Virgin Media Impersonator Sends Fake Security Update to Steal Login Credentials
In this phishing attack, cybercriminals impersonate Virgin Media and send targets a fake notification about their email security settings. The message is sent from an iCloud address, which helps it slip past basic email filters, and claims that the recipient's email security settings are outdated and must be updated immediately to keep access to the account. Recipients are told to click a link that leads to a page hosted on campsite[.]bio, styled to resemble Virgin Media's official site. The page prominently displays the Virgin Media logo, lending it credibility, and includes a button labeled "Click Here to Continue." Clicking that button redirects the recipient to a malicious login portal where the attackers harvest email credentials. The attack trades on the urgency of security updates, a common theme in genuine service communications, to push recipients into acting before verifying the email's legitimacy. Professional branding and the use of a well-known platform such as campsite[.]bio add to the illusion of authenticity and increase the likelihood of success.
Older, legacy email security tools struggle to accurately identify this email as an attack because the message is sent from a reputable email provider, includes legitimate links, and lacks suspicious attachments. Modern AI-powered email security solutions detect suspicious links in the content of the message, identify that the email is being sent to a suspiciously large group of recipients, and recognize that the sender domain and name do not match to appropriately flag this email as an attack.
Screenshots (captions): Phishing attack posing as Virgin Media notification; Attackers impersonate Virgin Media branding to trick users into credential theft; Malicious portal disguised as My Virgin Media login.
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Reputable Email Provider: The attacker sends from a free consumer email service (here, iCloud), whose domain is less likely to be blacklisted and can therefore pass basic email filters.
- Legitimate Links Included: The email includes links associated with recognizable domains, which can pass through basic link verification checks due to their legitimate structure.
- Lack of Attachments: By not including any attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Large Recipient Group: The "To" field shows that the email was sent to a large group of people, which is atypical for a genuine account notice and raises suspicion during Abnormal's analysis.
- Sender Name and Domain Mismatch: The display name claims to be Virgin Media while the sending domain belongs to an unrelated provider, raising further suspicion during Abnormal's analysis.
- Suspicious Link Analysis: Abnormal's systems scrutinize the presence of links leading to suspicious domains, triggering deeper analysis for possible malicious intent.
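The three indicators listed above can be checked mechanically on a raw message. The following is an added illustration, not Abnormal's detection code; it parses a constructed sample that mirrors the campaign described on this page (the addresses, the recipient threshold of 5 and the `BRAND_DOMAINS` allowlist are assumptions) and reports which indicators fire.

```python
"""Flag the three indicators this page describes on a raw RFC 5322 message."""
import email
import re
from email import policy
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Constructed sample resembling the campaign described above (not a real capture).
SAMPLE_EMAIL = """\
From: Virgin Media <security-notice@icloud.com>
To: a@example.com, b@example.com, c@example.com, d@example.com, e@example.com
Subject: Action required: update your email security settings
Content-Type: text/html

<p>Your email security settings are outdated.</p>
<a href="https://campsite.bio/virginmedia-update">Click Here to Continue</a>
"""

BRAND_DOMAINS = {"virginmedia.com"}  # assumed domains the real brand sends from
RECIPIENT_THRESHOLD = 5              # assumed cut-off for "large recipient group"

def sender_mismatch(msg, brand_domains):
    """True when the display name claims the brand but the address does not."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    return "virgin media" in name.lower() and domain not in brand_domains

def recipient_count(msg):
    """Distinct addresses across To and Cc headers."""
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return len({a.lower() for _, a in addrs if a})

def link_domains(msg):
    """Hostnames of every href in the (HTML or plain) body."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    return sorted({urlparse(u).hostname or "" for u in re.findall(r'href="([^"]+)"', text)})

def score(raw, brand_domains=BRAND_DOMAINS, threshold=RECIPIENT_THRESHOLD):
    """Return the list of indicators that fire for the raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    indicators = []
    if sender_mismatch(msg, brand_domains):
        indicators.append("sender-name-domain-mismatch")
    if recipient_count(msg) >= threshold:
        indicators.append("large-recipient-group")
    off_brand = [d for d in link_domains(msg)
                 if d and not any(d == b or d.endswith("." + b) for b in brand_domains)]
    if off_brand:
        indicators.append("link-to-unrelated-domain")
    return indicators

if __name__ == "__main__":
    print(score(SAMPLE_EMAIL))
```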
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.