When criminals hijack your brand for phishing

IBRS
By James Turner, Advisor, IBRS
Thursday, 08 December, 2016


When criminals hijack your brand for phishing

While there is a limit to what organisations can do when criminals misappropriate corporate brands to run phishing campaigns against customers, this does not absolve those organisations of all responsibility. Crime on the internet continues to be an entirely foreseeable risk, so organisations should review their customer engagement processes to ensure they are not training their customers to be easy targets for criminals.

Australia Post, Telstra, AGL, State Revenue Office, banks and many other Australian organisations have had their relationships with their customers abused by criminals in recent years. Naturally, the criminals use high-profile brands to lure their victims. It works like this:

  • The criminals craft a phishing email that usually includes the logo and corporate colours of the organisation they are misrepresenting themselves as;
  • They use a global network of compromised servers as the mail server to send out the phishing emails (email addresses are usually harvested from big breaches, eg, LinkedIn, Dropbox, Yahoo, EBay, Ashley Madison);
  • The phishing email then asks the victim to click on a web link. The link is usually to organise for collection of a parcel, verify bank details, verify a credit card purchase and so on;
  • The link takes the victim to a website that uploads ransomware to his or her computer and encrypts the data so that the victim can be blackmailed to get it back; OR, The website pretends to be the organisation’s website and asks for verifying credentials, such as personal details, credit card details or login credentials to the actual site (this may then be used by the criminals to execute transactions with the victim’s credentials).

Depending on the security resources of an organisation, it may be among the first to know it has been used as the lure in a phishing campaign. Or, it may find out when legitimate customers start calling to complain about the ransomware, or what the customer may feel was a bad customer experience (because it was not with the actual organisation).

It is important to keep in mind that this issue has a technical component, but it is not an IT problem. It is an age-old confidence trick, brought into the age of the internet.

When an organisation is used as a lure to attack victims, its exposure has been: the misappropriation of the organisation’s logo, corporate colours and even web page style; and potential abuse of a flawed business process between the organisation and its customers. This happens if the customers are accustomed to getting:

  • Emails from the organisation that are typically promotional and ask the recipient to “click here” to claim a prize, login, register, etc.
  • Calls from the organisation where the outbound call centre staff ask the customer they have called to authenticate themselves. This process is considered to be very poor practice and is recognised as training the customers to be easy victims.

There’s also the potential for compromise of customer records. This is the least likely option, as most ransomware and phishing scams are usually scatter-gunned across as many people as possible, hoping that a percentage will be both legitimate customers AND will fall for the scam.

Takedown services are available from a range of vendors, but leading Australian CISOs note that the cost to engage third parties to take down phishing sites can escalate very quickly, as there may be thousands of sites, with phishing campaigns that can last for lengthy periods of time. Also, it is very easy for criminals to quickly set up new attack sites should one be taken down.

It is vital from a brand perspective, in the maintenance of a trusted relationship with customers and the market, for an organisation that has been hoaxed to get out quickly and communicate with the market that the brand is being abused.

The wording needs to be created by the organisation’s marketing people, and they will want IT’s advice on specifics. It may be easiest to emulate how some of the banks communicate with their clients, eg:

  • “Security notice: NAB will never request personal information such as your PIN/password or ask you to login to online servicing directly from an email.”
  • “Security notice: ANZ will not send you an email or SMS asking you to verify or provide Account Details, Financial Details, or login details for ANZ Phone Banking, ANZ Internet Banking or ANZ Mobile Banking.”

While an organisation that is being hoaxed may not itself be the victim of a crime, it is still important that organisations report these scams. Some reporting options include:

  • Scamwatch, run by the Australian Competition and Consumer Commission. Scamwatch puts out alerts on new types of attacks against consumers and businesses, but does not notify the public about specific instances where a brand has been hijacked.
  • ACORN (the Australian Cybercrime Online Reporting Network) was created to be a source of information on how to avoid and/or recover from various cybercrimes. Note that some security executives have commented that informing ACORN of a cybercrime does not appear to produce any outcome, yet.
  • Stay Smart Online, run by the Attorney-General’s Department and through collaboration with many of the security awareness teams in Australia’s largest organisations. Stay Smart Online has an alert service that is distributed to people who have provided their email addresses, and this has alerted users to hoaxes against specific brands (eg, Telstra, Australia Post). Stay Smart Online is a good resource to which concerned customers can be pointed, as most organisations will not want to have their call centres evolve to provide home computer security support to customers.

Experienced organisations have found that it is useful to have a mechanism set up for customers (and staff) to report hoax emails and calls. This can be an email address such as hoax@<domain> or scams@<domain> or spoof@<domain> and it is worth noting the following:

  • Be aware that malware samples will be sent to this address, so the people receiving these sample emails must have the ability to deal safely with this malware.
  • Ensure that wording describing the hoax/scam email service does not guarantee that the organisation will respond to every email, but an automated response should be set up to signify that the email was received.

Finally, it is imperative that the external communications team understand that the current phishing phenomenon will continue as long as it remains lucrative for criminals, so organisations must do what they can to help protect their clients. Typically, this will mean changing the customer communication engagement model. Phishing is a foreseeable risk and should be responsibly prepared for.

James Turner is an IBRS Advisor who specialises in information security, data centres and cloud and mobility security. He has more than a decade of experience in enterprise IT security and data centres, including as Frost & Sullivan’s analyst for IT security. He is chair of the Australian Information Security Association’s Advocacy Group.

Image courtesy Widjaya Ivan under CC

Related Articles

Nation-state actors have their sights on the cloud

Prioritising the protection of credentials and adopting robust security measures can better...

Combating financial crime with AI

Rapid digital transformation across Australia and New Zealand has provided cybercriminals with...

Learning from the LockBit takedown

An international taskforce has seized the darknet sites run by LockBit, but relying on law...


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd