In the latest example of brandjacking, this evening we are seeing a run of phishing emails impersonating major retail brands. The criminal emails are leveraging several different compromised MailChimp accounts to bypass traditional email scanning software, and then using the power of major household name brands to entice users to click.
Despite being simple HTML emails that are emanating from the compromised MailChimp accounts, the emails are well formatted and could be easily mistaken for the real thing by unsuspecting recipients. Carrying links that redirect to a survey page, they ultimately lead users to a phishing page to steal their credentials and to deliver adware.
As you can see in the following samples, the display names are either the brands that are being impersonated, or an individual. For example, Aldi, or Bunnings Team, or Natalie Sands. The emails are also personally addressed to the recipient, by either first name, or first and last name, which adds to the integrity of the scam.
Recipients are offered the reward of a $1,000 or $2,000 gift card if they click through to complete the survey.
We anticipate that this latest attack may yield a high click-through rate for the criminals behind the fraud, as the mechanism for the scam is simple and easily confused for representing major Australian brand names that will be very familiar to users checking their inbox in the late hours of the evening, or early tomorrow morning.
At the time of detection, and indeed at the time of writing, MailGuard are unaware of any other email security services that are stopping this threat.
At MailGuard, we see criminal-intent emails like this daily. Cybercrime of this sort, where cybercriminals create a fake phishing page that looks like a well-known company is known as ‘brandjacking.’ The criminals behind these attacks use the well-known names of big companies to lull their victims into a false sense of security. These attacks have a high success rate for cybercriminals, because they leverage the trust we place in names like PayPal, Netflix and Microsoft to trick victims.
Although brandjacking messages like these are often very convincing, there are a few tell-tale signs users can look for to identify a criminal-intent email:
- Generic greetings, such as ‘Dear customer’
- A sense of urgency: “Ensure your invoice is paid by the due date to avoid unnecessary fees”
- Bad grammar or misuse of punctuation and poor-quality or distorted graphics
- An instruction to click a link to perform an action
- Obscure sending addresses that don’t match the real company’s domain URL
- If in doubt, type the web address (URL) directly into your browser rather than clicking the link, or better still phone the company.