Criminals develop a more targeted style of phishing in The Netherlands
Group-IB analysts identified multiple phishing websites impersonating Dutch financial organizations that are part of a single network of more than 750 connected domains. The phishing infrastructure was first seen in March 2021 and remains active to this day. Group-IB researchers codenamed the campaign RUNLIR, as it uses RU, NL and IR in its domain naming pattern. As part of the analysis, Group-IB researchers also observed a very unconventional "Cut the card" phishing scheme that requires effort from the fraudsters both online and offline.
RUNLIR uses a combination that is unique for the Netherlands: the BlackTDS anti-bot service, the notorious bulletproof hosting services of Yalishanda and different versions of the uAdmin phishing kit. This approach ensures that the phishing pages are shown only to victims and not to security professionals. The approach, discovered by Group-IB CERT analysts, is new and has not been seen in phishing attacks in the Netherlands before.
The specialized 'Cut up your banking card' scheme observed by Group-IB researchers typically has 5 steps. The victim count is unknown; however, according to Dutch media reports, local residents fell prey to a variation of the scheme in June 2021. Below you can find a step-by-step guide to the phishing scheme.
- The initial vector is smishing. The victim receives a rogue SMS impersonating a local organization, warning that their banking card expires soon and that they need to follow the link in order to prevent blockage.
- The phishing website asks the unsuspecting victim to provide their banking information, including the e.dentifier response token. The e.dentifier is the physical token device used by customers of Dutch banks to generate a secure token that must be entered during the login process. Once the cybercriminals have logged in with the stolen token, they are in full control of the customer's banking account: they can see how much money the victim has and find additional information, such as addresses.
- After the response token has been sent to the cybercriminals, the phishing website prompts the victim to share all of their personal data, including name, full address, postal code, date of birth, phone number and email address. Phishers often request more information than the minimum required, which gives them more ways to capitalize on it, for example by selling the data on the dark web. This information also allows the criminals to do a quick web search for a photo of their victim, which can be used in the attack if needed.
- The criminals then ask the victim to share the PIN of their existing bank card, to be used to steal money later.
- Finally, the victim is instructed to cut the card in two, with the cut made through the center of the card. This step does not actually disable the payment card, as the chip itself remains untouched. The victim is then asked to provide a 'time' at which a 'banking employee' can come to pick up the card that has been 'cut in two'. This 'employee' collects the card, which of course remains functional.
At the end of this scheme, the cybercriminals have all of the information needed to log in to and abuse the victim's bank account. The card can be repaired simply with some tape, and, as the crooks have access to the bank account, they can also come and pick the old card from the victim's physical mailbox.
They are also able to request a new bank card. Just as with the card cut in half, the crooks have the new card sent to the victim's address and pick it up once it has arrived: they wait for the delivery and, once the card has been delivered, go to whatever lengths are needed to obtain the newly sent card.
The RUNLIR campaign utilizes the following services to block unwanted visitors from their phishing websites and increase the likelihood of successful phishing attempts:
BlackTDS
● They require the browser's user-agent to be a mobile user-agent
● They require the visiting IP address to connect from a mobile network
● They can detect the referrer URL and take action based on that.
● They make use of available domain patterns
Yalishanda
● Infamous bulletproof hosting service that hinders takedown efforts significantly
Phishing Kits
● Various versions of the U-Admin phishing panel, which allow cybercriminals to interact with the actual phishing site in real time and are used to collect and manage the stolen user data
Here are some steps that regular users can take to better protect themselves against these types of threats.
- Do not click on links unless you are 100% confident they are real
- Double-check that the URL of a website is the official one before you submit any information
- If you think you may have been a victim of a phishing attack, quickly get in contact with your bank, the organization being impersonated by the fraudsters, and the police. They can issue an alert, which may ultimately raise awareness and reduce the victim count.
- Keep in mind that official organizations usually do not use common URL shorteners, so links leading to bit.ly, s.id, tny.sh and others should be treated with suspicion. Double-check the final destination.
- Always use your official banking application on your mobile device.
- Report any identified phishing emails or SMS to CERT-GIB, fraudehelpdesk.nl, or scamadviser.com. These reports help cybersecurity professionals to investigate and take action against fraudulent websites, in addition to helping protect other victims.
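The two link checks above (official domain or not, URL shortener or not) can be automated for SMS triage. This is an added example, not code from Group-IB or the HSD Trendmonitor; the official domains, brand keywords and sample SMS are constructed placeholders, and the registered-domain helper assumes a single-label public suffix such as .nl or .com.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist and brand keywords (placeholders, not real bank domains).
OFFICIAL_DOMAINS = {"examplebank.nl", "exampleservice.nl"}
BRAND_KEYWORDS = {"examplebank", "exampleservice"}
# Shorteners named on the page plus a few widely known ones.
SHORTENERS = {"bit.ly", "s.id", "tny.sh", "t.co", "tinyurl.com"}

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)

# Constructed sample smishing text, modelled on the lure described above.
SAMPLE_SMS = ("Your banking card expires soon. Renew it now at "
              "https://examplebank-nl.ru/renew or via http://bit.ly/abc123.")


def registered_domain(host: str) -> str:
    """Last two labels of the host; assumes a single-label public suffix (.nl, .com)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> tuple[str, str]:
    """Return (verdict, reason) for one link found in an SMS."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    domain = registered_domain(host)
    if domain in OFFICIAL_DOMAINS:
        return "official", domain
    if domain in SHORTENERS:
        return "suspicious", f"URL shortener {domain} hides the final destination"
    # Brand name anywhere in the hostname while the registered domain is not the
    # official one: the typical shape of a lookalike domain (brand-nl.example).
    for brand in BRAND_KEYWORDS:
        if brand in host.replace("-", ""):
            return "suspicious", f"impersonates {brand} via {domain}"
    return "unknown", domain


def triage_sms(text: str) -> list[tuple[str, str, str]]:
    """Extract every link from an SMS and classify it as (url, verdict, reason)."""
    results = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;)")          # drop sentence punctuation glued to the link
        verdict, reason = classify_url(url)
        results.append((url, verdict, reason))
    return results


if __name__ == "__main__":
    for url, verdict, reason in triage_sms(SAMPLE_SMS):
        print(f"{verdict:10} {url}  ({reason})")
```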