in December 2022. Currently the domain is parked (does not contain any real content), but might have already been used on the day the emails were sent, most likely to collect user or payment information.
How to Recognize Phishing Emails
Phishers use a wide range of techniques to make their phishing emails look legitimate. Below are some of the most commonly used ones, several of which appear regularly in festive scams such as those around Valentine’s Day. Knowing them helps to identify these malicious emails.
For the Love of ….AI Phishing
With the rise of new AI tools like ChatGPT, AI is emerging as a useful and widespread tool for tricking people into giving away sensitive information or visiting malicious websites.
One of these ways is phishing scams, where chatbots can be programmed to send messages that appear to be from a trustworthy source, such as a romantic interest or an online retailer offering special deals. The message might contain a link that leads to a website on a fake domain, designed to steal personal information such as login credentials or credit card numbers.
Lookalike domains are designed to pass for a legitimate or trusted domain at a casual glance. For example, instead of the email address [email protected], a phishing email may use ‘[email protected]’ or ‘boss@compаny.com’. The first email substitutes rn for m and the second uses the Cyrillic ‘а’ instead of the Latin ‘a’. While these emails may look like the real thing, they belong to a completely different domain that may be under the attacker’s control.
Phishers may also use fake but plausible domains in their attacks. For example, an email claiming to be from Netflix may be from ‘[email protected]’ to highlight new romantic programs added during this season. While this email address may seem legitimate, it isn’t necessarily owned by or associated with Netflix.
Love Scams: Chatbots can be used to impersonate potential romantic partners, leading people to believe they are in an online relationship. The chatbot might ask for money or sensitive information, such as a social security number or home address, under false pretenses.
Greeting Card Scams: Chatbots can be programmed to send automated messages that appear to be from friends or family members, offering Valentine’s Day greetings or virtual cards. The message might contain a malicious link that installs malware or infects the recipient’s device.
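The lookalike and plausible-but-unrelated domains described above can be checked mechanically on the receiving side. The following is an added example, not code from the original article: the allow-list `TRUSTED`, the hand-picked confusables map and the sample addresses (such as `cornpany.com`) are constructed assumptions.

```python
import unicodedata

# Constructed allow-list: domains the organisation really sends from (assumption).
TRUSTED = {"company.com", "netflix.com"}

# Hand-picked confusables for this demo, not the full Unicode confusables table.
CONFUSABLES = {
    "rn": "m", "vv": "w", "0": "o", "1": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0251": "a",
}

def to_unicode(domain):
    """Decode punycode (xn--) labels so homoglyphs become visible."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not valid IDNA

def skeleton(domain):
    """Collapse confusable sequences to the character they imitate."""
    for fake, real in CONFUSABLES.items():
        domain = domain.replace(fake, real)
    return domain

def scripts(label):
    """Scripts used by the letters of one label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}

def classify(address):
    """Return (verdict, trusted_domain_or_None) for a sender address."""
    domain = to_unicode(address.rsplit("@", 1)[-1].strip().lower())
    for t in TRUSTED:
        if domain == t or domain.endswith("." + t):
            return ("trusted", t)
    skel = skeleton(domain)
    mixed = any(len(scripts(lbl)) > 1 for lbl in domain.split("."))
    for t in TRUSTED:  # same skeleton as a trusted domain, but not that domain
        if skel == skeleton(t) or skel.endswith("." + skeleton(t)):
            return ("lookalike-mixed-script" if mixed else "lookalike", t)
    for t in TRUSTED:  # brand name embedded in a domain the brand does not own
        if t.split(".")[0] in skel:
            return ("brand-in-unrelated-domain", t)
    return ("mixed-script" if mixed else "unknown", None)
```

A verdict other than `trusted` is a reason to quarantine or banner the message, not proof of malice; a production filter would use the full Unicode confusables data rather than this short map.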
Loving all things new – Unusual Attachments
A common goal of phishing emails is to trick the recipient into downloading and running attached malware on their computer. For this to work, the email needs to carry a file that can run executable code.
As a result, phishing emails may have unusual or suspicious attachments. For example, a supposed invoice for flowers purchased for your loved one may be a ZIP file, or an attached Microsoft Office document may require macros to be enabled to view its content. If this is the case, it is probable that the email and its attachments are malicious.
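A mail gateway or triage script can surface these attachment traits before a user ever opens the file. The following is an added example, not code from the original article: the extension lists are assumptions, and the sample message with its placeholder attachments is constructed inline.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso", ".gz")
SCRIPT_EXT = (".exe", ".scr", ".js", ".vbs", ".lnk", ".bat", ".hta")
MACRO_EXT = (".docm", ".xlsm", ".pptm")

def inspect_attachment(name, data):
    """Return the reasons an attachment deserves a closer look (empty = none)."""
    name, reasons = name.lower(), []
    if name.endswith(SCRIPT_EXT):
        reasons.append("executable or script file")
    if name.endswith(MACRO_EXT):
        reasons.append("macro-enabled Office extension")
    if name.endswith(ARCHIVE_EXT):
        reasons.append("archive attachment")
    if zipfile.is_zipfile(io.BytesIO(data)):  # ZIP archives and OOXML documents
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [m.lower() for m in zf.namelist()]
        if any(m.endswith("vbaproject.bin") for m in members):
            reasons.append("contains VBA macro project")
        if any(m.endswith(SCRIPT_EXT) for m in members):
            reasons.append("archive contains executable or script")
    return reasons

def scan_message(raw):
    """Map each attachment filename in a raw RFC 5322 message to its findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {(p.get_filename() or "unnamed"):
            inspect_attachment(p.get_filename() or "unnamed", p.get_payload(decode=True))
            for p in msg.iter_attachments()}

def _zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in members:
            zf.writestr(n, b"constructed placeholder")
    return buf.getvalue()

def sample_message():
    """Constructed message: flagged ZIP, .docx hiding a macro project, plain PDF."""
    m = EmailMessage()
    m.set_content("Please see the attached invoice.")
    m.add_attachment(_zip(["invoice.js"]), maintype="application", subtype="zip", filename="flowers_invoice.zip")
    m.add_attachment(_zip(["word/document.xml", "word/vbaProject.bin"]), maintype="application", subtype="octet-stream", filename="card.docx")
    m.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf", filename="menu.pdf")
    return m.as_bytes()
```

Note that `card.docx` is flagged from its contents even though its extension looks harmless, which is why the check opens the container instead of trusting the filename.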
The Language of ‘Love’ – Incorrect Grammar or Tone
Often, phishing emails are not written by people fluent in the language. This means that these emails can contain grammatical errors or otherwise sound wrong. Real emails from a legitimate organization are unlikely to have these mistakes, so they should be a warning sign of a potential phishing attack. However, with the emergence of new AI tools such as ChatGPT, cybercriminals are instead using such tools to craft malicious emails in near-perfect language, which makes being aware and vigilant all the more essential.
Another tell-tale sign to look out for is an email with the wrong tone or voice. Companies, colleagues, etc. talk and write in a certain way. If an email sounds too formal or too informal, stilted, or otherwise odd given its sender, then it might be a phishing email.
Phishing emails are designed to steal money, credentials, or other sensitive information. If an email makes a request or a demand that seems unusual or suspicious, then this might be evidence that it is part of a phishing attack.
What to Do if You Suspect a Phishing Attack
- Don’t Reply, Click Links, or Open Attachments: Never do what a phisher wants. If there is a suspicious link, attachment, or request for a reply don’t click, open, or send it.
- Delete the Suspicious Email: After reporting, delete the suspicious email from your Inbox. This lessens the chance that you’ll accidentally click on it without realizing it later.
How to Protect Against Phishing Emails
Phishing emails are one of the most common types of cyberattacks because they are effective and easy to perform. While awareness of common phishing tactics and knowledge of anti-phishing best practices are important, anti-phishing solutions can help to detect and block attempted phishing campaigns.
Check Point Harmony Email & Collaboration Suite Security provides complete protection for Microsoft 365, Google Workspace and all your collaboration and file-sharing apps.