Spammers Get Better at Impersonating Banking Services, Use Lingo and Legit Layouts to Con Victims

E-mail-based attacks mimicking well-known financial institutions and online payment services have surged over the Halloween and Black Friday season, as cybercriminals continue to leverage restrictions brought on by the pandemic.

Although coronavirus-related email messages dominated phishing campaigns throughout the year, the uptick in digital transactions, online shopping and the online management of individual finances have created given cybercriminals new advantages.

A series of phishing campaigns posing as online banking services marred the second half of 2020, according to the Bitdefender Antispam Lab:

  • September 20 – 38.08% of all incoming emails relating to banks and financial services was marked as spam
  • October 25 – nearly 6 in 10 emails (58.84%) relating to the banking industry were fraudulent
  • November 29 – 30.7% of all received emails appearing to come from popular financial institutions was spam

Many of the fraudulent emails mimic legit correspondence sent by actual banks. They contain real logos, specific layouts and even industry lingo, making it harder for recipients to notice the red flags, especially when accessing the message from a phone or tablet.

However, most of the spam messages transmit a sense of urgency, asking users to quickly either share personal or financial information, download a document or attachment, or click on links to resolve a security issue.

Here are some of the most significant spam and malspam campaigns leveraging customers of prominent financial institutions in the past two months:

Standard Bank

Customers of the South African bank were targeted in three major spam campaigns between October and November 2020. On October 7, 97.76% of incoming correspondence claiming to be from Standard Bank was fraudulent. Additional campaigns were picked up on November 26-27, when 87.96% and 90.64% of the correspondence was marked as spam.

Sample 1. Standard Bank phishing email

Sample 2. Standard Bank phishing email

Bank of America

Bank of America customers were targeted by scammers in a significant phishing campaign on October 17, when nearly 5 in 10 emails (48.54%) posing as legitimate correspondence from the bank were flagged as fraudulent.

In one phishing scenario, customers receive a security alert from the bank, which prompts them to verify their account and prevent unauthorized access to their online profile. Users can easily fall for this ruse, since many online companies have engaged in additional security measures and tools to prevent data breaches and restrict access to personal and financial information of customers throughout the year.

In a separate version of the scam, customers receive a message alerting them that their debit card has been deactivated due to an undisclosed number of transactions. After setting the bait, users are asked to follow a link and enter their account and card information to reactivate it.

Sample 3. Bank of America phishing email

Sample 4. Bank of America phishing email

Sample 5. Bank of America Phishing email


A three-day spam campaign targeted HSBC Bank customers on November 26-28 (Black Friday weekend), when more than 97% of all incoming emails indicating they were from the British multinational banking and financial services organization were malicious or fraudulent in nature.

In two versions of the scam, cybercriminals tempt users to download attachments containing information on a wire transfer. By accessing the document, recipients infect their device with info-stealing Trojans and ransomware.

Sample 6. HSBC phishing email

Sample 7. HSBC phishing email

Wells Fargo

Wells Fargo customers were also targeted by cyber-crooks in a significant phishing campaign on October 13. According to Bitdefender Antispam Lab, 93.11% of all emails claiming to be from the US financial organization were flagged as fraudulent.

Below is another example of how fraudsters use social engineering to trick users into believing their bank account is locked. While the logo and content of the message may seem legit, a closer look at the sender’s email address confirms that the email is not sent from the actual bank.

Sample 8. Wells Fargo phishing email

Sample 9. Wells Fargo phishing email

La Banque Postale

A noteworthy phishing campaign targeting La Banque Postale customers was noticed on November 18, when 97.69% of all incoming emails associated with Parisian-based bank were marked as spam. The scammers attempt to trick recipients into accessing a link allowing them to listen to an important message received from the bank.  

Sample 10. La Banque Postale phishing email

ANZ and NAB Banks

The names of Aussie financial entities such as Australia and New Zealand Banking Group Limited and National Australia Bank were also used to trick unsuspecting recipients into providing sensitive information.

Scammers sent out emails mimicking the ANZ Internet Banking service in an attempt to steal the login credentials of their account.

Cyberthieves impersonating the National Australia Bank sought to entice beneficiaries to provide personal identifiable information (PHI) such as their passport number and National ID number to receive a transfer of $15 million into an account of their choosing. The fraudsters claim that the users received a payment on behalf of the yearly Coca-Cola lottery, deposited the National Australia Bank until further notice.

