TV-License Phishing Scam Tricks UK Users Into Giving Personal Information

Cofense Intelligence recently observed a new phishing scam making the rounds in the United Kingdom. It poses as the TV licensing authority, better known as the British Broadcasting Corporation. The premise behind the scam is to trick users into believing that they are breaking the law by not owning a valid license to receive TV, a criminal offense in the UK with a maximum penalty of a £1000 fine plus any legal costs incurred during prosecution.

The email body consists of a warning message informing victims that automatic renewal of their TV license failed due to an issue with payment details. The email is made up of a single image and a hyperlink, so wherever you click in the email body you will be delivered to the phishing page.

Figure 1. Email Body  

If we take a closer look at the email headers, we can see that literally no effort was made to spoof the sender address, which is strange, as it appears the attackers have gone to quite some effort to duplicate the BBC TV licensing webpage. From the headers we see that the threat source is orito[@]k-taniguchi[.]co[.]jp. The k-taniguchi[.]co[.]jp domain belongs to a Japanese industrial machinery company, so one can deduce that it is a compromised email account. Over the last couple of months we have seen a rise in compromised Japanese email accounts being used to send spam and phishing emails.

Figure 2. Email Headers 
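The two traits described above (a sender domain unrelated to the brand the message claims to be from, and a body that is nothing but one hyperlinked image) can be checked automatically at triage. The following is an added example, not Cofense code; the brand domain allowlist, the keyword list, the 20-character text threshold and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Assumptions: sender domains the impersonated brand really uses, and brand keywords.
BRAND_DOMAINS = {"tvlicensing.co.uk"}
BRAND_WORDS = ("tv licence", "tv license", "tv licensing")

# Constructed sample message (not taken from the campaign).
SAMPLE = """\
From: "TV Licensing" <sender@compromised.example>
Subject: Your TV Licence could not be renewed
Content-Type: text/html; charset="utf-8"

<html><body><a href="http://phish.example/renew"><img src="http://phish.example/notice.png"></a></body></html>
"""

class BodyShape(HTMLParser):
    """Counts links, images nested inside links, and visible text characters."""
    def __init__(self):
        super().__init__()
        self.depth = self.links = self.linked_imgs = self.text_chars = 0
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.depth += 1
            self.links += 1
        elif tag == "img" and self.depth:
            self.linked_imgs += 1
    def handle_endtag(self, tag):
        if tag == "a" and self.depth:
            self.depth -= 1
    def handle_data(self, data):
        self.text_chars += len(data.strip())

def triage(raw: str) -> list[str]:
    """Return findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    claimed = f"{display} {msg.get('Subject', '')}".lower()
    trusted = any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS)
    findings = []
    if any(w in claimed for w in BRAND_WORDS) and not trusted:
        findings.append(f"brand-mismatch:{domain}")  # brand named, unrelated sender domain
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        shape = BodyShape()
        shape.feed(html.get_content())
        if shape.links == 1 and shape.linked_imgs and shape.text_chars < 20:
            findings.append("image-only-linked-body")  # whole body is one clickable image
    return findings
```

Either finding alone is weak evidence, since legitimate newsletters also use linked images; together they are a reasonable signal to route a message for analyst review.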

The phishing site contains a series of four pages, the first titled “About the TV Licence Holder.” It instructs users to enter personal information like: full name, DOB, full postal address, phone number, email address, and of course their mother’s maiden name. This type of information is highly valuable to cyber criminals and fraudsters.

Figure 3. Personal Detail harvesting 

The second page is designed to collect protected card information. This “Payment Details” page harvests details such as: full name as appears on the card, full card number, and expiration date. Finally, the victim is directed to a third page allowing the user to double check details before submitting them.

Figure 4. Confirm your phishing details  

Once all details have been double checked and verified, the user will click the Continue button and submit the credentials to the server. Users are then redirected to the official TV Licensing website’s privacy policy page as seen in Figure 5. This legitimate page is strikingly similar to the phishing page, demonstrating that the threat actors have fully developed their phish.

Figure 5. Official TV licence page redirect 

These types of phishing pages are increasingly sophisticated. Threat actors are eager to harvest your financial details and personally identifiable information to use or sell to other criminals. The initial phishing lure is intended to incite angst and stress, making the user more likely to respond quickly and less likely to check the email for signs of illegitimacy.  

It’s critical to educate users about such phishing tactics and train them to report suspicious emails. Cofense PhishMe does just that for users across the globe. Learn how our security awareness training is focused on active threats.   

Indicators of Compromise (IOCs):
Malicious URL: hxxp://www[.]moto-stops[.]com/affiliatesdealersorg/personal-details[.]app[.]php?tokenID=28&ServerID=uCVfrJKFqVjuWAXxODsIoWq
Associated IP: 23[.]229[.]137[.]129 

 
