I'll be taking a closer, somewhat jaundiced look at 2013 in terms of email scams in an ESET blog scheduled to appear on January 6, 2014, but here's a phishing scam that crossed my radar in the last few days. (Actually, I have two samples, identical except for the sender address and the malicious links.)

Unfortunately, I was away from home and not monitoring that email account for a few days. By the time you read this, the December 31 deadline used to pressure the victim into clicking on the link immediately will be all but gone, so this article isn't going to save many people from this particular scam. Nonetheless, it has an interesting but disturbing twist.

I've written before about a variation on this theme, where the scammer uses a 'something-for-nothing' type of bait by offering shopping vouchers. Here's that particular scam message again, just for comparison.

Dear Valued Customer,

NatWest is giving out free shopping vouchers for your favorites stores for Christmas.

This offer is only for NatWest Credit Card Online Services users and it will be valid to use until the 31st of December, 2013

To Qualify for this opportunity, Kindly Click here now.

After validation your voucher will be sent via text message or posted to your Mailbox.

Yours Sincerely,
NatWest Credit Card Services.

The example below - with the subject header "Free Tesco Vouchers for Christmas." - is a little more sophisticated. For a start, it has the festive Tesco Bank logo currently in use, complete with Google-ish party hat on the 'O'. And since TESCO is probably better known for its supermarkets than for its banking and insurance services, even to people who never use it, it's rather more credible that the bank might be offering vouchers for Tesco stores, rather than the vague and ungrammatical 'your favorites stores'.

We should bear in mind, though, that it would have been just as easy for the 'NatWest' scammers to name well-known stores. How many potential victims would have taken time out to check from an independent source on whether Walmart or Sainsbury had an agreement with NatWest to supply customers with vouchers, before diving in and clicking on the phishing links?

[Image: Tesco logo]

Dear Valued Customer,

Tesco Bank is giving you a chance to shop for free at any of our tesco outlets or online by giving out free tesco vouchers for Christmas.

This offer is only for Tesco Credit Card and Tesco Savings/Loan owners and it will be valid to use until the 31st of December,2013.

SAVINGS OR LOAN CUSTOMER CLICK THE LINK BELOW

Savings/Loan Click here to Claim

CREDIT CARD CUSTOMER CLICK THE LINK BELOW

Credit Card Click here to Claim

After validation your voucher will be sent via text message or posted to your Mailbox.

Tesco Personal Finance Online Service

There are, of course, still clear scam indicators here. As is common with phishing messages, the scammer didn't bother to set up different links for the two classes of TESCO customer being targeted. (That doesn't mean that if the links are different the message is genuine, though.) The sender address isn't exactly convincing: Tesco.com [info@tes.mobi]. And, of course, there's no personalization: no bank or service provider should ever expect you to link to anything in their message if they don't even give you your name and a customer ID of some sort.
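The three indicators just described (a sender display name that looks like a domain but doesn't match the real address, differently labelled links that lead to the same place, and a generic salutation) can be checked mechanically. The Python below is an added example, not part of the original article or of any ESET product; the function and class names are hypothetical, and the sample message is constructed from the one above with a placeholder link host.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample modelled on the message above; phish.example is a placeholder.
SAMPLE = """\
From: "Tesco.com" <info@tes.mobi>
Subject: Free Tesco Vouchers for Christmas.

<p>Dear Valued Customer,</p>
<a href="http://phish.example/claim">Savings/Loan Click here to Claim</a>
<a href="http://phish.example/claim">Credit Card Click here to Claim</a>
"""

class LinkCollector(HTMLParser):  # gathers (href, anchor text) pairs
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def scam_indicators(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    body, found = msg.get_payload(), []
    # 1. Display name is written as a domain, but mail comes from another one.
    shown, real = display.lower(), addr.rpartition("@")[2].lower()
    if re.fullmatch(r"[\w-]+(\.[\w-]+)+", shown) and real != shown \
            and not real.endswith("." + shown):
        found.append("display-name-domain-mismatch")
    # 2. Links aimed at different customer classes share a single URL.
    collector, labels = LinkCollector(), {}
    collector.feed(body)
    for href, text in collector.links:
        labels.setdefault(href, set()).add(text)
    if any(len(texts) > 1 for texts in labels.values()):
        found.append("distinct-labels-same-url")
    # 3. No personalization: generic salutation instead of a name or ID.
    if re.search(r"dear\s+(valued\s+)?customer", body, re.I):
        found.append("generic-salutation")
    return found
```

As the article notes for the link check, a message that trips none of these is not thereby genuine; the checks only raise suspicion, they never clear a message.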

But here's what worries me particularly about this approach. Most bank phishing messages come in waves or campaigns. The scammers keep sending out material that falls into one of the same set of social engineering categories that I've discussed before, and while they want you to respond immediately (before you have time to think about it, and before the link disappears because security researchers have found it and taken action), the content isn't particularly topical. This one, however, resembles the sort of topical approach we associate with other kinds of malicious activity (botnets, fake AV, charity/disaster relief scams and so on) where social engineering is based on a current seasonal event (Xmas, Valentine's Day, Cyber Monday) or news item (real or fake).

There may not be much scope for a banking tie-in with the latest celebrity idiocy, but there is certainly scope for a pseudo-marketing tie-in with other kinds of happening. I have to wonder whether this is an indication that some bank phishers are starting to look at raising their game as potential victims become more security-aware.

David Harley
ESET Senior Research Fellow