Multiple times, a specific gang of criminals has targeted Denmark with a phishing campaign aimed at NemID users. NemID is the official log-in solution for Danish Internet banks, government websites and some other private companies (http://en.wikipedia.org/wiki/NemID).
The campaigns have tried to lure people into giving away their usernames and passwords and also their NemID one-time-password cards working as a form of two factor authentication. We have warned about this several times:
• https://www.csis.dk/da/csis/blog/4245/
• https://www.csis.dk/da/csis/blog/4237/
In the second article we even used pictures to document that people actually upload their OTP to the criminals.
We have been monitoring these campaigns and as a result we have obtained a lot of information including data which can be used to identify the victims.
Below, there is a picture that illustrates who jumps at the bait based on age and gender.
We are working closely with law enforcement to arrest the criminals behind these attacks. Apart from that, we are shooting down the compromised webservers abused in these phishing campaigns.
So far we have observed five campaigns. The estimated number of spam mails coming out of the “botnet” (likely rented) is approximately 250.000 per campaign. Despite the fact that only 117 people have fallen victims to the scam so far, it still seems to be a very profitable business for the criminals behind the campaigns.
Interestingly, primarily males between the age of 65 and 74 have provided the criminals with both their usernames and passwords and a photo of their NemID OTP’s. In fact, mostly males fall victim to these campaigns and, as the statistics have taught us, it’s primarily older people passing on sensitive data to the bad guys.
We are trying to prevent further losses by blocking access to the phishing websites with the Heimdal Security Agent. Check out the website of Heimdal Security here:
https://heimdalsecurity.com/