fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

HMRC Phishing Scam Abuses Mail Service To Bypass Spam Filters

HMRC Phishing Scam Abuses Mail Service To Bypass Spam Filters

Threat actors are exploiting legitimate SendGrid mailing service to spoof HMRC phishing emails that bypass spam filters.

The known issue has been repeatedly exploited by scammers to evade detection from email security products, yet no concrete solution has been found yet.

Email delivery service abused for spoofing HMRC emails

SendGrid is an email delivery company providing infrastructure for sending out newsletters, promotional emails, and operational business emails such as shipping notifications.  

While SendGrid is itself a legitimate service, threat actors have been abusing some of its features to bypass spam filters and email security products.

A security researcher known as TheAnalyst shared information with BleepingComputer about an ongoing HMRC phishing campaign that uses SendGrid to bypass spam filters.

Spoofed email from HMRC using SendGrid
The spoofed email from HMRC coming from SendGrid appears legitimate to spam filters
Source: Twitter

The actual phishing webpages linked to in the email imitate the HMRC and GOV.UK design.

These pages comprise forms collecting sensitive user information such as:

  • Unique Taxpayer Reference (UTR) number
  • National Insurance Number (NINo)
  • Passport Number and expiry dates
  • Driving license number, with issue and expiry dates
  • Name, date of birth, and address information

Also Read: Data Centre Regulations Singapore: Does It Help To Progress?

The phishing page is hosted on what appears to be a compromised website: https://technicalzia[.]net/tax/

hmrc phishing page sendgrid
Phishing page collects sensitive details including passport and driving license number
Source: BleepingComputer

TheAnalyst told BleepingComputer, that the “legacy” accounts provided by SendGrid made the platform open to abuse by threat actors.

“In this specific case HMRC has a good DMARC record that makes most recipients to just junk them, but when [scammers] spoof other domains that actually have sendgrid in SPF/DMARC it’s much worse,” TheAnalyst explained to BleepingComputer.

To deliver this HMRC phishing campaign to their victims, the attackers spoofed the From email field with the tax collector’s outgoing email address: [email protected]

Because the scammers are using SendGrid’s delivery infrastructure, these emails “went straight through many mail filters,” explained the researcher.

An ongoing unsolved problem

SendGrid responded to TheAnalyst‘s report stating they try to keep their platform safe against such phishing actors.

The company advised reports of any malicious emails should be made to their Consumer Trust Team so they could be investigated and actioned upon.

sendgrid reply hmrc phishing
SendGrid response to TheAnalyst’s Twitter report

However, the researcher and other Twitter users didn’t seem convinced.

“This issue has been going on for at least half a year, and they have promised to fix it at the start of next year, but I’m not very sure.” 

“We are a Fortune1000 company and marketing uses Sendgrid, but I’m doing everything I can to have those contracts terminated so we can block them in SPF/DMARC,” TheAnalyst told BleepingComputer.

The researcher’s main concern is, while SendGrid continues to tell the users they’d solve the problem via domain ownership verification prior to allowing them to send emails, it is the “legacy” accounts that get compromised and are prone to abuse by scammers.

Also Read: What Is A Governance Framework? The Importance And How It Works

Over Thanksgiving, SendGrid’s platform was abused in a massive Zoom phishing campaign according to the researcher.

Thousands of users’ credentials had been stolen as a result of the attack.

When asked for more information, SendGrid’s parent company told BleepingComputer:

“Twilio is aware of this incident and has taken steps to investigate and resolve the problem. Twilio takes abuse of its platform and services very seriously.”

“It is always regrettable when an individual or organization is the victim of a phishing attack. As a best practice, we encourage users on our platform to take advantage of existing security controls to protect their accounts, such as using 2FA and IP Access Management, and encourage email senders to take full advantage of email authentication technologies to protect their domains from spoofing.”

“Additional information on best practices for protecting email accounts can be found [on SendGrid’s blog],” a Twilio spokesperson told BleepingComputer.

As the end of the year approaches, users should remain vigilant for any HMRC phishing and smishing tax scams.

Recipients of phishing emails with any mention of SendGrid are advised to forward such emails to abuse[at]sendgrid.com, and to not click any links within them.

Update 2-December-2020:Added quotes from Twilio. 

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us