Welcome to September’s review of phishing scams, in which we look at criminals’ latest tactics and provide examples of successful frauds.
This month, we review a pair of phishing campaigns centred on sex-related offences.
Criminal hacker breaks into iCloud accounts to find pictures of naked women
Last month, a Los Angeles man pleaded guilty to computer offences after breaking into people’s Apple iCloud accounts to steal private photos and videos of naked women.
The Los Angeles Times reported that Hao Kuo Chi accessed at least 306 accounts and more than 620,000 files by impersonating Apple customer support staff in emails.
Chi said that many of the accounts he hacked were at the request of people he met online, where he advertised his services using the moniker “icloudripper4you”.
His scam followed the pattern of other Apple-related phishing campaigns, in which fraudsters send emails mimicking Apple’s security team and ask recipients to follow a link and log in to secure their account.
The link leads to a mock-up of the iCloud login page, so when recipients enter their credentials they are handing them straight to the attacker.
In this way, Chi tricked victims into providing their Apple IDs and passwords, which let him sign in as them and download their data.
This is what Apple ID scams typically look like (source: HackRead)
What is different about Chi’s attack is that he targeted specific people at the request of paying customers.
As he knew each target’s name and email address, Chi was able to tailor his messages.
This meant he could address each recipient by name, rather than relying on a standard greeting such as “Dear customer”, which is often a giveaway of a scam.
Chi pleaded guilty to four felonies, including conspiracy to gain unauthorised access to a computer. He faces up to five years in prison for each of the crimes.
Test your employees’ ability to detect a scam
Our Simulated Phishing Attack service sends your employees a mock phishing email without the malicious payload.
This gives you the opportunity to monitor how your employees respond. Do they click a link? Do they recognise that it’s a scam and delete it? Do they contact a senior colleague to warn them?
Europol warns of sextortion scam
Europol is being impersonated in a phishing scam designed to extort payments from its targets.
The law enforcement agency has warned that scammers are impersonating its executive director, Catherine De Bolle, in a message that accuses the recipient of sex offences.
The email reads:
At the request of Ms. Catherine De Bolle, Commissioner General of the Federal Police, elected to the post of Director of Europol — Brigade for the Protection of Minors (BPM), we are sending you this invitation. […] We are initiating legal proceedings against you for child pornography, paedophilia, exhibitionism, cyber pornography and sex trafficking.
Recipients are instructed to reply within 72 hours. If they fail to comply, the scammers threaten that:
[W]e will be obliged to send our report to the deputy prosecutor at the high court in Créteil [a suburb of Paris] and a cybercrime specialist to establish an arrest warrant against you.
The objective of the scam is to get the victim to make a payment using PayPal, claiming this is the only thing that will clear their name and prevent their arrest.
The message is an example of what’s known as ‘sextortion’, in which an attacker claims to have footage of the victim watching or performing sexual acts and demands money not to release it.
While sextortion attacks typically come from an anonymous source, this attack is unusual in that it very clearly purports to be from Europol.
As improbable as this seems – Europol emails you to let you know that they’re charging you for a crime, giving you the opportunity to wipe any hard drives ostensibly containing the offending data – we’ve seen time and again that people can panic in the heat of the moment.
This is particularly true of sextortion scams, whether that’s because people have guilty consciences or they fear that an attacker could fabricate evidence.
Indeed, this particular phishing scam is proving successful. Europol first warned about it in April, and the fact that the attackers have resumed the campaign suggests that enough people are paying for it to remain worthwhile.
It again demonstrates that we are all vulnerable to scams, and if we are to protect ourselves, we mustn’t become complacent.
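Both campaigns above share indicators that a mail filter or an analyst can check mechanically: a display name claiming a brand whose sender and link domains do not belong to that brand, a generic greeting (absent from Chi’s tailored messages, which is exactly why they worked), a deadline, a payment demand and a legal threat. The script below is an added example written for this review, not code from either case or from Apple or Europol; the three messages are constructed samples, and the brand-domain lists, `under_domain` and `triage` are assumptions of this example rather than an inventory of either organisation’s real mail domains.

```python
"""Heuristic triage of phishing indicators (added example, not from the page)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed legitimate domains per impersonated brand. Illustrative only: a
# production filter would load a maintained list, not hard-code these.
BRAND_DOMAINS = {
    "apple": ("apple.com", "icloud.com"),
    "europol": ("europol.europa.eu",),
}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.I)
GENERIC_GREETING_RE = re.compile(r"^\s*dear\s+(customer|user|member|client)\b", re.I | re.M)
DEADLINE_RE = re.compile(r"\bwithin\s+\d+\s+(hours?|days?)\b", re.I)
PAYMENT_RE = re.compile(r"\b(paypal|gift\s*cards?|bitcoin|wire\s+transfer)\b", re.I)
LEGAL_THREAT_RE = re.compile(r"\b(arrest\s+warrant|legal\s+proceedings|prosecutor)\b", re.I)
CREDENTIAL_RE = re.compile(r"\b(log[\s-]*in|sign[\s-]*in|verify\s+your\s+(account|identity))\b", re.I)


def under_domain(host, domains):
    """True if host equals one of domains or is a subdomain of it (suffix match on a label boundary)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def claimed_brand(display_name, subject, body):
    """Which brand, if any, the message presents itself as coming from."""
    haystack = f"{display_name} {subject} {body[:400]}".lower()
    for brand in BRAND_DOMAINS:
        if brand in haystack:
            return brand
    return None


def triage(raw):
    """Return the claimed brand, the list of indicators found and a simple count as score.

    Handles single-part plain-text messages only (the samples below).
    """
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    body = msg.get_payload()
    findings = []

    brand = claimed_brand(display_name, subject, body)
    if brand:
        sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
        if not under_domain(sender_domain, BRAND_DOMAINS[brand]):
            findings.append(f"claims {brand} but sent from {sender_domain}")
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname
            if not under_domain(host, BRAND_DOMAINS[brand]):
                findings.append(f"claims {brand} but links to {host}")

    if GENERIC_GREETING_RE.search(body):
        findings.append("generic greeting")
    if DEADLINE_RE.search(body):
        findings.append("deadline pressure")
    if PAYMENT_RE.search(body):
        findings.append("payment demand")
    if LEGAL_THREAT_RE.search(body):
        findings.append("legal threat")
    if CREDENTIAL_RE.search(body) and URL_RE.search(body):
        findings.append("credential prompt with link")

    return {"brand": brand, "findings": findings, "score": len(findings)}


# Constructed samples modelled on the two campaigns above (not real messages).
APPLE_STYLE = """From: Apple Support <noreply@appleid-security.example.net>
Subject: Your Apple ID has been locked
Content-Type: text/plain

Dear customer,

We detected an unusual sign-in to your Apple ID. To secure your account,
log in within 24 hours at https://appleid.example.net/verify
or your iCloud access will be suspended.
"""

EUROPOL_STYLE = """From: Europol <director@europol-bpm.example.org>
Subject: Judicial summons
Content-Type: text/plain

Mr Smith,

At the request of the Director of Europol we are initiating legal proceedings
against you. Reply within 72 hours or a cybercrime specialist will establish
an arrest warrant against you. A PayPal payment will close the file.
"""

BENIGN = """From: Alice Example <alice@corp.example>
Subject: Lunch on Thursday
Content-Type: text/plain

Hi Bob,

Are you free on Thursday? The menu is at https://intranet.corp.example/menu
"""

if __name__ == "__main__":
    for name, sample in (("apple", APPLE_STYLE), ("europol", EUROPOL_STYLE), ("benign", BENIGN)):
        print(name, triage(sample))
```

Note that the Europol-style sample scores on sender domain, deadline, payment and legal threat but not on greeting: a personalised salutation, as in Chi’s messages, defeats the “Dear customer” check, which is why the domain checks matter more than the greeting. A real deployment would walk multipart messages, extract links from HTML parts and use a public-suffix list rather than the plain suffix match in `under_domain`.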
Can you spot a scam?
Make sure your staff know how to identify and avoid scams with our Phishing Staff Awareness Training Programme.
This 45-minute course uses examples like the ones above to explain how phishing works, what to look out for and the steps you should take to avoid falling victim.