Iceland has suffered its largest ever cyber-attack after a sophisticated phishing scam targeted thousands of the country’s residents.
According to researchers at Bleeping Computer, victims received an email from what appeared to be the Icelandic Police Force, informing them that they were required to come in for questioning by the police on October 30th.
Victims were told that failure to comply with the request would result in the issue of an immediate arrest warrant.
The scam appeared entirely convincing as the criminals used a variety of methods to cover their tracks and reduce the chance of detection.
Within the email was a link directing users to what appeared to be the official Icelandic police website. The official police web address is logreglan.is, but the address used in the email was logregIan.is.
By substituting a capital ‘I’ for the lowercase ‘l’ in the address, the hackers were able to make it look like the legitimate domain, almost indistinguishable from the real site.
This is a common tactic among hackers: the closer they stick to the official spelling of a website, the greater the chance of people falling for the scam.
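A defender-side check for the lookalike trick described above, added here as an example and not code from the article or from any of the organisations it mentions. It reduces each domain in an email link to a "skeleton" in which visually confusable characters (a capital I standing in for a lowercase l, a zero for an o, and so on) collapse to one canonical form, then compares that skeleton against an allowlist of trusted domains and also catches one-character typosquats with an edit distance. The allowlist, the confusables table (a small hand-picked subset, not the full Unicode confusables list) and the sample email body are all constructed for this example; logreglan.is and logregIan.is are the two domains named in the article.

```python
"""Flag lookalike domains in e-mail links (added example, not from the article).

Assumptions (all constructed for this example): the TRUSTED_DOMAINS allowlist,
the small confusables tables, and the SAMPLE_EMAIL body.
"""
import re
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist: the real police domain named in the article plus a
# made-up bank domain for illustration.
TRUSTED_DOMAINS = ["logreglan.is", "example-bank.is"]

# Single characters that look alike in common fonts, mapped to one canonical
# form. Applied BEFORE lowercasing so that a capital I (the trick used in the
# scam) collapses onto a lowercase l instead of becoming an i.
CONFUSABLES = {"I": "l", "1": "l", "|": "l", "0": "o"}
# Two-character sequences that resemble a single letter.
PAIR_CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def skeleton(domain: str) -> str:
    """Reduce a domain to a comparison skeleton so confusable spellings collide."""
    d = unicodedata.normalize("NFKC", domain.strip().rstrip("."))
    for pair, single in PAIR_CONFUSABLES.items():
        d = d.replace(pair, single)
    return "".join(CONFUSABLES.get(ch, ch.lower()) for ch in d)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1):
    """Return ('trusted', name), ('lookalike', name) or ('unknown', None)."""
    # DNS is case-insensitive, so LOGREGLAN.IS really is the trusted host.
    if domain.lower() in trusted:
        return ("trusted", domain.lower())
    sk = skeleton(domain)
    # Exact skeleton collision, e.g. logregIan.is -> logreglan.is
    for t in trusted:
        if sk == skeleton(t):
            return ("lookalike", t)
    # Near miss: within max_distance edits of a trusted domain after normalisation
    for t in trusted:
        if edit_distance(sk, skeleton(t)) <= max_distance:
            return ("lookalike", t)
    return ("unknown", None)


def host_of(url: str) -> str:
    """Extract the host from a URL, preserving case (.hostname would lowercase it)."""
    netloc = urlsplit(url).netloc
    return netloc.rsplit("@", 1)[-1].split(":", 1)[0]


def check_email(body: str):
    """Classify every link in an e-mail body; returns [(url, verdict, trusted_match)]."""
    return [(u, *classify(host_of(u))) for u in URL_RE.findall(body)]


# Constructed sample body modelled on the summons e-mail described in the article.
SAMPLE_EMAIL = (
    "You are required to attend questioning on 30 October.\n"
    "Confirm your summons at https://logregIan.is/summons/confirm\n"
    "Official site: https://logreglan.is/\n"
)

if __name__ == "__main__":
    for url, verdict, match in check_email(SAMPLE_EMAIL):
        note = f"  (imitates {match})" if verdict == "lookalike" else ""
        print(f"{verdict:9} {url}{note}")
```

Run as-is, the script flags the first link as a lookalike of logreglan.is and passes the second as trusted. The skeleton comparison is done before lowercasing on purpose: lowercasing first would turn the capital I into an i, and the collision with the real domain would be lost. In a mail gateway the same function would be run over every link in every inbound message, with the allowlist populated from the organisation's own high-value domains (banks, government, payroll).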
Upon clicking the link, users were directed to the cloned website and asked to enter their social security number (SSN). This is normal practice in Iceland, where users confirm their SSN by logging in via their online bank accounts.
In a further twist to the scam, it appears the criminals were able to verify the social security numbers without using a bank’s services, possibly by cross-referencing the numbers with a previously leaked database of SSNs.
Victims were then presented with a file to download and told it was a document containing further information on their alleged offence.
As is the case with all these scams, the file was malicious; this particular file contained keylogging software used to steal banking details and online passwords.
The information was fed back to servers in Germany and Holland, but police believe that the text used within the email and website points to someone familiar with the Icelandic administrative system.
The malicious website has since been shut down, but it’s still unclear how many people have lost money or had their details stolen in the attack.
The email is thought to have targeted thousands of Icelandic residents, and with a population of 350,000, this makes it the country’s largest ever cyber-attack.
Victims have been instructed to change all their passwords and have their computers thoroughly cleansed of any malware.
To reduce your chance of falling for a phishing scam, you should never click on links or download attachments from unknown sources. Reputable organisations will never ask you to send sensitive information via email, so you should always treat any emails that ask you to provide this information with extreme caution.
MetaPhish has been designed to provide the first line of defence against phishing and ransomware attacks. Contact us for further information on how we can help protect your business from this growing threat.