Despite all the money major brands spend on logo design, people are terrible at remembering logos, and that makes it easier for scammers to trick them into clicking malicious links.
On average, a company sees 90 domains impersonating its business each month. These fake pages are set up by cybercriminals, and sometimes by state-sponsored threat actors, to conduct fraud.
The most common goal of an impersonating domain is to collect employees' or customers' credentials. The fake pages carry the brand's name and logo and a data-entry form for the victim to fill in. Typically, such domains are the landing pages for links in phishing emails or SMS messages that ask the victim to reset an expired password.
Recently, the email security company INKY detected and analyzed one such attack: a campaign impersonating the US-based telecommunications provider Verizon, seen in dozens of fake emails sent from various Gmail addresses. INKY's analysts noticed that the phishers had used mathematical symbols to reproduce the Verizon logo. The link hidden in each phishing email led to a credential-harvesting site.
Bukar Alibe, a cybersecurity analyst at INKY, told CyberNews that the attack was sophisticated in some ways.
“The phishers were clever by sending phishing emails from Gmail accounts because it allowed them to pass sender reputation checks. Hosting the fake Verizon site on a newly created domain creates a zero-day threat. It won't appear on threat intelligence feeds until it's discovered and reported. Lots of security vendors use computer vision to detect impersonation sites but the phishers stole elements from Verizon's real site and created a customized site with Microsoft elements so that makes it harder for computer vision to detect accurately,” he said.
However, Alibe thinks that, visually, the use of math symbols to impersonate Verizon made the emails look fake and suspicious, so it was probably counterproductive for the phishers.
Verizon's current logo uses a bright red, asymmetrical "V" after the word "Verizon"; the "V" element looks like a checkmark.
INKY found three fake logo variants in the wild. Each used a mathematical symbol for the red element. The three impersonations reproduced that element via:
All three variants masqueraded as voicemail notifications. Verizon does provide voicemail services, including notifications, so the pretext was plausible.
Clicking the button (black or red, depending on the variant), which prominently displayed the text "Play >" (the word plus a close-angle-bracket character), led to a site that looked like Verizon's but was a malicious impersonation. The phishers could easily copy individual HTML and CSS elements from Verizon's real site and assemble a custom page that included a correct version of the logo.
The phishers registered the fake site, sd9-08[.]click, through Namecheap barely a month ago, according to a WHOIS lookup. Namecheap has since taken it down, and DNS queries for the name now return NXDOMAIN, meaning it no longer resolves. Newly registered domains have no reputation history, so they pass most security-software checks, which lets the phishing emails slip past corporate defenses and into recipients' inboxes.
At the bottom of the fake page, targets were invited to "play, listen, or download" their voicemail using Office 365 credentials. Clicking the red "Authenticate with Office365" button opened a fake Microsoft login dialog.
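The two tells described above, a "Play >" button whose link leads somewhere other than the brand named in the email, and a destination domain registered only weeks earlier, are both cheap to check at the mail gateway. The script below is an added example written for this article, not INKY's tooling or code from the campaign. The email body and the WHOIS creation dates are constructed for the example (a real check would query WHOIS/RDAP), the 30-day threshold is an assumption, and the naive "last two labels" rule for the registered domain is a simplification that would need a public-suffix list in production.

```python
"""Flag links in a phishing email that (a) point away from the brand the email
claims to be from and (b) land on a domain registered only days ago."""
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body modelled on the voicemail lure; not INKY's real sample.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Verizon voicemail: you have 1 new message.</p>
<a href="https://sd9-08.click/vm/play" style="background:red">Play &gt;</a>
<p>Questions? Visit <a href="https://www.verizon.com/support">verizon.com</a></p>
</body></html>
"""

# Constructed WHOIS-style creation dates (assumption); a real check would call WHOIS/RDAP.
FAKE_WHOIS_CREATED = {
    "sd9-08.click": date(2022, 10, 20),
    "verizon.com": date(1995, 6, 27),
}

NEW_DOMAIN_DAYS = 30  # assumption: anything younger than 30 days is suspicious


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True, so "&gt;" arrives as ">"
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Naive registered-domain extraction: last two labels (simplification)."""
    return ".".join(host.lower().split(".")[-2:])


def domain_age_days(domain, today, whois=FAKE_WHOIS_CREATED):
    """Age in days from the (constructed) WHOIS creation date, or None if unknown."""
    created = whois.get(domain)
    return None if created is None else (today - created).days


def assess_links(html, brand_keywords, today, whois=FAKE_WHOIS_CREATED):
    """Return one finding per link with the reasons it looks like a lure."""
    parser = LinkExtractor()
    parser.feed(html)
    brand_in_mail = any(k in html.lower() for k in brand_keywords)
    findings = []
    for href, text in parser.links:
        dom = registered_domain(urlparse(href).hostname or "")
        reasons = []
        # Email invokes the brand, but the link lands on an unrelated domain.
        if brand_in_mail and not any(k in dom for k in brand_keywords):
            reasons.append("brand_mismatch")
        # Freshly registered domain: no reputation history for feeds to catch.
        age = domain_age_days(dom, today, whois)
        if age is not None and age < NEW_DOMAIN_DAYS:
            reasons.append(f"new_domain({age}d)")
        findings.append({"href": href, "text": text, "domain": dom, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in assess_links(SAMPLE_EMAIL_HTML, ["verizon"], date(2022, 11, 15)):
        print(f["domain"], f["text"], f["reasons"])
```

Run against the sample, the "Play >" link is flagged for both reasons while the genuine verizon.com link is clean. In a gateway, the age check would be gated on an actual WHOIS/RDAP response and the brand list would come from the tenant's configured protected brands.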
An INKY analyst entered fake credentials into the fake login to assess the site.
The first login attempt was answered with a message that the password was incorrect; the second produced a bogus error message.
However, the credentials were harvested on the backend both times. This pattern, the double ask, is fairly common. It is not entirely clear what the phishers gain from it, but they may want the victim to confirm that the first entry was typed correctly, or they may hope the victim will try a different account, yielding two sets of credentials for the price of one.
INKY reported this flurry of phish to Verizon's firstname.lastname@example.org address.
“Although this particular campaign is over, anyone receiving a similar email in the future can report it to that address with their name and account and phone numbers,” INKY claimed.