Sample 11. ANZ phishing email

Sample 12. NAB phishing email


PayPal was the most mimicked brand in the online payments system services in H2 this year. A global phishing campaign hit Inboxes on October 21, when 8 in 10 emails (80.50%) were marked as fraudulent. All three versions of the scam, sent to English, French and Spanish users, notify recipients of suspicious activity in their PayPal accounts. Fraudsters claim that account use is restricted until customers log in and verify their identity. If recipients click on the Login button, they are re-directed to spoofed websites that steal their login information and compromise their PayPal accounts.

Sample 13. PayPal phishing email US

Sample 14. PayPal phishing email US

Sample 15. PayPal phishing email FR

Sample 16. PayPal phishing email ES

Sample 17. PayPal phishing email DE

Western Union

The famous name of international money transfer service Western Union was also leverage by scammers in two significant phishing campaigns, on October 18 and November 27. 97.39% and 75.12% of all incoming emails using the Western Union name were flagged as spam.

This time, however, users are lured with the possibility of winning a prize from Western Union. No additional information is provided in the body of the message. Recipients are told to download and open the document on their device, which urges them to provide personal information alongside a small fee to claim their prize.

Sample 18. Western Union phishing email

This past year has revealed that bad actors have honed their social engineering skills for maximum effect, tailoring their correspondence to fit every headline and the socio-economic environment shaped by the health crisis.

Every day, thousands of individuals fall for fraudulent emails from cybercriminals pretending to be a bank representative. On top of the financial loses that follow, users may also become victims of identity theft, and malware and ransomware infections that compromise their devices, privacy and well-being.

Hackers Hit Baltimore Yet Again – Ransomware Temporarily Freezes Systems at Major Medical Center

Less than two weeks after an attack on Baltimore County Public Schools, one of the city’s major medical centers has been struck by the same type of malware – ransomware.

Officials at the Greater Baltimore Medical Center said phone lines of some of GBMC’s doctors were down and access to patients’ medical portals were blocked following the attack, according to local station WBAL-TV 11.

In a press release December 6, the healthcare system confirmed it was confronted with a ransomware infection that “impacted information technology systems,” taking some of them offline and freezing some operations temporarily.

“Although many of our systems are down, GBMC HealthCare has robust processes in place to maintain safe and effective patient care. We are collectively responding in accordance with our well-planned process and policies for this type of event,” the center said.

The hospital said it doesn’t believe any patient information has been compromised.

“There is no evidence at this time that any patient information has been misused. We are working with outside experts and law enforcement. Our investigation is in its early stages. We will provide more information as we can,” GBMC said.

Recently, such attacks have been backed by leaks meant to coerce victims into paying ransom. A lack of evidence that data has been copied doesn’t mean it hasn’t happened.

According to the 11 News report, the attackers “may” have sent a notice through a fax machine, with the note obtained by the station reportedly saying that “facility and computers and servers are locked and private data has been downloaded.”

You can also check if your private data has been exposed online! Use Bitdefender’s Digital Identity Protection tool to see where you stand at the moment and what the internet knows about you.

It’s also not uncommon for threat actors to throw around empty words, but it remains to be seen if this is indeed the case.

The announcement names no particular ransomware strain or gang taking credit for the attack. However, the Baltimore County Board of Education – similarly hit at the end of November – and GBMC are said to be less than a mile apart and on the same street.

GBMC also informed patients that some procedures scheduled for Monday, December 7 may be affected.

“All patient’s [sic] whose procedures may be rescheduled have already been contacted,” the center said.

Ransomware operators seem to have an affinity for Baltimore. In May 2019, the city had its servers compromised by a variant of ransomware called RobbinHood. Following that attack, officials devoted a surplus of $10 million toward an emergency ransomware response in the city, after the city refused to pay $80,000 to the attackers.

Ohio Medical Practice Fires Employee Over Patient Privacy Breach

A healthcare provider based in the US state of Ohio has released a statement saying it fired an employee for snooping in on patients’ records, showing transparency amid unfavorable news. Credit card information was not accessed, the practice says.

Mercy Health, a Catholic healthcare provider with locations in Ohio and Kentucky, says the news release is meant “to provide notice about a medical records privacy incident affecting patients who received services” at its medical facilities.

As the story goes, in early October a Mercy employee accessed medical record information that the person didn’t need to do the job. The information included names, addresses, dates of birth, medical record number, treatment and other clinical information and/or radiological images, as well as other demographic information.

You can also check if your private data has been exposed online! Use Bitdefender’s Digital Identity Protection tool to see where you stand at the moment and what the internet knows about you.

The employee did this repeatedly, breaching the privacy (and potentially the security) of several Mercy patients. For a small number of customers, the employee also accessed health insurance identification numbers, according to the notice.

“Credit card numbers and other financial information were not accessed,” the practice says. “The employee who accessed the information no longer works at Mercy,” it adds.

