Welcome to our November 2023 catches of the month feature, which examines recent phishing scams and the tactics criminals use to trick people into compromising their data.
This month, we look at a recent phishing attack on Booking.com, an NCSC warning about Black Friday scams, a Google Cloud report into how AI will drive phishing in the future, and a Europol and Eurojust takedown of a phishing gang.
You can find everything you might want to know about phishing on our website.
Booking.com confirms phishing attack
Booking.com has apparently confirmed what the information security press has known for some time: another phishing campaign has been targeting its users and trying to steal their credit card information.
According to JD Supra, Booking.com confirmed in a “limited statement” on 12 November that it was investigating the incident. However, although officially acknowledged details remain scant – as yet, there is no notice on Booking.com’s website – the campaign has garnered considerable press coverage over the past few weeks.
It started nearly two months before Booking.com’s statement, on 14 September, when Perception Point researchers reported that they’d observed a number of phishing campaigns targeting hotels and travel agencies.
The attacks began with emails sent to hotel employees, which manipulated them into clicking a malicious link that downloaded infostealer malware on to hotel systems. Once the victims had been infected, the attackers exfiltrated customer data.
On 22 September, BleepingComputer reported on the campaign’s next stage: the attackers used the compromised customer data to send personalised phishing emails “disguised as a legitimate request from the now-compromised hotel, booking service, or travel agency”.
These messages asked for “an additional credit card verification” and gave the recipients a limited time to respond. The URL provided pointed to a malicious site, designed to capture victims’ financial data.
One of the targets was the security researcher Graham Cluley, who blogged last month about being on the receiving end of a phishing message that was addressed to him personally and sent via the official Booking.com app.
The message told him that his forthcoming hotel booking had been cancelled and that he had 12 hours in which to follow a link to “booklng.com” (note the ‘l’ in place of the ‘i’) to re-enter his card details.
Recognising a scam, Cluley reported the issue to Booking.com, which sent him an email acknowledging “fraudulent behavior” and providing some boilerplate security advice.
If you receive a message ostensibly from Booking.com, urging you to provide your credit card details, don’t comply. Instead, contact Booking.com directly.
Black Friday means phishing attacks as well as bargains
The NCSC (National Cyber Security Centre) has warned shoppers to beware of phishing campaigns and online scams purporting to offer Black Friday bargains.
This is hardly a new concern – attacks increase significantly between mid-November and Christmas every year – but the increasing popularity of generative AI (artificial intelligence) makes the problem particularly acute this year.
Phishing emails created by people tend to have misspellings, grammatical errors and other telltale mistakes that reduce their credibility and enable recipients to spot phony content. However, generative AI eliminates these basic errors, making it easier for attackers – even those with limited resources – to create convincing emails.
The NCSC’s chief operating officer, Felicity Oswald, said:
“As we enter the Black Friday and festive shopping period, online shoppers will naturally be on the lookout for bargain buys.
“Regrettably, cyber criminals view this time of year as an opportunity to scam people out of their hard-earned cash, and the increased availability and capability of technology like large language models is making scams more convincing.
“I would urge shoppers to follow the steps in our online shopping guidance, which includes setting up two-step verification and using passwords with three random words, so they’re easier to remember and harder to hack.”
Google warns of increase in AI-enhanced phishing attacks
Meanwhile, a new report from Google Cloud supports the NCSC’s concern about AI-enhanced phishing attacks, forecasting a step change in how phishing campaigns are conducted, thanks to the growing popularity of generative AI and LLMs (large language models).
According to Google Cloud’s Cybersecurity Forecast 2024, as well as making it far more difficult for recipients to identify phishing emails and messages, generative AI and LLMs will allow attackers to easily execute campaigns at scale, targeting large sets of people with “very personal, tailored, convincing emails”.
“LLMs will allow an attacker to feed in legitimate content,” Google says, “and generate a modified version that looks, flows, and reads like the original, but suits the goals of the attacker.”
The NCSC and Google’s warnings should come as no surprise to anyone who has followed the rise of ChatGPT and other generative AI models in the past year or so.
Indeed, recent research from Deep Instinct (Generative AI and Cybersecurity: Bright Future of Business Battleground?) found that “75% of security professionals witnessed an increase in attacks over the past 12 months, with 85% attributing this rise to bad actors using generative AI”.
The more plausible phishing messages become and the better they are at evading both technological cyber security controls and the vigilance of well-trained employees, the greater the need for layered cyber defences: a defence-in-depth approach to cyber security ensures that even if an attack is successful, its impact is limited and the organisation’s recovery is timely and effective.
Europol and Eurojust take down phishing gang
Finally, some good news: an international operation between the Czech and Ukrainian police, with the support of Europol and Eurojust, has disrupted a phishing operation thought to have defrauded victims of tens of millions of euros across Europe – and beyond.
Six suspects were arrested in Ukraine and four in the Czech Republic in April, and mobile phones, SIM cards and computer equipment were seized.
According to Europol, the criminals carried out vishing (voice phishing) attacks from call centres in Ukraine, posing as bank employees to pressure victims into transferring money from their supposedly compromised bank accounts into ones the criminals controlled.
Can you spot a phishing scam?
All organisations are vulnerable to phishing, no matter their size or sector, so it’s essential to understand how you might be targeted and what you can do to prevent a breach.
You can help educate your staff with IT Governance’s Phishing Staff Awareness Training Programme.
This 45-minute course uses real-world examples like the ones we’ve discussed here to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.