Recent Posts

Recent Blog Posts

The PhishLabs Blog

“Please Try Again” – Trending Tactics in Phishing

Posted by Don Jackson, Director of Threat Intelligence on Sep 12, '14
Find me on:

Have you ever received this message when logging into an account? Chances are you have and you likely  blamed the “error” on yourself. What did you do next? You probably carefully typed each letter of your password to ensure accuracy. After reading this post, we hope you will think twice about the next request to “please try again.”

With an increase in phishing activity (APWG recently reported a 10.7 percent increase), also comes evolving tactics of deceit. In the past month, PhishLabs' R.A.I.D. (Research, Intelligence, and Analysis Division) observed the rise of intentional errors into scammers' playbooks.

Password Error Message Baits Victims

A recently observed tactic on phishing sites is to ask the user to try the password again, regardless of how accurate the data originally entered by the victim into the phishing page's form fields.

In one observed case, an error message was displayed telling the user that "the username and/or password was incorrect," as if authentication to the real online service being impersonated had failed, and to please try entering the information again. This does two things. First, it adds to the illusion that the phishing site is legitimate. Second, it improves the quality of the stolen data by increasing the odds of capturing correct credentials. Incorrect_Login_Figure_1Figure 1: Example of an "initial refusal" phishing tactic ("One or more of the codes you entered is incorrect") 

Please Re-Enter Information

In another case, a scammer offered paid online video chat sessions, with a five-minute preview for the low price of €1 (about USD $1.32). For making payment, the scammer sent customers to an initial phishing page that kept producing an error (by design). After encouraging a customer to try several more times, the scammer gave an excuse: “the account may only be usable with an affiliated, co-branded payment service.” Then the frustrated "client" was sent a link to another phishing page in which the victim promptly entered all of the payment information.

After the victim's information was sent off to the scammers to authorize a much higher payment to themselves, a fake "payment authorized" message for the small token amount appeared, but the chat session was soon disconnected due to "technical difficulties." 

The phishing pages used in this case were hosted on an online web form creation service offering a secure connection via SSL/TLS (https). The browser's security indicators -- padlocks or special shading in the URL bar, for example -- and lack of any security warnings may have helped convince the victim that the information was being entered into a legitimate site.Please_Try_Again_Blog_Post_Figure_2Figure 2: The phishing form used for frustrated pay-to-chat clients, hosted on a legitimate SSL/TLS secured service

Welcome Back! Personalized URLs

PhishLabs' R.A.I.D. observed two tactics used to prepopulated form fields with personal information known about the intended recipient of spam phishing email, used in hopes of increasing success rates for phishers by convincing potential victims that they were visiting a legitimate site where they had previously logged in.

The spam emailer script or tool must know the email address, and one tactic puts this in the URL, creating a unique personalized URL for each intended victim's visit to the phisher's site. Example URLs using this tactic look like: 

  • http://example.com/bebe/dontphishmebro@phishlabs.com%0d%0a/axa
  • http://example.com/bebe/dontphishmebro@phishlabs.com/axa
  • http://example.com/bebe/dontphishmebro@phishlabs.com%0A/axa 

The name can be very useful in personalizing the lure -- typically the email message, but could also be an SMS text message or post on a social media service, for example. However, it also makes for a very convincing phishing or landing page. Here's a staged example based on an actual case:  

Welcome_Back_Image2
Figure 3: Staged example of landing page personalization and form field prepopulation based on URL parameters

Prepopulating the password field imitates the behavior of a browser that's been configured to store passwords for some websites. The password is just a fixed string, not the actual password of course, because that's what the phisher's are after. This password tactic isn't always used, but when it is, it's practically always in conjunction with the "initial refusal" tactic described previously.

Phishers continue to hone their craft, adopting practices to increase the odds of stealing credentials that can be used to carry out fraud. The trends mentioned above highlight some of the ways that cybercriminals are meticulously constructing campaigns to incorporate new tactics of deception. Organizations must fight back against malicious cyber activity rather than passively waiting for an attack.

For an in-depth discussion on how to fight back against phishing scams read this whitepaper.

Read the White Paper

Topics: Phishing, Fraud, Hacker Tools, Account Takeover

What's this all about?

The PhishLabs Blog is where we share our insights and thoughts on cybercrime and online fraud.

Recent Posts

Subscribe to Email Updates

Posts by Topic

see all