After discovering the breach, Mercy immediately started an investigation.

The provider made “additional enhancements to procedures to prevent a similar incident from happening in the future,” it says.

“Additional education was provided to staff regarding compliance with the organization’s policies and procedures,” according to the press release.

It’s unclear why the employee breached patient data. However, the announcement alludes to an intent to commit fraud, with Mercy urging affected parties to keep a close eye on credit reports and account statements for unauthorized activity.

The provider also tells patients to watch out for phone calls or emails requesting personal information (i.e. phishing), and encourages them to contact consumer reporting agencies to place a fraud alert on their credit report.

Finally, “out of an abundance of caution,” Mercy is offering all affected individuals free identity theft protection services for one year through IDX, the nation’s largest provider of data breach response services.

Happy Holidays, Cyber-Crooks are Coming for You

Winter holidays are all about fun, family and, if we’re lucky, several inches of snow. After one of the most tumultuous years in recent history, in the shadow of a pandemic of biblical proportions, we’d say it’s about time we took a deep breath and a sip of eggnog.

We don’t want to ruin this for you, but December comes with one more test before your well-deserved break: increased cyber-criminal activity as the bad guys try to pocket your hard-earned Christmas gift money. As cyber-crime spikes off the charts, here are some tips to keep you and your dear ones safe.

Keep an eye on your payments

Online shopping has exploded during the lockdown and continues to set new year-over-year records as we approach the winter shopping season. Bad actors will take any opportunity to go for your money and will spare no effort to beat the record $6 TRILLION loss they inflicted in 2019.

As holiday shopping intensifies, so does phishing and fraud. As we’re getting closer to Christmas, financial service and digital app payment users become increasingly targeted by cyber-crooks.

Fortunately, this is easy to fix. Simply install a security solution to filter your junk messages and enable two-factor authentication for all accounts that support it. Last, but not least, regularly go through your past transactions to spot irregularities, chargeback fraud or purchases you have not actually made.

Malware never gets out of fashion

While phishing compromises individual accounts, malware helps the bad guys take complete control of devices. Every hour, hackers create more than 20,000 new pieces of malware. By the time you’ve read this, almost 800 new threats have been launched at millions of potential victims around the world. These criminal tools can carry out numerous actions, from the infamous encryption of your precious data to attacking a bank or hospital and anything in between. Pay extra attention to spammy e-mails, as four out in 10 messages include a form of malware.

Romance for Christmas? Yes, but caution required.

Cyber-criminals have been diligently leveraging the social distancing measures and loneliness of citizens in isolation, with noticeable spikes during the winter holidays. In 2019, people reported losing $201 million to romance scams in the United States alone, a steep 40% increase from 2018.

On average, dating scams account for between 30 and 40 percent of global incoming spam and can inflict severe financial and emotional distress on victims.

Most of the times, victims are approached via dating sites, unsolicited e-mail, social networks or instant messaging platforms by people who purportedly are military, or businesspeople stationed overseas. They build a complicated story that always ends up with asking for money to cover an emergency, costs of an accident or travel arrangements so they can spend the holidays with you.

Travel plans? Take a second look.

As the holiday season approaches and pandemic restrictions get lifted, attackers may attempt to capitalize on everyone’s interest in taking a break and planning vacations. Consequently, spikes in travel-themed spam once again prove that threat actors are tuned in to their victims’ needs and interests, planning their messages and campaigns to maximize their effectiveness. In November, around three out of 10 of all the scanned spam emails were travel themed. Pay extra attention to offers too good to be true and always book your travel with an agency or operator you trust or that has a well-established reputation.

Holidays are the best time for sharing pleasant moments with family and friends, no matter where they are. Don’t let your first digital Christmas get stolen! See how we can help you stay safe during the holiday season and beyond.

PlayStation Now Fixes Vulnerability That Allowed Attackers to Run RCE on Windows PCs

A critical flaw in the PlayStation Now cloud application could have let attackers inject malicious code on Windows-operating devices.

The vulnerability was reported on May 13 by bug hunter Parsia Hakimian, and fixed on June 25 by the online gaming giant.

The bug, residing in an insecure AGL application, affected PlayStation Now versions 11.0.2 and earlier on machines running Windows 7 SP1 and later.

“The PlayStation Now application version 11.0.2 is vulnerable to remote code execution (RCE),” Hakimian said. “Any website loaded in any browser on the same machine can run arbitrary code on the machine through a vulnerable websocket connection.”

In his description of an attack, Hakimian said a threat actor could send a malicious script to users through online forums or Discord. By accessing the link on their computer, malicious scripts on the website connect to the local WebSocket server [ws://localhost:1235] and ask AGL (Electron application) to load and run malicious Node code on the target’s device.

