As part of our ‘Off the Hook’ series, we report on emerging threats we come across. Recently, Santander scams have been hitting email inboxes hard. If you follow the threat landscape, you know that Santander has been a popular subject for phishing attacks and campaigns. Even our threat analyst team members have been raising their eyebrows over the extremely well-crafted Santander phishing emails that we are about to show you.
Banking phishing attacks are almost always designed to raise fear and make you feel that you need to take urgent action. Often, these phishing emails relate to unauthorized use of your bank account. Any one of us would get a bit stressed, with a rising heart rate, reading that.
Now, let’s take a look at our examples.
“We suspect an unauthorized activity on your online banking account. Click here and verify your account”
The emails we show you below were all sent from sendgrid.net. Sendgrid is a popular email platform used mainly for marketing - and phishing. Hackers can easily send emails using Sendgrid in the name of anyone to a massive group of people.
In our example, all of the sender addresses end with @your.santander.co.uk. Using this domain makes the emails look extremely real, and many could believe that the message actually came from the bank, especially because the address is a copy of Santander’s real domain. The emails were actually sent from sendgrid.net, however, and spoofing detection (such as SPF, DKIM, DMARC) fails to authenticate them.
Usually, spoofing detection solutions are not easily available in typical email clients and discovery may require reading the email source information.
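Reading the email source for these signals can be scripted. The following is an added example, not part of the original post: it parses a constructed message source, reads the SPF, DKIM and DMARC results from the `Authentication-Results` header, and compares the visible From domain with the envelope sender. The host `mx.example.net` and all header values are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: authserv-id your own receiving mail server stamps on inbound mail.
TRUSTED_AUTHSERV = "mx.example.net"

# Constructed sample of an email source (illustrative values, not a real message).
SAMPLE_SOURCE = """\
Return-Path: <bounces+12345@sendgrid.net>
Authentication-Results: mx.example.net;
 spf=fail smtp.mailfrom=sendgrid.net;
 dkim=none;
 dmarc=fail header.from=your.santander.co.uk
From: "Santander" <alerts@your.santander.co.uk>
To: user@example.net
Subject: We suspect an unauthorized activity on your online banking account

Click here and verify your account
"""

def domain_of(header_value):
    """Lower-cased domain of the address in a header value, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def auth_verdicts(msg, trusted=TRUSTED_AUTHSERV):
    """Read spf/dkim/dmarc results, ignoring headers not stamped by our server
    (a sender can insert forged Authentication-Results headers of its own)."""
    verdicts = {"spf": "missing", "dkim": "missing", "dmarc": "missing"}
    for value in msg.get_all("Authentication-Results", []):
        if value.split(";")[0].strip().lower() != trusted:
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts

def check_source(raw, trusted=TRUSTED_AUTHSERV):
    """Summarise why a message's visible From address should not be trusted."""
    msg = message_from_string(raw)
    from_dom, path_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    verdicts = auth_verdicts(msg, trusted)
    reasons = [f"{m}={r}" for m, r in verdicts.items() if r != "pass"]
    # Simplified alignment test: envelope sender is the From domain or its parent.
    if from_dom != path_dom and not from_dom.endswith("." + path_dom):
        reasons.append(f"From {from_dom} but envelope sender {path_dom}")
    return {"from_domain": from_dom, "return_path_domain": path_dom,
            "auth": verdicts, "reasons": reasons, "suspicious": bool(reasons)}

if __name__ == "__main__":
    print(check_source(SAMPLE_SOURCE))
```

A differing envelope sender alone is common for legitimate mail sent through an email platform, so the authentication verdicts are the stronger signal.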
The images are screenshots from real threats. Once the victim clicked the link in the email, they were redirected to a page that looks like a webpage from Santander. All of the above images are from phishing emails that had a similar landing page behind the links.
All the pages were quite precise copies of the real Santander webpage. They look extremely real: you can log in with a personal, business, or corporate ID.
The best way to tell that these pages are not the real Santander site is to look at the URL: ‘softkenya.net’. That doesn’t sound like something that belongs to Santander, does it?
Another Santander-related phishing attack gently reminds you that you have enough “Santander points” to buy a TV, smartphone, or even a refrigerator. However, the points are expiring soon, so you’d better hurry!
This attack type is not new, though – social engineers often play with people’s emotions. They want people to desire something enough that they forget about being careful and, in their haste, give away their credentials without thinking clearly. Remember to always be suspicious when something sounds too good to be true!
We’ll be back soon with more interesting findings from our Threat Analysts! Stay tuned!