Cyber criminals are swiping bank details from unlucky Three customers by cloning the mobile network’s real web pages. The phishing attack was reported by the Cofense Phishing Defence Center (PDC) this morning.
According to the PDC, a number of Three users have received a deceptive email claiming to come from the mobile operator itself. The email – titled “3G Your mobile services Your Account” – appears to have originated from online@three[.]co[.]uk. It reads:
“Your Latest bill payment could not be processed by your bank. Access to your mobile services will be suspended. Download the attachment form to amend your billing information.
3G Customer Services”
In the email message, customers are told that a bill payment could not be processed by their bank. They are then asked to download an attached HTML file to edit their billing info and avoid seeing their service be suspended.
Related: Best smartphone
The file – “3GUK[.]html” – then asks the user to input their login credentials, personal information and credit card details to continue with the phone bill payments.
Unfortunately, the form is pretty convincing and could easily be mistaken for Three’s actual account confirmation page – and there’s a reason for that. The source code behind the HTML page suggests that the form attached to the email is actually a clone of Three’s real website.
The fake form features styling elements pulled directly from Three’s website and even the buttons on the form direct to legitimate Three webpages, such as the phrase “iPhone 11” below the Popular Phones category at the bottom of the page.
Related: Best VPNs for security and privacy
According to the PDC, the IP address appears to originate from the URL “mail[.]moultondesign[.]com, while any customer information provided via the form seems to be processed by the processing[.]php script at hxxp:/joaquinmeyer[.]com/wb/processing[.]php.
If you receive an email from Three asking you to re-enter your payment details, take a closer look to make sure the notice really is a legitimate one.