“Any JavaScript loaded by AGL will be able to spawn processes on the machine. This can lead to arbitrary code execution,” the bug hunter added. “The AGL application performs no checks on what URLs it loads.”

The findings landed the researcher a whopping $15,000 bounty awarded by PlayStation’s HackerOne bug bounty program.

The fix couldn’t have come at a better time for the gaming community since the cloud-gaming service has gained more than 2.2 million subscribers by April 2020.

Foxconn hit with record-breaking $34 million ransom demand after cyber attack

Foxconn hit with record-breaking $34 million ransom demand after cyber attack

  • Electronics manufacturer Foxconn was infected with the DoppelPaymer ransomware last month
  • Hacking group has begun to publish files stolen from company’s servers during the attack

The world’s largest electronics manufacturer, Foxconn, has suffered a cyber attack and extortionists are reportedly demanding a $34 million ransom be paid for the recovery of its data.

As Bleeping Computer reports, a Foxconn’s facility located in Ciudad Juárez, Mexico, was hit over the US Thanksgiving holiday period by hackers who stole data from the company’s servers before encrypting systems.

The DoppelPaymer gang has claimed responsibility for the ransomware attack, and begun to publish stolen data on a website it created earlier this year to coerce companies into paying huge ransom demands. Foxconn, like other victims before it, will have been told by the criminals that it risks facing difficult questions by partners, customers, and the press if sensitive data is shared online.

According to Bleeping Computer the hackers claim to have encrypted over 1000 servers at Foxconn North America, and stolen 100 GB worth of data. To rub salt into the wound, the criminals are also said to have deleted 76 terabytes of backups.

The rest of the Foxconn company, which employs over 800,000 people and counts the likes of Apple, Dell, Amazon, Nintendo, Microsoft, and Sony amongst its many high-profile past and present customers, is not believed to be affected by the ransomware.

The criminals clearly feel that they’ve hit the jackpot though, demanding a cryptocurrency ransom of over 1800 Bitcoins (approximately US $34 million at current exchange rates).

Foxconn has made no public statement about the attack, and it is unclear whether they are prepared to negotiate with the cybercriminals or not. For now it would seem they would rather the incident remain private.

What is very public, however, is that the official website of Foxconn’s facility in Ciudad Juárez is currently displaying an error message:

Whether the website downtime is a direct result of the ransomware infection, or has been intentionally taken offline alongside other systems by Foxconn’s IT team is unclear.

Past victims of the DoppelPaymer ransomware include the city of Florence in Northern Alabama, the city of Torrance in the Los Angeles metropolitan area, Newcastle University, and the horrific ransomware arrack that resulted in a hospital patient dying in Germany.

Israel shaken by data leak after ransomware attack at Shirbit insurance company

Israel shaken by data leak after ransomware attack at Shirbit insurance company

  • Hackers leak screenshot of negotiation with breached insurance giant
  • Israeli government reportedly reconsidering relationship with insurance firm following security breach

A hacking gang calling itself Black Shadow has demanded a giant insurance firm pay a US $3.8 million ransom after encrypting and stealing sensitive data and documents about its clients.

Customers of the victim, Israel’s Shirbit insurance company, have been advised to consider obtaining new identity cards and driving licenses due to the risk of identity theft after the hackers released a third wave of stolen data this past weekend.

Leaked data has included scans of identity cards, marriage certificates, and financial and medical documents.

The latest leak by Black Shadow of data from Shirbit followed the insurance company’s refusal to meet a Saturday 9am deadline set by the extortionists to pay the 200 bitcoin ransom.

Initially, the attackers requested a 50 bitcoin (approximately $950,000) ransom be paid, but this increased to 100 bitcoin after Friday 9am, and then to 200 bitcoin by Saturday morning.

For its part Shirbit has said that it will “not give in to this kind of terrorism.”

Late last week, the hackers shared a screenshot of what they claimed was a negotiation via WhatsApp between themselves and someone called “Ilia” representing Shirbit.

Part of the conversation read as follows:

Ilia: Good morning, I’m Ilia, and ill be communicating with you on behalf of Shirbit CEO.

Black Shadow: Hello

Ilia: Good to communicate. Finally. Is it good time now or its middle of night there?

Black Shadow: Good

Ilia: Good. How we move forward?

Black Shadow: If you pay us 50 BTC, we will not leak anything anymore

Ilia: Yes. This I understand from text. but you know that its not work like that. Like dating, we need to now a little one the other.. To know. sorry

Black Shadow: So, if you dont pay we will leak part of data at 9:00 am tomorrow

Following the data leak, Black Shadow released a statement threating to publish more stolen data:

“We did what we promised. The company did not want to pay us. Shirbit proved to everyone that clients’ documents are not important to them,” adding that “we still have ten terabytes of information left.”

