Security tools fooled
The phishing message itself is relatively easy to recognize as malicious, as the full e-mail address does not include any version of EE’s brand name. This makes it all the more worrying that high-end business security solutions still fail to recognize these schemes. The message itself includes a vague statement about an error that is being fixed, and a few links to ‘login now’ and to ‘view billing’. These links, of course, lead to a phishing page on which users have to fill in their credentials. The criminal(s) hope to gain the trust of their victims by using the HTTPS protocol. In this case, they even used SSL certificates for the phishing page, which strengthens the illusion of safety even further.
Financial information
After ‘logging in’, users have to provide financial information from their credit cards. What will happen after that doesn’t need any explanation. What is interesting is that the criminals behind this phishing campaign have built in some features that lower suspicion. For example, before victims start filling out their financial information, a notification pops up that says “You will not be charged”. After that, the page redirects users to the actual, legitimate EE website; specifically, its login page appears. This is a common tactic in many phishing campaigns: it gives users the impression that their session had merely timed out. In that way, the cybercriminals can lull victims into a false sense of security, after which they might think that they can get on with their day.
Indicators
Even though the message slipped past high-end solutions from Symantec and Microsoft, the e-mail contained several indicators that pointed to phishing. Apart from the absence of EE’s brand name from the message, the error that was allegedly being fixed was not specified anywhere. EE’s registered office address was not correct either: in the footer of the e-mail, the cybercriminals used a fake office address somewhere in the UK. Users of Symantec or Microsoft 365 EOP should be alert, as their filters might not recognize this as a phishing campaign. Giving their credentials to phishers could lead to financial losses or data leaks.