We came across a phishing email that, while it looks much like one of the many marketing emails that flood your inbox, is cleverly enough disguised as a feedback survey from a trusted source that it is hooking victims. The attack leads to a credential harvesting site, and the phishing email was made to look like it was coming from a well known online food delivery company, Deliveroo.
You may be one of those people whose email box is always flooded with marketing messages, discount coupons, feedback surveys, and other spammy content. It becomes a blur of stuff, and often goes unread. That’s the reason phishing emails are rarely sent in the form of marketing messages. They are not as effective as other techniques.
However, this week we came across a phishing email that was more cleverly disguised as a feedback survey. The phishing email was made to look like it was coming from a well known online food delivery company, Deliveroo.
Let’s have a look:
This email looks like a typical marketing email from Deliveroo that requests user feedback on the service for improvements. In return for the feedback, the customer will receive a gift card. All the user has to do is rate how likely they are to recommend the service to a friend or family member by clicking a number from 0-10 on the scale provided below.
But this isn’t a legitimate Deliveroo email. It’s a phishing email in which clicking the number scale leads to an ominous path. Here is what happens after clicking:
This page contains a simple survey with four questions. After the user has answered all the questions and pressed “Finish” they will be sent to a malicious website.
After submitting the fake survey, the user is redirected to a different page that is actually a credential harvesting page. In this page, the user is asked to submit their billing details to claim the promised gift card. The billing details include credit card number, card expiration date, and CVV number. The site claims that the information is needed for authentication purposes.
Once the user submits these details, they are sent directly to the malicious actor.
There are quite a few steps before the credit card details are actually harvested, which limits how effective this technique can be. To begin with, many users won't even bother with the phishing email itself, as they'll likely see it as just another annoying marketing email. Some users might click the rating scale but, once they see that they still have to answer a bunch of questions, they might abandon the survey.
But it's a clever enough phish to hook a few victims.
Marketing emails may seem harmless, but when navigating the wild frontiers of the Internet you can never be too careful. This is a good example of an attack email that seems completely innocent but ends up stealing your credit card information.
Gift card rewards aren’t that rare in marketing emails but the way they are handed over to you is something you need to pay attention to. Never give out your credit card details in exchange for a gift card!
To spot a phishing email, pay attention to these red flags:
If you do come across some internet survey with a tempting reward that tickles your fancy but something seems off, contact the company first to make sure it’s legitimate.
Our Threat Analysis Team examines tens of thousands of reported phishing emails a week, including ones like these, and has captured tens of millions of threats to date. Working together with our powerful machine learning model, they cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more to learn how to equip your employees with the awareness training that will protect your company from phishing scams.