No doubt there are many clients of Shirbit concerned about the security breach, and worried that their data may fall into the hands of criminals as a result of the attack.

Amongst those clients are the Israeli government, which according to some media reports will reconsider using Shirtbit as an insurance provider for government workers in the wake of the security breach.

Data Breach at Alaskan Online Voter Registration System Exposes Personal Info of Over 100,000 Voters

A cyberattack on the Online Voter Registration System of the state of Alaska exposed the personal information of 113,000 potential voters, the Governor’s Office announced last Thursday.

According to a press release, the attack took place in early September, and was discovered on October 27, 2020.

“Since the discovery, Division staff, working with the State Security Office, our vendors, and law enforcement, and a computer forensics firm have worked to determine the scope of the problem, secure databases and web applications, comply with state law regarding exposure of personal information records, and assist law enforcement with any investigation as needed,” the official statement reads.

A summary of the state’s preliminary investigation determined that the attackers exploited a vulnerability, allowing them to exfiltrate voter information such as names, date of birth, driver’s license, or state identification number, last four digits of Social Security numbers, residence, mailing addresses and party affiliation.

You can also check if your private data has been exposed online! Use Bitdefender’s Digital Identity Protection tool to see where you stand at the moment and what the internet knows about you.

“At this time, the Online Voter Registration System website is secure, fully functional, and the flaw has been remedied,” the Office of Lieutenant Governor Meyer added. “The preliminary investigation indicates that although outside actors accessed voter registration information, the purpose of the unlawful access was to spread propaganda and shake voter confidence—not to impact the election results. The Division of Elections firmly believes the integrity of the 2020 voting process was not compromised.”

Although there is currently no evidence that the stolen data has been used “for anything other than propaganda,” voters with exposed personal information have been notified and provided a year of credit and ID monitoring free of charge.

Italian Police Arrest Criminals Accused of Robbing ATMs with Purpose-Built Black Boxes

Italian Police identified 12 people allegedly responsible for numerous ATM jackpotting attacks in multiple provinces, putting an end to a criminal operation that lasted seven months.

Jackpotting usually requires several attackers. It’s one of the more complex methods used to directly steal money from ATMs, but it also relies on vulnerable or poorly secured devices.

Usually, attackers open up the ATM and use a so-called black box containing dedicated hardware and software. It’s worth noting that attackers weren’t the developers of the black box. Criminals usually buy such devices off the black market and have no idea how they actually work — only where to plug them in.

Once the black box is connected to both the money dispenser and the PC running in the ATM, it can send commands asking the machine to release money. The police started to investigate the thefts in September, but the group was already hitting ATMs a few months prior.

Monza and Brianza, Milan, Bologna, Modena, Vicenza, Mantua and Parma are the provinces hit by the group. In total, 12 people are being investigated, and six have been apprehended already. Another three are detained in Poland, and the whereabouts of the others are unknown. The groups allegedly managed to steal more than €800,000.

A few months ago, Diebold Nixdorf issued a warning of a wave of jackpotting attacks against ATMs in many European countries, with the vast majority directed at ProCash 2050xe USB terminals.

“Attackers are focusing on outdoor systems and are destroying parts of the fascia to gain physical access to the head compartment,” said the old Diebold Nixdorf advisory. “Next, the USB cable between the CMD-V4 dispenser and the special electronics, or the cable between special electronics and the ATM PC, was unplugged.”

Nintendo Hacker Sentenced to Three Years in Prison

A California resident who hacked Nintendo when he was a minor has been sentenced to serve three years in prison, followed by seven years of supervised release.

Ryan S. Hernandez, 21, of Palmdale, California, hacked the gaming giant in 2016 and pleaded guilty in January to one count of computer fraud and abuse and one count of possession of child pornography, the AP reports.

According to prosecutors, Hernandez stole confidential information about popular video games, gaming consoles and developer tools.

The FBI investigated the hack and contacted his parents. Hernandez reportedly agreed to stop hacking Nintendo, but two years later he was at it again. This time the feds not only found “thousands of confidential Nintendo files” on his computer, but also “videos and images of minors engaged in sex.”

The judge presiding over the case also ordered Hernandez to register as a sex offender and recommended he be incarcerated at a federal prison for inmates with cognitive challenges, the AP reports. Hernandez must also pay around $260,000 in restitution to Nintendo for his actions.

Posts navigation

1 2 3 4 5
Scroll to top