Real Estate Phishing Scams…Part 2

Part 2

In part 1, we looked at the trend of phishing attacks targeting the real estate business, including home buyers who unwittingly wired money (millions) to criminals. Recently, CNBC reported the story and followed up with an interview of PhishMe® CEO and Co-founder Rohyt Belani.

In part 2, let’s look at a few more real estate scams that the PhishMe team has seen.

“Kindly view and acknowledge…”

This first example was a phishing email with a link for the recipient to click and review a loan Closing Disclosure (“CD”) prior to funding. The link went to a phishing page spoofing the major webmail service providers, Microsoft, AOL, Google, and Yahoo.

The phishing page was hosted on a domain name registered the same day that included the term CD in the name: swefcdsdsgfd[.]com. The domain name appears to have been registered using a compromised email account. The stolen credentials were collected by ojewire@yandex[.]com, who also deployed the same phishing kit on the same day at werfdswdment[.]com.

A message from your friendly mortgage loan officer.

This one was a phishing message purporting to be from a mortgage loan officer. It had an attachment that was removed by the time we received it. The attachment could have been a PDF with a link to a credential phishing page, or it could have been malicious software seeking to take control of the victim’s computer.

Your mortgage offer has been amended.

Here’s a phishing message suggesting that the recipient log in to review an amended mortgage offer. The link led not to a Halifax login page but to a spoofed Outlook login page hosted on a compromised server.

“Please attend to this ASAP.”

Our final example was a phishing attack where the threat actor tried to give the message credibility and urgency. The attacker did so by making it look like it was forwarded from someone legitimate, who wanted prompt attention.  The “friendly” name of the sending email account spoofs a large brokerage company’s customer support team.

The simple message added was “Please attend to this ASAP,” and the seemingly-forwarded portion contains instructions to log in to DocuSign to review the “Revised mortgage.pdf.” However, clicking the link takes the victim to an “Office 365 Exchange Online” login page.

In real estate as elsewhere, attackers leave no stone unturned. With nationwide home prices still trending upward, there’s a lot of money on the line—and scammers are coming at it from every possible angle.

Don’t ever miss another threat – sign up for PhishMe® Threat Alerts today and receive updates on new and emerging phishing and malware threats, completely free.

Threat Actors Put a Greek Twist on Ransomware with Sigma
“All-in-One” Phish Gives Malaysians a Choice…of Phony Sites

Leave a Reply