In this phishing attack, cybercriminals impersonate Virgin Media and send targets a fake notification regarding email security settings. Using an iCloud address to bypass basic email filters, the attacker claims the recipient’s email security settings are outdated and must be updated immediately to maintain access to their account. Recipients are directed to click a link leading to a page hosted on campsite[.]bio, which is designed to resemble Virgin Media’s official site. The page prominently displays the Virgin Media logo, enhancing its credibility, and includes a button labeled "Click Here to Continue." However, clicking this button redirects the recipient to a malicious login portal, where attackers aim to harvest email credentials. This phishing attack capitalizes on the urgency of security updates, a common tactic in service communications, to manipulate recipients into acting without verifying the email’s legitimacy. The use of professional branding and a well-known platform like campsite[.]bio adds to the illusion of authenticity, increasing the likelihood of success.

Older, legacy email security tools struggle to accurately identify this email as an attack because the message is sent from a reputable email provider, includes legitimate links, and lacks suspicious attachments. Modern AI-powered email security solutions detect suspicious links in the content of the message, identify that the email is being sent to a suspiciously large group of recipients, and recognize that the sender domain and name do not match to appropriately flag this email as an attack.

Status Bar Dots
SCR 20241125 mvoe

Phishing attack posing as Virgin Media notification

Status Bar Dots
SCR 20241125 mwwq

Attackers impersonate Virgin Media branding to trick users into credential theft

Status Bar Dots
SCR 20241125 mxic

Malicious portal disguised as My Virgin Media login

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Reputable Email Provider: The attacker uses a free hosting email service, which is less likely to be blacklisted and can bypass basic email filters.
  • Legitimate Links Included: The email includes links associated with recognizable domains, which can pass through basic link verification checks due to their legitimate structure.
  • Lack of Attachments: By not including any attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Large Recipient Group: The "To" field indicates that the email was sent to a large group of people, raising further suspicion during Abnormal’s analysis.
  • Sender Name and Domain Mismatch: The sender name does not match the sender domain, raising further suspicion during Abnormal’s analysis.
  • Suspicious Link Analysis: Abnormal's systems scrutinize the presence of links leading to suspicious domains, triggering deeper analysis for possible malicious intent.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Vector

Link-based

Goal

Credential Theft

Tactic

Free Webmail Account
Masked Phishing Link
Branded Phishing Page

Theme

Security Update

Impersonated Party

Brand

Impersonated Brands

Virgin Media

See How Abnormal Stops Emerging Attacks

See a Demo