We see lots of phishing attempts for banking credentials. This is new entry to the lists. We normally see the traditional banks being used in this sort of phishing scam / identity theft in the UK on an almost hourly basis. I probably see 20 or 30 every day. However there are starting to be lots of people now using the new Fintech services, which are online only. There are hundreds of these new services and no one can keep up with them. Some of the names of these new services are completely weird and don’t sound like a bank at all. This one at least sounds like it has a financial element to it.
Personally I prefer an established bank that is less likely to have any problems, where your money is more secure, but many people are fed up with the bureaucracy and hassles of a traditional bank and are happy to use an online only service.
I had not heard of CashPlus before a user on my mail server received this during the night.
The same warning that applies to all emails alleging to be from a financial body applies here. All emails should be personally addressed by name, not Dear Member or similar. If it doesn’t have your name & correct email address in the to: line then immediately treat as suspicious.
They use email addresses and subjects that will entice a user to read the email and open the attachment.
You can now submit suspicious sites, emails and files via our Submissions system
Remember many email clients, especially on a mobile phone or tablet, only show the Name in the From: and not the bit in <domain.com >. That is why these scams and phishes work so well.
These are not sent from docs.net ( which is a Microsoft service, that doesn’t appear to have any SPF, DKIM Dmarc or any other email authentication set up to know whether it genuinely is from that service. ) Docs.net redirects to a Spanish language Microsoft Office 365 page. Even though docs.net does not normally send emails, it is “best practice” for all domains that might be spoofed to have a SPF, Dmarc & Dkim entry in DNS records to avoid the emails being seen as potentially innocent. Many Email Servers do block & reject SPF / DKIM / DMARC failures. But Most email servers are set to deliver email that comes from a domain with no apparent SPF or other authentication, because of network errors that have temporarily prevented SPF lookups. It is a very brave Mail Server Admin who takes the risk of essential email not being delivered from Microsoft, Gmail etc.
The email looks like:
From: Cashplus <email@example.com>
Date: Fri 11/01/2019 01:06
Subject: Essentials informations required
For your protection, Cashplus automatically alerts customers when there are changes on our systems. Therefore we are always committed to work hard 24/7 and provide you with our best, We upgrade our systems regularly to ensure constant access to our Online banking.
Due to recent system updates and security measures, We require all current cashplus holder’s to authenticate their online information. It is an essential step towards making our account holders safe and secure always,
Authenticate your information immediately.
Please Note: Failure to validate your account may lead to permanent loss of service to our online banking system.
If you follow the link you see a webpage looking like this: http://yadavelectricals.com/js/onlineservicing-cashplus/ ( which is a compromised Indian site )
After you input your email address and password, you are forwarded to an almost identical looking page asking for email, password & date of birth
Then you get a success page and are forwarded to the genuine cashplus site
We all get very blasé about phishing and think we know so much that we will never fall for a phishing attempt. Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information. It might be an email that says “you have won a prize” or “sign up to this website for discounts, prizes and special offers”
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Or whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.
|126.96.36.199||ns.infos.cz||Prostějov||Olomoucky kraj||CZ||AS29208 Dial Telecom, a.s.|
|188.8.131.52||46-33-113-216.infos.cz||Brodek||Olomoucky kraj||CZ||AS29208 Dial Telecom, a.s.|
eceived: from ns.infos.cz ([184.108.40.206]:38844) by my email server with esmtp (Exim 4.91) (envelope-from <firstname.lastname@example.org>) id 1ghlnm-0001Pf-2i for email@example.com; Fri, 11 Jan 2019 01:40:02 +0000 Received: from instance-3.us-east1-b.c.warm-calculus-225521.internal (46-33-113-216.infos.cz [220.127.116.11]) by ns.infos.cz (Postfix) with ESMTP id 3863E144261A; Fri, 11 Jan 2019 02:06:33 +0100 (CET) Content-Type: multipart/alternative; boundary="===============0203780239==" MIME-Version: 1.0 Subject: Essentials informations required To: Recipients <firstname.lastname@example.org> From: "Cashplus" <email@example.com> Date: Fri, 11 Jan 2019 01:06:29 +0000 X-Infos-MailScanner-ID: 3863E144261A.A898C X-Infos-MailScanner: Found to be clean X-Infos-MailScanner-SpamScore: ss X-Infos-MailScanner-From: firstname.lastname@example.org