
A phishing scam disguised as a Citibank website was identified by MalwareHunterTeam earlier this week. The threat was swiftly removed from the Internet, with the domain disappearing within 24 hours of its discovery.
This scam was fairly convincing. It used an Internet domain name that could easily be associated with Citibank, plus a valid SSL certificate, and it even requested an MFA code from potential victims – all of which gave the page the appearance of legitimacy.
According to multiple professionals, this may be the first instance of a phishing scam triggering MFA codes and requesting them from victims.
Welcome to 2020. Phishing scams continue to become more intricate and will use increasingly convincing assets and procedures to lure victims into providing their personal information – and this is a trend that will continue.
While there are common ways to detect a phishing scam, they are becoming much less effective as attackers adopt techniques that lend scam sites a sense of trust.
Secure and trusted mean different things
We’ve largely been taught to associate the use of SSL certificates with a sense of trust when browsing the web. SSL certificates are used to secure information in transport between a browser and server – but do not guarantee trust.
An SSL certificate can be issued for any Internet domain, and the existence of one provides no guarantee that you’re communicating with a trusted source. It simply indicates that the transmission between your device and the server is encrypted.
One domain to rule them all?
Several recent phishing attacks, much like this one posing as Citibank (and others we’ve had first-hand experience with), use Internet domains that are convincing to their potential victims. They contain either the company’s name or words related to the service being offered, lending to their guise of legitimacy.
If it’s so easy to register a domain name, how can their use for malicious purposes be limited? While that isn’t an easy question to answer, there are likely simple ways for corporations to limit the risk to themselves and their customers. One possible solution is to begin using subdomains of a main corporate domain instead of creating entirely new domains (as anyone else can).
For instance, if Citibank were to take an approach like this, they could also inform their customers not to trust any websites that aren’t citi.com or subdomains like loans.citibank.com. Is this a foolproof solution? Absolutely not, as DNS-related attacks would still come into play, but at least migrating sites under their main corporate domain would help customers weed out scam websites with ease.
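As an added illustration (not code from the original post), here is how a browser extension, mail gateway or help-desk tool could enforce the rule the paragraph describes: trust only the corporate apex domain and its subdomains, and reject look-alikes. The trusted zones and every sample URL are constructed for this example, and the `.example` hosts are placeholders.

```python
# Added example: an allow-list check for "apex domain plus subdomains".
# Zones and sample URLs are constructed for illustration only.
from urllib.parse import urlsplit

TRUSTED_ZONES = ("citi.com", "citibank.com")  # assumed apex domains for this example


def normalize_host(host: str) -> str:
    """Lower-case, strip a trailing dot, and convert Unicode labels to
    punycode so a look-alike such as 'cití.com' cannot equal 'citi.com'."""
    host = host.strip().rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return ""  # unencodable names are rejected by the label check below


def is_trusted_host(host: str, zones=TRUSTED_ZONES) -> bool:
    """True only if host is exactly a trusted zone or a subdomain of one.
    Matching is done on whole labels, so 'citi.com.attacker.example' and
    'mycitibank.com' are both rejected even though they contain 'citi.com'."""
    host = normalize_host(host)
    labels = host.split(".")
    if not all(lab and lab.replace("-", "").isalnum() for lab in labels):
        return False
    for zone in zones:
        zone = normalize_host(zone)
        if host == zone or host.endswith("." + zone):
            return True
    return False


def is_trusted_url(url: str) -> bool:
    """Apply the host check to a full URL. HTTPS is required, but note that a
    certificate alone proves nothing about who runs the site (see above)."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    # urlsplit().hostname drops any 'user@' prefix, so 'citi.com@evil' is not fooled
    return is_trusted_host(parts.hostname)


if __name__ == "__main__":
    samples = [
        "https://www.citi.com/login", "https://loans.citibank.com/",
        "https://citi.com.attacker.example/", "https://mycitibank.com/",
        "https://citi.com@attacker.example/", "http://www.citi.com/",
        "https://cití.com/",
    ]
    for url in samples:
        print(f"{'TRUST ' if is_trusted_url(url) else 'REJECT'} {url}")
```

Only the first two sample URLs are accepted; the look-alike domain, the embedded-credential trick, plain HTTP and the accented domain are all rejected.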
No business, particularly with an established online presence, is immune to this sort of malicious activity. Are you concerned that your existing security measures may not be adequate? Download a free copy of our latest guide, 8 Ways to Prevent Your Business from Being Hacked, or give us a call today.