Customer Satisfaction Survey Leads to Credential Phishing

The CofenseTM Phishing Defense Center (PDC) has observed a phishing campaign masquerading as a Customer Satisfaction Survey from Cathay Pacific. Fake surveys are an old tactic, but the PDC has recently seen an increase in their use. Examining the following email will show you what to look out for.

At first look, the email appears to be a legitimate Satisfaction Survey. It is not uncommon to receive a reward for completing a survey, so that alone is not an Indicator of Phishing (IoP). However, as shown in Figure 1, the “Click here – Participate and Win” link feels out of place. This could be an indicator that something is suspicious and should be investigated further.

Figure 1 – Received “Customer Satisfaction Survey” Report

As shown in Figure 2, the From field shows that the email appears to be from Cathay Pacific, using the email address cathay[.]pacific[@]email[.]cathaypacific[.]com. The SMTP relay also appears to be from cathaypacific.com, but the IP address of the relay resolves to hostserv.eu, a European hosting provider. This is another indicator that the email could be suspicious as it seems highly unlikely that a Cathay Pacific would use a low-cost European hosting provider as their mail server.

Figure 2 – Email Details

Figure 3 – Email Header

Opening the “Click here – Participate and Win” link directs the user to hxxp://syconst[.]com/ebv/[.]uk/CathayP/. The threat actors have done a good job in making the survey look like the legitimate website of Cathay Pacific. Figure 4 shows a comparison of the fake and genuine website.

Figure 4 – Website comparison

On closer inspection of the fake website, you notice that its header is actually a picture and therefore users are unable to click on any of the links (Figure 5).

Figure 5 – HTML View of Fake Survey Page

Figure 6 – Credit/Debit Card Details Page

The victim is also required to select the credit card issuer. With this specific phishing campaign, the threat actors target the following banks:

  • Hang Seng Bank
  • Citibank
  • Hongkong and Shanghai Banking
  • HSBC UK
  • Standard Chartered Bank
  • DBS Bank
  • Dah Sing Bank
  • UnionPay Card

After submitting the credit/debit card details, the victim is redirected to a fake “Verified by Visa – MasterCard SecureCode” page that tricks the user into thinking the details submitted are processed by Visa and MasterCard (Figure 7).

Figure 7 – Fake Visa/MasterCard Verfication Page

Based on the selected credit card issuer, the victim is automatically redirected to another fake site that appears to be from the bank they chose. If the card issuer is not listed and the field is left blank, an error message appears, and the victim is redirected to the start of the survey.

Figure 8 shows the landing page for UnionPay which asks the victim to provide additional details such as email address and mobile number.

Figure 8 – UnionPay Landing Page

In Summary: Nothing New, But Still Effective

While Customer Survey Phishes are nothing new and have been around for years, we have recently observed an increase in such reports. Nowadays, threat actors deliver phishing campaigns that at first seem to be non-malicious as they include formatting and logos that make them look like valid emails from the company. The email and the surveys may also be customized to resemble the organisation’s genuine website. No matter how sophisticated the phishing campaigns are, they all follow the same old tactic:

The victim is first presented a form containing “bogus” questions, where often a response is not required. The victim is then prompted to supply credit/debit card details to supposedly receive the reward for completing the survey. However, this is entirely imaginary, and all information provided is collected and used by the threat actors.

Users should be very cautious of any messages that promise to pay a fee for completing a survey. While companies certainly conduct surveys and even offer a reward for participants in some cases, it is extremely unlikely to receive a substantial amount for completing a small and rather insignificant survey.

Tips to spot suspicious emails:

  • Check the email for grammatical errors—if there are any, there is a high probability that the survey is not genuine
  • Don’t open attachments! Even a genuine looking PDF can contain malware
  • Hover over a link to see where it really takes you and be cautious as there may be subtle differences between the fake URL and the genuine URL
  • Organisations won’t ask for your bank details, credit card information, or other personal information in exchange for money or free gifts

To stay on top of the latest phishing and malware threats, sign up for free Cofense Threat Alerts.

Indicators of Compromise (IOCs): 
Malicious URL:
hxxp://syconst[.]com/ebv/[.]uk/CathayP/surv1[.]htm

hxxp://syconst[.]com/ebv/[.]uk/CathayP/surv2[.]htm

hxxp://syconst[.]com/ebv/[.]uk/CathayP/surv3[.]html

hxxp://syconst[.]com/ebv/[.]uk/CathayP/surv4[.]html

hxxp://syconst[.]com/ebv/[.]uk/CathayP/Table[.]html

hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/HENG/SENG[.]html

hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/HENG/go[.]php

hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/CITI/CITIBANK[.]html

hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/CITI/go[.]php

hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/HK/DNA[.]html

hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/HK/dna[.]php

hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/SC/SC[.]html

hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/SC/OCB[.]html

hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/SC/go[.]php

hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/DBS/DBS[.]html

hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/DBS/go[.]php

hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/DAH/DAH[.]html

hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/DAH/go[.]php

hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/UnionPay/UnionPaym[.]html

hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/UnionPay/uws[.]php

Associated IP:
211[.]43[.]203[.]23

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

 

The Headlines Make the Case for More Efficient Phishing Response
Cofense SOARs Above Existing Security Orchestration and Automation Offerings Leveraging Human-Intelligence to Stop Active Cyber Attacks

Leave a Reply