A phishing campaign has been identified attempting to harvest customers’ bank account information and user credentials.
The Cofense Phishing Defense Center (PDC) researchers who discovered the Stripe phishing campaign found that the attackers use the message’s “Review your details” button, which redirects recipients to the phishing pages, and hide the button’s actual destination.
“The true destination of this hyperlink is obscured by adding a simple title to the HTML tag, which shows the recipient the title “Review your details” when the recipient hovers over the button instead of the URL,” the researchers wrote.
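A defender-side check for the hover-masking trick described above, written here as an added example (not Cofense’s or Stripe’s code): it parses an HTML message body, pairs each link’s true href with its title attribute and visible text, and flags links whose title masks a destination outside an assumed allow-list of brand hosts. The sample message body and the allow-list are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a lure body in the style of the campaign described above
# (hypothetical markup; the real message is not reproduced on the page).
SAMPLE_EMAIL_HTML = """<html><body>
<p>This is a confirmation that the details associated to your account is currently invalid.</p>
<p><a href="http://phish.example/stripe/login" title="Review your details">Review your details</a></p>
<p><a href="https://stripe.com/docs/security">Stripe security guidance</a></p>
</body></html>"""

# Assumed allow-list of hosts a genuine message from this brand would link to.
TRUSTED_HOSTS = {"stripe.com"}


class AnchorCollector(HTMLParser):
    """Collect every <a> element with its href, title attribute and visible text."""
    def __init__(self):
        super().__init__()
        self.anchors, self._current = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._current = {"href": a.get("href") or "", "title": a.get("title"), "text": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self._current["text"] = self._current["text"].strip()
            self.anchors.append(self._current)
            self._current = None


def is_trusted_host(host, trusted=TRUSTED_HOSTS):
    # True when host is an allow-listed host or a subdomain of one (not a look-alike).
    return any(host == t or host.endswith("." + t) for t in trusted)


def find_masked_links(html, trusted=TRUSTED_HOSTS):
    """Return links whose hover title masks an href that points outside the allow-list."""
    parser = AnchorCollector()
    parser.feed(html)
    flagged = []
    for anchor in parser.anchors:
        host = (urlparse(anchor["href"]).hostname or "").lower()
        # The lure's trick: the title attribute supplies the hover text, so the reader never
        # sees the real URL. A titled link to a non-brand host is the signal we report.
        if anchor["title"] and not is_trusted_host(host, trusted):
            flagged.append({**anchor, "host": host})
    return flagged
```

Run over a mailbox export, each flagged entry gives the analyst the real host beside the text the recipient saw.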
As bait, the campaign uses an invalid-account notification: a fake Stripe support message stating “This is a confirmation that the details associated to your account is currently invalid” and that “Failure to attempt to this issues your account will be place on hold.”
The phishing site is a replica of the Stripe customer login page and consists of three pages. The first harvests the administrator’s email address and password, while the second asks the customer for the bank account number and phone number associated with the account.
On the third page, the customer is returned to the account login page, where an error message, “Wrong Password, Enter Again”, is displayed. This leads the customer to believe that they entered their password incorrectly, and the site then redirects them “back to the legitimate site, so the recipient doesn’t suspect foul play.”
On its support site, Stripe states that it does send customers email notifications, and it provides tips to help users avoid being phished, such as checking a web address before clicking on it.
Stripe also recommends that customers use strong, unique passwords for their accounts and enable two-step verification.