5

Sometimes I realize that I receive phishing emails just after doing some operations on the web.

For instance, I was trying to pay taxes from my bank account (website was trusted 100%, I checked the signature), just after a few minutes I receive a phishing email from bank with a fake email address.

Timing was very close with this operation I have performed. I had the same feeling in the past with other phishing emails, but I always thought was just a case. I wonder if there are some way / chance that this is not just a coincidence.

schroeder
  • 129,372
  • 55
  • 299
  • 340
giuseppe
  • 151
  • 2
  • Targeted phishing might be a sign of "business email compromise", but I'm not sure if this applies to your case. But it might be some kind of phishing that is leveraging an infection on your machine, in order to make the emails more targeted and increase the chance of success. – reed Jul 08 '20 at 20:05
  • 3
    How did you navigate to your bank website? – Ángel Jul 08 '20 at 23:42
  • I was trying to pay universitiy fee. My University website redirected me to the paying service through bank. I was using Chrome but had to move to Edge. I repeated the procedure with Edge, logged in via University webpage etc. and just after few seconds I received the email. My bank account has a differen email registered. But the email where I received scam is a 15yrs old hotmail.it (Microsoft domain) the one I log-in with windows services. – giuseppe Jul 10 '20 at 21:07

3 Answers3

4

The key question is whether this is systematic and repeatable or not. Does it happen every time you visit your bank or even most of the time? If not, it's more likely you are dealing with a psychological phenomenon called confirmation bias. People tend to search patterns in everything, including random occasions.

Considering the amount of spam & scam email you get and the number of sites you visit it's probable you occasionally get a matching email right after visiting a site. Most of the time there's no correlation whatsoever, but the confirmation bias makes you ignore those occasions and concentrate on the coincidences.

I believe people here can come up with most imaginative explanations of different kind of possible ways your browsing could be compromised – and those are real mechanisms, too. However, the confirmation bias is a more probable explanation. Building targeted attacks like this would take a lot effort compared to any possible profit. Sending those phishing emails to random addresses is already profitable enough. Adjusting the scam based on browsing patterns wouldn't simply add anything, e.g. it does not increase reliability.

Esa Jokinen
  • 18,957
  • 6
  • 58
  • 61
0

The only ones knowing you were visiting the bank's website were you and, well, the bank.

So, assuming the bank hasn't been hacked and the HTTPS communication can be trusted, what other information might have leaked?

  • DNS query. When you connect to www.securesite.baz, a DNS query goes out (in the clear) and can be sniffed - for example - by your WiFi router. There have been instances in the past of routers that had been hacked, not so much as to be blatant, but enough to grass on their users' movements back to their command-and-control network. The next step is trying to hijack the DNS query altogether, but that's doomed to fail with all the new security measures in browsers against MitM attacks.

Do these occurrences happen only when you browse from a specific network (your home network, your phone's mobile data network, ...?).

  • resource URI snooping. Some browser extensions can request read access to the URI of network requests for "safe" media types - but if I see "https://www.securesite.baz/static/img/logo.png", that also tells me you've been visiting securesite.baz.

Does this happen with every browser? Consider disabling all extensions or researching them on the Internet.

  • indirect URI snooping. Most "invisible" malware hasn't enough access power to read your network calls, much less SSL system calls. But the browser caches a lot of information in known places that are accessible at the user level - both Firefox and Chrome keep much of that in a convenient SQLite format - so I can get some inkling of where you're navigating with you being none the wiser.

Can you try navigating with a new and trusted device from the same insecure network and see whether this elicits a phishing run or not?

One way of investigating might be trolling for bank sites. Run a search on all nearby banks and visit all their sites. Most low-access, light-fingered malwares won't be able to tell between a visit to the bank's privacy policy page and the opening of a juicy account. You can note down which sites you visited, how, when, and with which browser, and then see what comes out of the mailbox.

LSerni
  • 22,830
  • 4
  • 52
  • 60
  • It's possible that OP's visits to his bank's web site are also picked up by third party scripts installed on the site, such as those used for Google Analytics, Facebook Like Buttons, etc. – mti2935 Jul 08 '20 at 22:40
0

I can see two causes in this question.

  1. The emails may not be sent by someone, but can be locally created and sent if it bumps to a (some) trigger so its easier to monitor you, while the data itself can be remotely transferred to the thief, in this case your PC might be infected.

  2. You only think the time or site is corresponding with the fake email received, while in fact it may be actually received much later or it has nothing to do with your actions on the web.

CriticalSYS
  • 194
  • 1
  • 13