Researchers have discovered a sophisticated phishing campaign that costs millions of people around the world more than $80 million per month in total.
The campaign, according to security firm Group-IB, targets consumers in over 90 countries, including the United States, Canada, South Korea, and Italy. It sends out bogus surveys and giveaways that appear to come from well-known companies in order to acquire victims' personal and financial information.
According to the firm, a single network targets over 10 million victims and 120 companies.
Fraudsters lure their victims in by sending out invitations to participate in a survey in exchange for a prize. Each of these offers includes a link to the survey's website. Threat actors use the full range of accepted digital marketing methods for 'lead generation,' including contextual advertising, advertising on legal and fully illegal sites, SMS, and mail-outs.
To gain their victims' trust, scammers register domain names that are similar to the legitimate ones. Less frequently, they were also seen adding links to calendars and social media posts. After clicking the targeted link, the user is subjected to traffic cloaking, a technique that lets cybercriminals show different content to different users based on user attributes.
While the victim is being redirected to this 'branded survey,' information about their visit is gathered and used to personalize a final malicious link that can only be opened once, which makes the scam more difficult to detect and shut down.
At the end of the process, the user is asked to answer questions in order to get a reward from a well-known brand and to fill out a form that requests their personal information, which is supposedly required to receive the prize.
Full name, email, postal address, phone number, and bank card details, including expiration date and CVV, are normally required.
Dmitriy Tiunkin, the vendor's head of digital risk protection in Europe, called the current situation a "scamdemic."
The firm discovered 60 separate networks, each with over 70 domain names, running similar targeted-link schemes.
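The look-alike domain registrations described above can be screened for when a brand owner reviews newly observed domains. The sketch below is an added example, not part of the original article or Group-IB's tooling; the brand names, sample domains, character-swap table, and one-edit threshold are constructed assumptions.

```python
import re

# Constructed sample data: the brands and domains below are hypothetical.
BRANDS = {"examplebank": "examplebank.com", "shopmart": "shopmart.com"}
# Digit-for-letter swaps that are folded away before comparison.
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def fold(name: str) -> str:
    """Collapse common look-alike characters ('1' for 'l', 'rn' for 'm')."""
    return name.translate(SWAPS).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str):
    """Return (brand, reason) when a domain imitates a brand, else None."""
    domain = domain.lower().rstrip(".")
    for own in BRANDS.values():
        if domain == own or domain.endswith("." + own):
            return None  # the brand's own domain or one of its subdomains
    labels = domain.split(".")
    # Assumption: single-label TLD. Real monitoring should use the Public Suffix List.
    name = labels[-2] if len(labels) > 1 else labels[0]
    tokens = set(re.split(r"[-_]", name)) | set(labels[:-2])
    for brand in BRANDS:
        if name == brand:
            return brand, "same name, different TLD"
        if fold(name) == fold(brand):
            return brand, "character substitution"
        if edit_distance(fold(name), fold(brand)) <= 1:
            return brand, "one-character typo"
        if brand in tokens:
            return brand, "brand name embedded"
    return None


def scan(domains):
    """Map each suspicious domain to its (brand, reason) finding."""
    return {d: hit for d in domains if (hit := classify(d))}
```

Feeding `scan()` a list of newly seen domains returns only the ones that resemble a protected brand, together with the reason each was flagged.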
Four Steps To Protect Yourself From Phishing
1. Use security software to keep your computer safe. Set the software to automatically update so that it can handle any new security threats.
2. Set your phone's software to update automatically to keep it safe. These updates may provide you with vital security protection.
3. Multi-factor authentication is a good way to keep your accounts safe. Some accounts provide additional security by requiring two or more credentials to log in. This is called multi-factor authentication. The additional credentials you'll need to log in to your account fall into two types:
Something you have — like a passcode you get via an authentication app or a security key.
Something you are — like a scan of your fingerprint, your retina, or your face.
If scammers do gain your login and password, multi-factor authentication makes it more difficult for them to log in to your accounts.
4. Back up your data to keep it safe. Make a backup of your data and make sure the backup isn't connected to your home network. Your PC files can be copied to an external hard drive or cloud storage. Back up your phone's data as well.
How To Report Phishing
If you got a phishing email or text message, report it. The information you give can help fight the scammers.
Step 1. If you got a phishing email, forward it to the Anti-Phishing Working Group at email@example.com. If you got a phishing text message, forward it to SPAM (7726).
Step 2. Report the phishing attack to the FTC at ReportFraud.ftc.gov.