Akamai researchers have discovered a new phishing campaign that targets United States consumers with fake holiday offers, TechRadar reports. Fake landing pages created by the threat actors attempt to steal victims' credit card information.
Some of the biggest US brands are being impersonated in this campaign, including Dick's, Tumi, Delta Airlines, Sam's Club, Costco, and others. The landing pages direct users to a survey that promises some sort of prize upon completion. The surveys are pitched as taking only five minutes, using urgency to draw people's attention away from potential red flags.
At the end of the survey, users are told they have won and only need to pay for shipping to claim their prize. The shipping form is where the payment card details are captured, to be used by the attackers in whatever way they choose.
What makes this particular campaign unique is it uses a token-based system that allows it to fly under the radar and not get picked up by cybersecurity solutions. The system redirects each individual victim to a unique phishing landing page URL. The URLs change based on the victim's location, further allowing
The researchers at Akamai explain that the links to the phishing landing pages contain an anchor (#). The part of a URL after the # (the fragment) is normally used to let visitors jump to a specific section of a page, and the browser never sends it to the server. In this campaign the fragment is a token: JavaScript on the landing page reads it (via location.hash) and uses it to reconstruct the victim's real landing page URL.
"The values being after the HTML anchor will not be considered as HTTP parameters and will not be sent to the server, yet this value will be accessible by JavaScript code running on the victim's browser," the researchers said. "In the context of a phishing scam, the value placed after the HTML anchor might be ignored or overlooked when scanned by security products that are verifying whether it is malicious or not. This value will also be missed if viewed by a traffic inspection tool."
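The following is an added illustration of the mechanism the researchers describe; it is not Akamai's code and not the campaign's actual script. It shows that two links carrying different fragment tokens look identical to anything that only sees the HTTP request (server, proxy, URL scanner), while page-side JavaScript can still read the token and build a per-victim URL from it. The token format ("campaignId-victimId"), the /offer/ path layout and the sample links are hypothetical and constructed for the example.

```javascript
// Added example: URL fragments as phishing tokens. Not the campaign's code;
// the token format, path layout and sample links below are hypothetical.

// What a server, proxy or request-level URL scanner receives: host, path and
// query string only. The fragment (everything after '#') never leaves the browser.
function serverSideView(urlString) {
  const u = new URL(urlString);
  return u.hostname + u.pathname + u.search;
}

// What JavaScript running on the landing page can read. In a browser this is
// simply location.hash; here it is derived from a URL string so it runs offline.
function fragmentToken(urlString) {
  const hash = new URL(urlString).hash;
  return hash.startsWith('#') ? hash.slice(1) : hash;
}

// Hypothetical page-side reconstruction: the token selects a per-victim path.
// A real campaign could use any encoding; here the token is "<campaignId>-<victimId>".
function reconstructLandingUrl(urlString) {
  const token = fragmentToken(urlString);
  const m = /^([a-z0-9]+)-([a-z0-9]+)$/i.exec(token);
  if (!m) return null; // no valid token: the page stays a harmless-looking decoy
  const u = new URL(urlString);
  u.hash = ''; // the reconstructed URL carries the victim id in its path instead
  u.pathname = `/offer/${m[1]}/${m[2]}/`;
  return u.toString();
}

// For a traffic-inspection or URL-scanning tool: keep the fragment in the
// artefact that gets analysed instead of discarding it as a client-only detail.
function scannerView(urlString) {
  return {
    sent: serverSideView(urlString),
    fragment: fragmentToken(urlString),
    full: new URL(urlString).href,
  };
}

// Constructed sample links (not real campaign URLs).
const samples = [
  'https://example.com/holiday/?src=mail#c7k2-a9f3',
  'https://example.com/holiday/?src=mail#c7k2-b11e',
  'https://example.com/holiday/?src=mail',
];

for (const link of samples) {
  console.log(JSON.stringify(scannerView(link)),
    '->', reconstructLandingUrl(link));
}
```

The first two sample links produce the same serverSideView value, so a scanner keyed on what is transmitted sees one URL, while the page would send the two victims to different reconstructed paths. The practical check for an inspection pipeline is the one scannerView makes explicit: record and analyse the fragment alongside the transmitted part of the URL rather than dropping it.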
Security products that judge a link by what is sent to the server, such as URL scanners and traffic inspection tools, never see these tokens, which helps the cybercriminals stay under the radar. Security awareness training teaches users to be vigilant against these types of attacks, which may not otherwise be caught.