Ofgem Energy Bill Rebate Phishing Fraud

-

 


On 3 February 2022, the The UK Office of Gas and Electricity Markets (Ofgem) issued a warning that there has been a "record increase in global gas prices" which saw an "energy price cap rise of 54%"; adding that "Ofgem knows this rise will be extremely worrying for many people". That last sentence is precisely why phishing threat actors are beginning to use Ofgem-themed lures as a pretext for phishing attacks to target and defraud UK-based users online. 

On 17 May 2022, Ofgem issued a warning "of a scam email claiming to be from Ofgem asking for bank details so customers can get a rebate" (see Figure 1). This was followed by an alert from UK Action Fraud stating it has received "over 750 reports in just four days about these fake Ofgem emails". The UK NCSC also included the warning in its Weekly Threat Report.

Figure 1: Ofgem-themed phishing email

On 20 May 2022, while researching newly phishing pages a recently created Ofgem-themed page was discovered submitted to URLscan.io (see Figure 2). The phishing page poses as the Ofgem website and pretends users are entitled to a rebate (a partial refund to someone who has paid too much for a utility).

Users are promised a "£200 discount on their energy bill" and a "£250 non-repayable Council Tax Rebate payment" if they enter their details. Any users who enter their personal details to "set up a direct debit" into the fake Ofgem site will most likely be targeted for follow-up attacks by the cybercriminals, which could include identity theft, fraud, and account hijacking.

Figure 2: Ofgem-themed 'Energy Bill Rebate' phishing page

The phishing page used the following URL: hxxps[:]//ofgem-rebates[.]com/gov/page-1[.]php. The website was registered via PublicDomainRegistry (d.b.a PDR Ltd) and hosted on an IPv4 address: 91[.]235[.]116[.]232 at THCPROJECTS (AS51177), a web host based in Romania. Using the Passive Domain Name System (DNS) feature of OTX Alienvault (see Figure 3), it was possible to uncover four other 'Ofgem Energy Bill Rebate' themed phishing pages (see the IOCs section below). The domains were all created within a similar timeframe and used a similar naming pattern. We can assess with high confidence that these were created by the same threat actor. 

Figure 3: pDNS discovery of Ofgem-themed domains

The Ofgem-themed campaign is currently in its early stages and has not been reported on yet. As an infosec and anti-fraud community we should anticipate more energy price related campaigns. Any major event or news cycle is often quickly leveraged by cybercriminals and this is just the latest one. 

Some analysts reading this may have also noticed that the same IP address used for this Ofgem-themed campaign has also been recently used in the month of May for hosting other phishing pages posing as Santander Bank and Facebook, among various other brands. This could mean that THCPROJECTS (AS51177) is a preferred Romania-based host for phishing threat actors. This, however, is not a good indicator that the threat actors responsible are Romanian, as anyone from anywhere can pay to host a site with this host.


Indicators of Compromise (IOCs)

  • info[@]rebate-ofgem[.]com
  • ofgem-rebates[.]com
  • ofgem-energy-rebate[.]com
  • rebate-ofgem[.]com
  • ofgem-register-rebate[.]com
  • ofgem-rebate[.]com
  • 91[.]235[.]116[.]232
IOCs are also available on OTX Alienvault here.

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
Read more

Tracking Adversaries: Scattered Spider, the BlackCat affiliate

-
Image
After tracking the cybercrime threat landscape on a day-to-day basis for over four years now, it’s not that often anymore that something surprises me. But the latest trend of a suspected English-speaking big game hunting cybercriminal group, tracked under the moniker as Scattered Spider by CrowdStrike or 0ktapus by Group-IB, teaming up with a Russian-speaking ransomware group known as BlackCat (or ALPHV) has caught my attention. Background on Scattered Spider CrowdStrike introduced Scattered Spider in December 2022 and shared an update in January 2023 . These financially motivated English-speaking threat actors are known for their unique style of attacks, which usually all begin the same way, either via an SMS phishing message to harvest credentials or via an old school (yet still very effective) social engineering vishing call to get credentials or get the target to download malicious software and provide access. Other tricks Scattered Spider is known for includes multi-factor
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
Read more