12 March 20, 17:03
Quote:
TDC A/S Clients Targeted by Fake Sweepstakes, IP-driven Phishing Campaign
Heimdal™ Security’s Incident Investigation and Response Department has recently unearthed a new type of phishing campaign that randomly targets TDC customers. The forensic analysis performed on malicious samples retrieved from an anonymous client revealed that the perpetrator(s) lured in TDC clients by offering various high-value prizes. Coined the TDC Phishing Campaign, it has so far been successful at avoiding detection nets by disguising itself as a seemingly legitimate Google Ad.
Overview
The investigation (ongoing) has identified that the perpetrator is using a ‘rogue’ domain to send illegitimate ‘sponsored’ ads to TDC customers. No discernible pattern has been identified so far.
However, based on the available information, we have inferred that the malicious actor(s) could have gained access, through fraudulent means, to a TDC database and begun sending fake ads to clients that have signed up with the Danish ISP in a one-year timeframe.
With regard to the dissemination vector, Heimdal™ Security has discovered that the fraudulent ads originate from a Hong Kong-registered domain (in accordance with intel retrieved from Whois):
The malignant, Hong Kong-based domain, which is registered under a fictitious company, appears to have been created three days prior to the discovery of the first fraudulent pushed ad. From the intelligence we have gathered, there’s no evidence to suggest financial losses for TDC customers.
In analyzing the TDC Phishing Campaign, we have discovered that the potential victims were lured in with fake prizes consisting of high-end electronics: iPhone XS, Apple Watch or iPhone 11 Pro.
Allegedly, these prizes were offered either on a fidelity basis or as part of a fake TDC anniversary which, according to the ‘official’ version, should last for the next seven days (from March the 8th until the 15th). Only 10 winners are selected from a list of thousands. The winners’ IPs are drawn from what we believed to be a TDC database, extracted through fraudulent means.
TDC Phishing Campaign: An In-depth Analysis
Outlined here are the findings in the case of the emergent phishing campaign.
The ad doesn’t have a pre-established point of origin: it can activate itself while using social media, doing online shopping or surfing the Internet. Upon click or tap action, the user is redirected to a domain that is allegedly owned or associated with TDC. Once the page loads, the user is greeted with the following message:
Quote: Dear TDC Customer, congratulations!
TDC celebrates its anniversary over the next 7 days (March 8 -> March 15) as a thank you for your loyalty to us as Internet Providers. We will select 10 lucky users each day as winners of an exclusive gift from us, including a free Apple iPhone Xs, iPhone 11 Pro, or an Apple Watch as a teen thank you for being our customer.
And your IP address xx.xxx.xxx.xxxx has been extracted. All you have to do is answer our anonymous questionnaire below to win your prize. Hurry up! 8 customers have received this invitation and there are only 2 prizes left.
Congratulations! Choose your gift.
Due to the limited stock, your premium is reserved for the next 2:45. You will need to take it now, otherwise, we will offer it to the nearest TDC customer. Fill in the correct information so we can arrange fast and secure shipping of your Free iPhone 11 Pro!
(Translated from Danish)
The message body is crafted so as to imitate TDC or a partner: the user’s IP, the overall design, and even a dedicated (and fake) customer reviews section that reinforces the illusion.
...
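As an added, defender-side illustration (not from the article or the forum post): a small Python scorer that checks a landing page's text for the lure traits the write-up describes (the visitor's own IP echoed back, a countdown, a scarcity claim, prize bait, the impersonated brand) and flags a domain registered only days before it was seen. The lure text, the client IP and the dates are constructed sample inputs; the thresholds are assumptions.

```python
import re
from datetime import date
from typing import List, Tuple

# Constructed sample: the lure wording quoted in the write-up, with a constructed
# visitor address (TEST-NET-3 range) standing in for the "extracted" IP.
CLIENT_IP = "203.0.113.17"
LURE_TEXT = (
    "Dear TDC Customer, congratulations! TDC celebrates its anniversary over the next "
    "7 days (March 8 -> March 15). We will select 10 lucky users each day as winners of "
    "an exclusive gift from us, including a free Apple iPhone Xs, iPhone 11 Pro, or an "
    "Apple Watch. And your IP address 203.0.113.17 has been extracted. Hurry up! 8 "
    "customers have received this invitation and there are only 2 prizes left. Due to "
    "the limited stock, your premium is reserved for the next 2:45."
)

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

INDICATORS = {
    # The page echoes the visitor's own address back to look like it "knows" them.
    "echoes_visitor_ip": lambda text, ip: ip in IPV4.findall(text),
    # A short mm:ss countdown pressuring the visitor to act immediately.
    "countdown_timer": lambda text, ip: re.search(r"\b\d{1,2}:\d{2}\b", text) is not None,
    # Artificial scarcity: "only N prizes left".
    "scarcity_claim": lambda text, ip: re.search(r"only \d+ \w+ left", text, re.I) is not None,
    # High-value prize bait (hardware or "free").
    "prize_bait": lambda text, ip: re.search(r"iphone|apple watch|\bfree\b", text, re.I) is not None,
    # The impersonated brand named in the body.
    "brand_mention": lambda text, ip: re.search(r"\bTDC\b", text) is not None,
}


def lure_indicators(text: str, visitor_ip: str) -> List[str]:
    """Names of the lure indicators present in a landing page's visible text."""
    return [name for name, check in INDICATORS.items() if check(text, visitor_ip)]


def domain_age_days(created: date, observed: date) -> int:
    """Days between a domain's registration date and the date the page was seen."""
    return (observed - created).days


def assess(text: str, visitor_ip: str, created: date, observed: date,
           max_age_days: int = 30, min_hits: int = 3) -> Tuple[str, List[str]]:
    """Combine text indicators with domain age; thresholds are assumed, not from the page."""
    hits = lure_indicators(text, visitor_ip)
    if domain_age_days(created, observed) <= max_age_days:
        hits.append("newly_registered_domain")
    verdict = "likely_phish" if len(hits) >= min_hits else "inconclusive"
    return verdict, hits
```

In the write-up the rogue domain was created three days before the first ad was seen, so a run such as `assess(LURE_TEXT, CLIENT_IP, date(2020, 3, 5), date(2020, 3, 8))` trips every indicator.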