100 channels and nothing on, except TV Licensing phishes
Credit to Author: Christopher Boyd| Date: Tue, 25 Sep 2018 09:00:00 +0000
We’ve seen a lot of people referencing fake TV Licensing emails they’ve received over the last few days. The majority so far appear to be fake refund notices, asking potential victims to log in to a phony TV License website and provide payment details for refunds. It’s definitely keeping customer support busy:
Click to enlarge
Many of the URLs we’ve looked at are down now, but not all, so we thought we’d take a look.
The scam pages are what we’d describe as functional; a fairly accurate depiction of what one might expect to see on a genuine refund page hosted on the TV Licensing website. In this example, the site claims the visitor is owed a £147 refund, though there are variable amounts quoted in the scam mails, as we’ll see later.
Here’s one of the scam sites in question, located at:
tv(dot)licensing(dot)secured(dot)ref(dot)pbmsim(dot)com/tv-secure/
Click to enlarge
Alongside the usual personal information scammers like to obtain, the site wants both card details and bank account information, which could result in extended discussions with the bank afterwards to get everything straightened out. They also ask for mother’s maiden name, presumably for additional social engineering attempts further down the line (or even just a general grab for a password reset answer).
As with many of these scams, the site claims the victim needs to give “two to three days” to allow for the refund to be processed. This is a tactic as old as the hills to give the scammers enough breathing room to do their damage while the victim does nothing, eagerly awaiting a refund that’s never going to arrive.
General observations
A lot of the sites finding their way into people’s inboxes may not be from the same campaign, and as a result, they’re all doing many different things. Below, we’ve tried to pin down some of the common patterns we’ve seen from this spam blast.
1) Some of the sites currently bouncing around have a copyright notice of 2017, whereas the rest say 2018. While this probably isn’t enough to tip someone off that the site they’re looking at is a fake, it might help tip the balance for some.
2) We haven’t seen any HTTPs sites (yet), but that doesn’t mean they’re not out there. This is the part where we gently remind everyone that phishing pages can and do make use of HTTPs to make things look more legitimate, and given the amount of free certificate services on offer, it’s not exactly difficult to achieve. Here’s what you see on the non secure site up above from our example:
Click to enlarge
3) Refund amounts and deadlines listed in the mails vary widely. We’ve seen a few people complaining about phishing attempts in the region of £124.50, with 30 September being given as the deadline to process any refund requests. The longest deadline time we’ve seen is “2 to 4 weeks,” which is an incredibly long time for a scammer to assume a potential victim will still be waiting around for their money.
The largest fake refund amount we’ve seen cited so far is a whopping £492.57. Given that a colour TV License costs somewhere in the region of £150, there’s no possible way someone could be owed close to £500 for a year’s worth of TV Licenses unless something had gone massively wrong.
4) The sites look similar, but don’t follow a uniform template. Below is one (now offline) example, which looks quite a bit different from the one up above, separating the various requests for information onto separate pages.
Click to enlarge
5) There’s also been a few mentions of dubious PDF attachments on Twitter, but so far no word as to if they’re loaded with malware or simply an additional part of the phish. Some scammers will attempt to make their missives look more legitimate with fancily thrown together PDFs to give everything an extra veneer of “this is definitely the real thing.” Just because an attachment is present, doesn’t necessarily mean it’s an infection file. (Of course, we’d never advise opening one to check.)
Final thoughts
This isn’t an overly complicated scam, but then again, it doesn’t need to be. Asking for a few hundred pounds from people here and there quickly adds up, and fear of not paying your TV License on time is almost something of a panic reflex for the British. It makes sense, then, for scammers to take advantage of people’s wariness and thank their lucky stars for a too-good-to-be-true license refund.
If you’re worried, check out the TV License website’s advice on phishing scams, and be wary of any emails claiming to offer up cash, no matter the amount. There’s a good chance the missive in front of you needs to be deposited where it belongs: in the recycle bin.
The post 100 channels and nothing on, except TV Licensing phishes appeared first on Malwarebytes Labs.