Since this April, Cofense Intelligence™ has observed a sustained increase in the financially motivated targeting of UK-based users with phishing lures imitating HMRC, Lloyds Bank, and HSBC. The most common final payloads delivered by these campaigns are designed to compromise victims’ financial accounts and provide illicit access to financial information. This surge in targeting almost certainly represents a stage in the “whack-a-mole” strategy long employed by threat actors: expand campaigns against a segment of the vast vulnerable attack surface until those users catch on to the threat, then move to the next target.
Trickbot, Pony, and Loki Bot comprised the majority of final payloads delivered in the distinct campaigns analysed. While the appearance of authenticity of the phishing emails differs among the campaigns, indicating that different groups of threat actor, these types of malware are almost certainly leveraged for similar objectives — to provide threat actors with financial information and access to accounts to facilitate theft.
Aaron Higbee, CTO and cofounder at Cofense comments:
“Financially themed phishing scams give threat actors a number advantages when it comes to compromising security. Internet users pay attention because banks and tax authorities play an official role in our day-to-day lives and their services often incur costs. What’s more, the type of information these institutions need can be sensitive, from username and passwords to information regarding an account, it feels much more acceptable for a financial institution to be requesting such information than another type of company. By adding additional, local relevance – for example the UK tax authority and two of the most prominent banks in the country – malicious emails can easily be mistaken for legitimate correspondence. In these cases, threat actors are using social engineering within phishing attacks to still target a very large number of potential victims.
“With many of the phishing campaigns targeting corporate accounts, businesses need to equip their employees to be as resilient as possible to this type of attack. Encouraging employees to report suspicious emails, to think twice about if an email is unsolicited and be extra cautious where financial details are concerned, is the first step to reducing susceptibility and building resiliency. What’s more, by reporting emails, the IT team is also quickly able to gather threat intelligence and begin the response process. As multiple threat actors continue to use similar techniques to deliver a multitude of malware variations, no technology can guarantee prevention. However, by making employees as security savvy as possible, companies have a constantly improving threat detector within their cybersecurity infrastructure.”