Over the last couple of years we have seen a decline in traditional phishing schemes as cyber criminals have begun to use banking malware such as Zeus and SpyEye. These tools can steal credentials from a wide range of web sites and by using browser-in-the-middle techniques can beat two factor authentication used by many banking websites.

Lately we have seen a number of phishing emails where the phishers impersonate a third party that may have a plausible reason for interacting with your bank, such as a tax department. The Phishers then attract victims to a landing page via spam where they are asked to choose their bank from a selection. They are then shown a fake login page for that bank. This increases the chance of a Phisher matching a bank to a potential victim.

This email, targeted at British recipients, promises the recipient that they are eligible for a tax refund from HM Revenue and Customs. By clicking the Refund Me Now link they can be on their way to receiving their tax refund.

Following the link takes the recipient to the phishing landing page below with the logos of 15 banks; and asks the user to click on the logo of their bank to continue. Each logo is a link to a fake banking website that is similar to that bank’s real website.

The landing page where users are asked to select their bank

When we click on the HSBC bank logo we are taken to a page designed to phish credentials from HSBC members:

The phishing page the victim is sent to if they click the HSBC bank logo

We saw a nearly identical campaign two months ago that was phishing for bank accounts in New Zealand. This is just another technique cyber criminals are using to increase their returns as people become more aware of how phishing attacks work.