April 8, 2019

Doctor Web warns: hackers use newsletter subscription forms to spread links to a phishing website on behalf of famous international companies. Emails sent from official addresses seem trustworthy both to the receiver and spam-filters, increasing the number of potential victims.

Recently several Russian users received phishing emails from well-known international companies such as Audi, Austrian Airlines and S-Bahn Berlin. Those emails were sent from official company addresses and didn’t raise any suspicions. The header and the email itself are written in English or German; but the letter begins with words in Russian saying “money for you”.

At the beginning of the email, a link leads users to the hacked page of a dating website. Then due to malicious code embedded into the website’s stub page users are redirected through several other websites to a phishing one.

Once there, victims see a message saying that their email address won a chance to participate in the international promo called “The lucky e-mail”. If victims agree to participate, they must complete a survey in order to receive the prize money ranging from 10 to 3000 EUR. To increase creditability, the website’s developers added comments from people who allegedly received the prize, including comments from people not satisfied with the size of the reward.

After a few survey questions, the website displays information about the promo, reward size, and withdrawal conditions. One condition is that the winner must pay a commission for exchanging EUR to RUB.

To pay the commission, victims are redirected to a fake payment page where they are supposed to enter their credit card information. Once complete, victims are asked to provide the verification code sent by SMS. When all the steps are completed, the victim’s bank account is debited and their credit card data is left to the hackers. Additionally, no funds are credited to the victim’s bank account.

What’s interesting is how the hackers send the phishing emails. They use official email newsletter signup forms on company websites. Special symbols are allowed in the forms, so it’s possible to send malicious links via official company newsletters. To do this, hackers fill in the “Name” field with words like “Money for you” and the “Last name” with a link to the phishing website. As a result, victims receive an email from the official company address, asking them to confirm the subscription.

Doctor Web researchers recommend using caution when opening links in any emails and not to leave any personal information on suspicious websites.