Experts analyse 'greedy' new Kanye West inspired phishing attack

Mimecast uncovers the various methods used by new scam to steal your personal data and credit card information

Email security firm Mimecast have analysed a new phishing attack found by Computing, which attempts to steal personal and credit card information.

The attack begins with an email claiming that the user has purchased a Kanye West song on Apple iTunes (below - email address partly obscured to protect intended victim's privacy).

The email goes on to say that, to cancel the payment, the target needs to click on a link purporting to be a payment cancellation form, which instead leads to a sequence of fake login pages designed to harvest their iTunes credentials.

The attack starts by taking the target to a fake Outlook webmail login page, then to a fake Apple ID login page that asks for lots of personal data, including date of birth and address. The likely purpose of collecting this data is that it can be used for password recovery mechanisms for other websites as well as to make fraudulent payments more likely to be accepted by fraud detection engines.

Finally, under the header of 'why not keep bilking the victim while you are at it', the target is taken to a fake bank verification page designed to steal credit card numbers.

Mimecast researchers highlighted that the phishing campaign is using two different domains to host the backend of their attack:

Matthew Gardiner, cybersecurity strategist at Mimecast, said: "Crafty email social engineering and well-spoofed login pages are at the heart of this greedy phishing campaign. As part of the campaign, the cybercriminal has likely hijacked a legitimate website to help ensure their phishing emails get through traditional email defenses, which often rely too heavily on blacklists.

"A key way to defeat this type of attack is to ensure all links in emails are rewritten to point to a cloud security service which acts as a security proxy. This ensures that there is a real-time check on every click. This approach can defeat most attacks irrespective of the user's device, which depend on taking the target from an email to a poisoned website."

This scam was initially seen on the intended victim's iPhone. It was verified as a phishing attempt by checking the email on a Windows-based computer, by holding the mouse over the 'Payment Cancellation Form' URL in the original mail. That revealed the compromised 'tech5support' address, rather than the expected Apple domain, showing the mail to be a scam.

It was then sent on to Mimecast for analysis. The email security firm analysed a previous scam found by Computing, which also attempted to steal financial information.