Cofense researchers have discovered a phishing attack against users of Stripe, a company that provides electronic payment processing. According to the researchers, the phishing attack is not just about stealing users' data, but also about tricking them into sharing their financial information.
Initially, the attackers send emails to users that appear to come from Stripe, informing them that their account details are invalid. The malicious agents have designed this message quite cleverly, as it disguises the sender's identity as 'Stripe Support'. They have also applied an HTML title to the "Examine your information" button that users click in the e-mail. This prevents the user from seeing a preview of the embedded link.
By clicking the "Review" button, the user is taken to a malicious site that contains a number of web pages. The first page asks for the user's credentials and then leads to another website, which asks for the user's bank account number and phone number. The last page redirects the victim to the actual Stripe website to avoid possible crawling.
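A mail-filtering check for the title technique described above, as an added example that is not from Cofense or Stripe: it lists links in an HTML body that leave the expected brand domain and flags those carrying a `title` attribute. The sample body, the `example.net` host and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body; example.net is a placeholder, not an indicator from the report.
SAMPLE_BODY = """
<p>Your account details are invalid.</p>
<a href="https://login.example.net/stripe" title="Examine your information"><b>Review</b></a>
<a href="https://support.stripe.com/">Help</a>
<a href="mailto:support@stripe.com">Contact</a>
"""

class AnchorCollector(HTMLParser):
    """Collect href, title attribute and visible text of every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._cur = {"href": a.get("href") or "", "title": a.get("title"), "text": ""}

    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self._cur["text"] = " ".join(self._cur["text"].split())
            self.anchors.append(self._cur)
            self._cur = None

def host_in_domain(host, domain):
    """Exact or subdomain match, so stripe.com.example.net does not pass."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def audit_links(html_body, expected_domain):
    """Return off-domain links, flagging those whose title can mask the hover preview."""
    parser = AnchorCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for a in parser.anchors:
        host = urlsplit(a["href"]).hostname
        if host is None or host_in_domain(host, expected_domain):
            continue  # mailto:, fragments, or a link that stays on the brand domain
        findings.append({"text": a["text"], "host": host,
                         "title_masks_preview": a["title"] is not None})
    return findings
```

A `title` attribute alone is common on legitimate links, so the check only reports it together with an off-domain destination.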
Always be cautious
While most phishing campaigns lure users via email, the technique is not limited to email. Criminals use various tricks in other media as well.
To avoid such attacks, users should be careful with any message they receive that asks them to enter information. An incoming email may be part of a phishing attack unless it is a response that you really expect from a company, for example, the verification or login message you receive when you reset the password of any online account.
Simply put, whenever you receive an email alerting you to a suspected or failed login attempt, the expiration, verification or authentication of an account, or any other matter, try to confirm the source mentioned in the email by other means. For example, you can call your bank to verify whether the message you received is from them, or contact the customer support of a company such as Microsoft or Instagram to validate the message. If you are not sure of the authenticity of an email, it is best to avoid replying.