Akankasha Dewan 05 October 2020 19:39:15 AEDT 4 MIN READ

Caution: Multi-staged phishing scam impersonating TPG asks users to “update” payment details


Telecommunications giant TPG is being impersonated in a phishing email scam designed to harvest users' confidential data, including their login and credit card details.

Titled “important !”, the email uses the display name “Tpg Telecom” and carries the company’s branding and logo. The address in the “from:” field appears to spoof a TPG support account, but the message was actually sent through a third-party service, register.com. It tells recipients there is a “problem” with their “current payment method” and advises them to update their payment details or risk “a delay” to their service. A button is provided for them to do so, and the email ends with a footer containing TPG support details. Hovering over the button reveals that it points to a link shortener, most likely used to hide the true destination of the malicious link.

Here is what the email looks like:


[Screenshot: the phishing email impersonating TPG]

Unsuspecting recipients who click the link to update their payment details are taken to a convincing copy of a TPG login page. As in the email, the company’s logo and branding are used. However, the domain in the page’s URL does not belong to TPG; the page appears to be hosted on a compromised website in Europe. There is also a stray PHP tag (“?>”) towards the bottom of the page, left over from the PHP template behind it.

[Screenshot: the fake TPG login page]

This is a phishing page designed to steal users’ details. Once they submit their login details and “sign in”, their username and password are captured by the attackers, and they are taken to another page asking for credit card information, shown below:

[Screenshot: the fake credit card details page]

Similar to the login page, this page also employs TPG’s logo and branding, and includes touches typically expected of a well-established company like TPG, such as client-side field validation that rejects malformed credit card numbers. Such validation is trivial to copy and is no indication that the page is genuine.

Once users enter and submit their credit card details, they are led to a page asking them to input a verification code, which never arrives.

Cybercriminals behind this scam have incorporated multiple elements to boost this email’s credibility. These include:

  • use of a major brand name to inspire false trust: “Tpg Telecom” as the display name, together with a sender address that appears to use TPG’s domain, boosts the email’s credibility,
  • imitation of security steps, such as a verification code prompt, that recipients expect from legitimate notifications sent by a well-established organisation like TPG,
  • inclusion of high-quality branding elements, such as TPG’s logo, on the phishing pages, matching what appears on the company’s genuine pages, and
  • an alarming subject and body: telling recipients in an email titled “important !” that their service may be “delayed” creates a sense of urgency and anxiety, motivating them to act immediately without checking the email’s authenticity.


Despite these techniques, eagle-eyed recipients should be able to spot several red flags that point to the email’s illegitimacy. The email does not address the recipient by name; its subject contains a spacing error (“important !”); the phishing page it links to carries a stray PHP tag (“?>”) at the bottom; and the display name “Tpg Telecom” gets the company’s own name wrong (TPG is written in all capitals), a huge red flag that should raise suspicion about the email’s legitimacy. Hovering over the button before clicking also exposes a shortened link rather than a TPG address.
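Several of the red flags above (a brand display name with the wrong capitalisation, a From: address on the brand’s domain while the message actually leaves an unrelated service, a spacing error in the subject, and a shortened link behind the button) can be checked mechanically before a user ever sees the mail. The following Python script is an added example, not MailGuard’s or TPG’s code: the brand domain `tpg.example`, the shortener list and both messages are constructed placeholders, and the checks compare the visible From: domain against the Return-Path rather than verifying SPF or DKIM.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed brand configuration: placeholder values, not TPG's real mail infrastructure.
BRAND_NAME = "TPG"
BRAND_DOMAINS = {"tpg.example"}

# Assumed list of public URL-shortener hosts; extend it for your own environment.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Constructed sample modelled on the campaign described above (not the real message):
# brand display name with the wrong capitalisation, From: on the brand domain, a
# Return-Path on an unrelated service, a spacing error in the subject and a shortened link.
SAMPLE_EML = b"""\
Return-Path: <bounce@mailer.registrar.example>
From: "Tpg Telecom" <support@tpg.example>
To: customer@example.test
Subject: important !
Content-Type: text/html; charset="utf-8"

<html><body>
<p>There is a problem with your current payment method. Update your payment
details now or there will be a delay in your service.</p>
<p><a href="https://tinyurl.com/y7abcdef">Update payment details</a></p>
</body></html>
"""

# Constructed clean message for comparison: consistent domains and no shortener.
CLEAN_EML = b"""\
Return-Path: <noreply@tpg.example>
From: "TPG Telecom" <noreply@tpg.example>
To: customer@example.test
Subject: Your monthly statement
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://my.tpg.example/account">View statement</a></p></body></html>
"""


def domain_of(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, address = parseaddr(str(header_value or ""))
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def extract_links(html):
    """Collect href targets from HTML without rendering or following them."""
    return re.findall(r'href\s*=\s*["\']([^"\']+)["\']', html, flags=re.I)


def is_brand_host(host):
    """True if host is one of the brand domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def analyse(raw):
    """Return a list of human-readable red flags found in a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flags = []

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)

    # 1. Display name spells the brand with the wrong case ("Tpg" instead of "TPG").
    for token in display_name.split():
        if token.lower() == BRAND_NAME.lower() and token != BRAND_NAME:
            flags.append(f"display name mis-capitalises brand: {token!r}")

    # 2. Visible From: uses the brand domain, but bounces go to a different service,
    #    i.e. the message did not leave the brand's own mail system.
    rp_domain = domain_of(msg.get("Return-Path", ""))
    if from_domain in BRAND_DOMAINS and rp_domain and rp_domain != from_domain:
        flags.append(f"From: domain {from_domain} but Return-Path domain {rp_domain}")

    # 3. Sloppy subject: whitespace before punctuation ("important !").
    subject = str(msg.get("Subject", ""))
    if re.search(r"\s[!?.,:;]", subject):
        flags.append(f"subject has a space before punctuation: {subject!r}")

    # 4. Every link must point at brand infrastructure and not hide behind a shortener.
    body = msg.get_body(preferencelist=("html", "plain"))
    for link in extract_links(body.get_content() if body else ""):
        host = (urlparse(link).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            flags.append(f"link hidden behind URL shortener: {host}")
        elif not is_brand_host(host):
            flags.append(f"link points to a non-brand host: {host}")
    return flags


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(name, analyse(raw) or ["no red flags"])
```

Run against the constructed sample, `analyse` reports four flags (the mis-capitalised display name, the From/Return-Path mismatch, the subject spacing and the shortened link) and none for the clean message. In production the Return-Path comparison should be replaced by, or combined with, SPF and DKIM alignment results from the receiving MTA, since Return-Path is itself attacker-controlled.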

While MailGuard is stopping this email scam from reaching Australian businesses, we encourage all users to be extra vigilant against this kind of email and, whatever happens, not to click on its links or enter any details.

TPG recommends the following tips to keep your TPG account secure:

  • Regularly scan your computer for viruses and malware.
  • Be cautious about using an untrusted computer to enter your TPG login details.
  • On request, you can add a passcode on your TPG account over the phone. We will then ask for this passcode for all phone calls we receive in relation to your TPG account.
  • Never share your passwords or usernames over email, instant messengers or social media. If you need to record any password or username, write it down on a piece of paper and keep it somewhere safe.
  • Do not use the same password for multiple websites.
  • Update your TPG password regularly.
  • When setting up your TPG password, you should avoid using the following:
    • Obvious words such as “password” or “qwerty”
    • Your TPG Username or Customer ID
    • Your name or names of your family and friends
    • Using sequential letters and numbers such as “abcde” or “12345”

One email is all that it takes

All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.

Talk to a solution consultant at MailGuard today about securing your company's network.
