Welcome to our October 2022 review of phishing attacks, in which we explore the latest email scams and the tactics that cyber criminals use to trick people into handing over personal data.
This month, we look at a social engineering scam targeting an employee at the financial tech firm Revolut, the consequences of that attack, and – in more positive news – Microsoft’s improvements to phishing protection in Windows 11.
Fintech firm Revolut caught out by “highly targeted” scam
Revolut was recently targeted by a cyber criminal, who gained unauthorised access to clients’ personal data.
Few details have emerged about how the attacker compromised the organisation, but it is believed to have been a “highly targeted” social engineering attack. This suggests that a senior employee was tricked by a spear phishing or whaling scam.
These are types of social engineering attacks in which a fraudster targets a high-level employee, with a tailored message based on information they can find online. The attacker might, for example, search social media to find the name, email address and job title of a company director.
According to the breach disclosure to the State Data Protection Inspectorate in Lithuania – where Revolut has a banking licence – 50,150 customers were affected.
The information is thought to include customers’ full names, email addresses, postal addresses, phone numbers and account details.
Despite the scale of the breach, Revolut has downplayed the damage. A spokesperson said:
“We immediately identified and isolated the attack to effectively limit its impact and have contacted those customers affected. Customers who have not received an email have not been impacted.”
Initial reports suggested that some customers’ payment card data was also compromised, but Revolut has since denied this. “Our customers’ money is safe – as it has always been. All customers can continue to use their cards and accounts as normal,” the spokesperson added.
The fintech firm also clarified that the types of compromised data vary for different customers, but it is confident that the most sensitive forms of information, including PINs and passwords, were not accessed.
Further headaches for Revolut
Soon after Revolut disclosed that it had been breached, customers began reporting that they were being sent suspicious text messages.
Cyber security researcher Graham Cluley shared several of the messages that he received, which claimed that his account had been frozen.
[Image: the text messages Cluley received. Source: Graham Cluley]
Cluley was sent several messages encouraging him to follow a link to ‘https://frozen-revolut.com’. The texts said that he must follow the instructions on that page to avoid restrictions; one message claimed this was necessary because his identity was no longer verified.
It’s likely that the messages are a direct result of the recent data breach, with the attackers using the compromised personal details to target Revolut customers.
However, it’s possible that an opportunist fraudster is spamming phone numbers knowing that at least some of them will be Revolut customers.
You often see cyber criminals use newsworthy events as the basis of scams. In this case, the fraudsters hope that recipients will have seen that Revolut was hacked and assume that this message is in response to that.
Using a current event as the pretext of a scam like this lends it a sense of legitimacy; their bogus message doesn’t come out of the blue and there are independent reports that indicate that Revolut could have frozen users’ accounts.
Another level of sophistication in this scam is that the fraudsters paid for an ‘https’ domain. Many people believe that this indicates that a URL is genuine, but it simply means that the connection to the site is encrypted; it says nothing about who operates the site.
Most legitimate websites use ‘https’ for security purposes, so any website without such a domain should be viewed with suspicion. However, the opposite isn’t necessarily true; not all websites with an ‘https’ domain can be trusted.
Cyber criminals don’t usually bother purchasing an https domain, because they want to reduce costs and the bogus website won’t be live for long.
What gives the URL away as bogus is the domain name, which in various iterations of the scam is ‘frozen-revolut’, ‘revolut-in’, ‘revolut-gb’ and ‘revolut-email’.
Any genuine correspondence from the organisation would come simply from ‘revolut’, with additional details in the subdirectory – for example, ‘https://revolut.com/frozen’.
Meanwhile, Revolut said that it will never send customers a link to a website and ask them to enter sensitive information, such as a password or PIN code.
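The checks described above (ignore the ‘https’ prefix, look at the registered domain rather than the path, and treat a brand name embedded in an unrelated domain as a red flag) can be automated. The following is an added example written for this article, not code from Revolut, Graham Cluley or Microsoft. It assumes ‘revolut.com’ is the only legitimate customer-facing domain, adds a ‘.com’ suffix to the ‘revolut-in’ and ‘revolut-gb’ names the article mentions (the article does not give their full hostnames), and runs over a handful of constructed text messages modelled on the ones described.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: the domains the organisation genuinely uses.
# The article only says real links come from "revolut", with detail in the path.
TRUSTED_DOMAINS = {"revolut.com"}

# Constructed sample messages, modelled on the texts described in the article.
# The ".com" on revolut-gb is an assumption; the article gives only the name.
SAMPLE_MESSAGES = [
    "Revolut: your account has been frozen. Follow the instructions at "
    "https://frozen-revolut.com to avoid restrictions.",
    "Revolut: your identity is no longer verified, re-verify at https://revolut-gb.com/verify",
    "Your statement is ready, view it at https://revolut.com/frozen",
]

URL_PATTERN = re.compile(r"https?://[^\s'\"<>]+")


def registrable_domain(url: str) -> str:
    """Return the last two labels of the URL's host, lower-cased.

    Simplification: 'example.co.uk' would come back as 'co.uk'. A production
    checker should use the Public Suffix List to find the registrable domain.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_url(url: str, brand: str = "revolut") -> str:
    """Classify a link as 'trusted', 'lookalike', 'unrelated' or 'invalid'.

    The scheme is checked only for sanity and never used as a trust signal:
    an 'https' URL tells you the connection is encrypted, not who is behind it.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return "invalid"
    if registrable_domain(url) in TRUSTED_DOMAINS:
        # Any path under the genuine domain (e.g. /frozen) is fine: the path
        # is controlled by the domain owner, not by whoever registered a lookalike.
        return "trusted"
    if brand in host:
        # The brand appears in a hostname that is not the genuine domain:
        # frozen-revolut.com, revolut-gb.com, revolut.example.net and so on.
        return "lookalike"
    return "unrelated"


def triage_messages(messages):
    """Extract every URL from each message and attach a verdict to it."""
    results = []
    for message in messages:
        for raw in URL_PATTERN.findall(message):
            url = raw.rstrip(".,;:!?)")  # drop sentence punctuation glued to the link
            results.append((url, classify_url(url)))
    return results


if __name__ == "__main__":
    for url, verdict in triage_messages(SAMPLE_MESSAGES):
        print(f"{verdict:10} {url}")
```

Running the script flags the first two constructed messages as lookalikes and the third as trusted. The point of the design is that the verdict depends on the registered domain alone: ‘https://revolut.com/frozen’ passes because ‘revolut.com’ is the domain, while ‘https://frozen-revolut.com’ fails even though it is served over TLS.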
Microsoft boasts of improved phishing protection in Windows 11
The latest version of Windows 11 (‘22H2’) introduces a feature in its Defender SmartScreen tool that aims to better protect users from phishing scams.
Microsoft says that the technology can detect whether an app or website has a secure connection whenever a user tries to log in.
“Not only are attackers motivated and creative, but their attacks are growing more and more sophisticated,” wrote Sinclaire Hamilton, a product manager at Microsoft, in a blog post. “Attackers don’t break in, they log in.”
“That means admins can know exactly when a password has been stolen and be equipped to better protect your organization,” Hamilton added.
If the tool detects an insecure connection, Windows lets users know – both that the site is potentially untrustworthy and that they need to change their passwords. It also automatically alerts administrators through Defender for Endpoint.
“When Windows 11 protects against one phishing attack, that threat intelligence cascades to protect other Windows users interacting with other apps and sites that are experiencing the same attack as well,” Hamilton wrote.
The enhanced phishing protection feature is among several security capabilities available in Windows 11 version 22H2, which was introduced last week.
Can you spot a scam?
All organisations are vulnerable to phishing, no matter their size or sector, so it’s essential to understand how you might be targeted and what you can do to prevent a breach.
You can help educate your staff with IT Governance’s Phishing Staff Awareness Training Programme.
This 45-minute course uses real-world examples like the ones we’ve discussed here to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.