Links to a fresh set of "road toll" scam websites were pushed out by SMS today, targeting people with mobile phones in #Colorado area codes. The messages tell the recipient that they owe back tolls for driving on a highway in Colorado and purport to link to the Colorado DMV website. The page that loads accurately mimics the Colorado Department of Revenue website appearance, and claims you owe $6.69 in tolls. Needless to say, this is fake. Spread the word: Tolls are not collected directly via SMS message.

This is a continuation of an ongoing, Russia-originated campaign that has been targeting specific states and regions for the past year. I blogged about it in October for @Netcraft - we gave the threat actor the moniker Logger EIO. https://www.netcraft.com/blog/taxpayers-drivers-targeted-in-refund-and-road-toll-smishing-scams

#smishing #phishing #colorado #CODOR #CODMV #DMV #scam #fraud #roadtoll #tollroad #tollscam #LoggerEIO

And I just wanted to give a quick shoutout to our engineering team for noticing this bizarre trick that all of the #phishing pages do that we connect to this #LoggerEIO group.

The phishing kit in use has several pages that the victims are expected to click through. As one enters information onto the first page, then clicks a Continue button, the browser initiates a WebSocket connection with the server, and transmits the data inside of that WebSocket connection.

It isn't exactly encryption, but more obfuscation: The compression, while reversible, does have the effect of obfuscating the content of the exfiltrated data. That little bit of effort might prevent a Data Loss Prevention (DLP) tool from recognizing outbound sensitive data before it's too late.

And the reason we call them #LoggerEIO is because all of the sites that Netcraft connects to this campaign do this on the same URI string: The page makes a connection to the path /logger/?EIO=4&transport=websocket in its GET request - only when the victim sends the data.

/6

#smishing #phishing #NetcraftConfirmsIt #Netcraft #threatresearch #WebSocket
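The post above names the one request that ties these kits together: a GET to `/logger/?EIO=4&transport=websocket` made only at the moment the victim submits the form. As an added example (my own defender-side illustration, not code from Netcraft or from the kit itself), the following scans proxy log lines for that request. The log format, hostnames and client addresses are constructed for the example; only the URI string comes from the thread. One caveat baked into the check: the `EIO=4&transport=websocket` query is the ordinary Engine.IO (Socket.IO) handshake that plenty of legitimate web apps use, normally under `/socket.io/`, so the `/logger/` path is the part that actually discriminates, and the query is matched loosely (extra parameters such as a session id are tolerated).

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample proxy log (not real traffic). Fields, space separated:
# timestamp client method url upgrade=<header-or-dash> status
SAMPLE_LOG = """\
2024-10-03T14:02:11Z 10.1.2.3 GET https://legit-app.test/socket.io/?EIO=4&transport=websocket upgrade=websocket 101
2024-10-03T14:02:19Z 10.1.2.3 GET https://legit-app.test/static/app.js upgrade=- 200
2024-10-03T14:05:40Z 10.1.2.7 GET https://toll-lure.example/logger/?EIO=4&transport=websocket upgrade=websocket 101
2024-10-03T14:05:41Z 10.1.2.7 POST https://toll-lure.example/continue upgrade=- 200
2024-10-03T14:06:02Z 10.1.2.9 GET https://refund-lure.example/logger/?EIO=4&transport=websocket&sid=abc123 upgrade=websocket 101
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) upgrade=(\S+) (\d{3})$")


@dataclass
class LogEntry:
    timestamp: str
    client: str
    method: str
    url: str
    upgrade: Optional[str]  # None when the request carried no Upgrade header
    status: int


@dataclass
class Finding:
    timestamp: str
    client: str
    host: str
    url: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one line of the constructed log format; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, upgrade, status = m.groups()
    return LogEntry(ts, client, method, url, None if upgrade == "-" else upgrade, int(status))


def is_logger_eio(url: str) -> bool:
    """True when the URL is the /logger/ Engine.IO websocket handshake described in the thread.

    The path must be exactly /logger/ (case-insensitive); the query must carry an EIO
    version and transport=websocket. Additional query parameters are allowed, since
    Engine.IO clients append things like a session id on reconnect.
    """
    parts = urlsplit(url)
    if parts.path.lower() != "/logger/":
        return False
    qs = parse_qs(parts.query)
    return "EIO" in qs and qs.get("transport") == ["websocket"]


def scan(log_text: str) -> List[Finding]:
    """Return one Finding per GET request whose URL matches the LoggerEIO handshake.

    The Upgrade header is deliberately not required: a proxy that strips or does not
    log it would otherwise hide the request, and the URI alone is the indicator here.
    """
    findings: List[Finding] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry.method != "GET":
            continue
        if is_logger_eio(entry.url):
            host = urlsplit(entry.url).hostname or ""
            findings.append(Finding(entry.timestamp, entry.client, host, entry.url))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp} client={f.client} host={f.host} -> LoggerEIO exfil handshake")
```

Run against the sample, only the two `/logger/` requests are reported; the `/socket.io/` handshake from the legitimate app is left alone. In a real deployment the hit is a starting point for triage (which host, which user, what was typed into the form a second earlier), and the host list would feed the usual blocking and takedown workflow rather than being treated as proof on its own.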

Germany was not the only non-US country represented in the #LoggerEIO #smishing attack (so far).

There was one version of a page claiming to be the Spanish highway authority, Dirección General del Tráfico (DGT), that warns you owe a 100 Euro fine (multa) for some kind of driving infraction you committed, that must be paid within 24 hours.

More recently, I spotted a flood of pages that claim to be from the UK government's Winter Fuel Payment program. The real program helps impoverished people not freeze to death in winter by subsidizing the high cost of heating. But this page simply wants your credit card to "test" charge your card for £1 on the promise that you'll get up to £300.

/5

#smishing #phishing #roadtoll #HighwayRobbery #WinterFuelPayment #UK #spain #espana #Netcraft #NetcraftConfirmsIt #NetcraftResearch #Germany

Having recently returned from a trip to #Germany, where I spoke at #VirusBulletin, I have become more familiar with the appearance of some German government operated websites.

The Bundeszentralamt für Steuern (or BZSt), Germany's federal tax authority, is also represented in these #TaxScam #phishing pages.

Bizarrely, #LoggerEIO have decided to clone the template of one of the US-themed versions of the #smishing page which prominently features a banner image of a US form #1040 #tax return, and the corner of a $20 bill, neither of which (I suspect) the #BZSt use for tax filing in that country.

Whoopsie! Or, as my German friends might say, Hoppla!

/4

#smishing #phishing #netcraft #NetcraftConfirmsIt #Oops

In this #scam, the #smishing message informs you that you are owed a reimbursement or refund on overpaid state taxes. The #LoggerEIO group seems to have latched on to the idea of using individual states as the lure, rather than the federal #IRS, which is an interesting choice.

In the pages I looked at, the following states were represented with custom #phishing pages that use the same stylesheet, color scheme, and logos of the state tax agency they're impersonating.

Targeted states include Alabama, California, Connecticut, Delaware, Florida, Maryland, Massachusetts, Michigan, Minnesota, Montana, New Jersey, New York, Ohio, Texas, Tennessee, Washington, and Wisconsin.

/3

#smishing #netcraft #NetcraftConfirmsIt #taxrefund #taxrefundscam

Happy Thursday! I'm celebrating the publication of my first blog post at @Netcraft as Principal Threat Researcher with a story about...#smishing for tax refunds.

Since the beginning of last month, a threat actor we're calling #LoggerEIO began registering domains for use in #phishing attacks.

They're now up to more than 850 domains registered, with thousands of websites in use (using a variety of subdomains) that dangle the prospect of a refund of state income tax overpayments as a lure.

Here's a quick 🧵 about it.

https://www.netcraft.com/blog/taxpayers-drivers-targeted-in-refund-and-road-toll-smishing-scams

#ThreatResearch #NetcraftConfirmsIt #Netcraft

Tax Refund & Road Toll Smishing Scams Surge Ahead of IRS Deadline

Threat actors deployed over 850 fake tax and toll websites to steal personal and financial data from U.S. and international victims. Netcraft uncovers the latest smishing campaign targeting taxpayers and drivers ahead of the October 15 IRS extension deadline.