This morning Malwarebytes Labs received a scam masquerading as a security alert from Uber. The alert was pretty convincing and used the kind of language we're used to seeing in genuine security emails and SMS messages. It read:
Your Uber account was recently logged into from iPhone in London. If this wasn't you, reset your password here: [URL redacted]
But what really caught our attention was that the fake security alert came from the phone number that the real Uber uses to send us messages. Of course that doesn't mean that Uber has been compromised, or that somebody at Uber is running the scam—caller ID spoofing is easy and scammers use it to make their messages appear to come from Uber.
Because it spoofed the real Uber number, the scam security message appeared alongside all the real security messages we get from Uber.
We noticed that the message was a scam because the domain name (the part of the address that ends in .com) just didn't look right. Although it contained the word "uber" it wasn't the official Uber domain name, uber.com.
We looked it up and discovered the domain name had only been created today.
Creation Date: 2021-09-24T02:13:38Z
Because scam sites get shut down very quickly, scammers get through a lot of "burner" website names that live and die within days. Most companies' domain names have been around a while, so a very recent creation date is a big red flag.
Another quick check revealed that this absolutely brand new website was hosted in Russia. There's nothing wrong with hosting websites in Russia, but it isn't where Uber keeps its websites.
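The two checks described above (an unofficial lookalike domain and a freshly registered one) can be automated. The script below is an added example for this article, not code from Malwarebytes; the WHOIS text, the URL, the trusted-domain list and the 30-day threshold are constructed assumptions, and the domain extraction is deliberately simplified (it keeps the last two labels and does not consult the public suffix list).

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumptions for this example: the brand's official domain(s) and what
# counts as a "very recent" registration.
OFFICIAL_DOMAINS = {"uber.com"}
BRAND_KEYWORD = "uber"
MAX_AGE_DAYS = 30

# Constructed WHOIS output; only the creation date is taken from the article.
SAMPLE_WHOIS = """\
Domain Name: UBER-ACCOUNT-VERIFY.EXAMPLE
Registrar: Example Registrar, Inc.
Creation Date: 2021-09-24T02:13:38Z
Updated Date: 2021-09-24T02:13:38Z
"""

def parse_rfc3339(value: str) -> datetime:
    """Parse a timestamp such as 2021-09-24T02:13:38Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def registrable_domain(url: str) -> str:
    """Simplified: last two labels of the hostname (no public suffix list)."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def whois_creation_date(whois_text: str):
    """Return the 'Creation Date:' value from WHOIS text, or None if absent."""
    m = re.search(r"^Creation Date:\s*(\S+)", whois_text, re.MULTILINE)
    return parse_rfc3339(m.group(1)) if m else None

def assess_link(url: str, whois_text: str, now: datetime) -> list:
    """Return the red flags the article describes for a link in a security alert."""
    flags = []
    domain = registrable_domain(url)
    if domain not in OFFICIAL_DOMAINS:
        flags.append(f"domain {domain} is not an official {BRAND_KEYWORD} domain")
        if BRAND_KEYWORD in domain:
            flags.append("brand name used inside an unofficial domain (lookalike)")
    created = whois_creation_date(whois_text)
    if created is None:
        flags.append("no creation date found in WHOIS")
    elif now - created < timedelta(days=MAX_AGE_DAYS):
        flags.append(f"domain registered {(now - created).days} day(s) ago")
    return flags

if __name__ == "__main__":
    checked_at = parse_rfc3339("2021-09-24T13:00:00Z")  # constructed "now"
    for flag in assess_link("https://uber-account-verify.example/reset", SAMPLE_WHOIS, checked_at):
        print("RED FLAG:", flag)
```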
Confident that we were looking at a scam, we created some fake personal details, fired up a Tor browser and jumped into the rabbit hole.
The scam site
The scam site had borrowed enough Uber branding to look convincing, and like all good scam sites it had a valid security certificate and a padlock icon. A useful reminder that the padlock tells us our connection to the site is secure, but says nothing whatsoever about how secure or trustworthy a site is. Nothing.
Page one, pretty vacant
Page one asks us for our phone number. It looks good but under the hood the scammers have done as little work as possible:
- We entered a temporary SMS number instead of our real number, but it also worked without one, because the scammers don't actually care about capturing your phone number.
- The "Or connect using a social account" link looks convincing but it's fake. It isn't broken, it's just window dressing that was never designed to work.
Page two, the story changes
The next page tells us that we've been locked out of our account and need to verify our identity.
We've detected suspicious activity on your Uber account and have temporarily locked it as a security precaution.
Over the next few steps we'll ask you to verify your identity to help secure your account, and let you log back in.
Remember that the initial SMS message only told us we had to reset our password. The scammers are slowly changing the message here because what they really want is a credit card number.
Page three, ID theft
On the next page the scam site asks for some personal details. This page could be here to steal our ID, or it could just be here to get us comfortable typing in our details, so we don't think twice when we're asked for our credit card details on the next page.
Whatever it's for, they didn't get anything useful from us. A "burner" site deserves nothing more than a burner ID.
Page four, billing details
Page four of the scam site asked us for both our credit card details and our bank account details. This, presumably, is the whole point of the scam.
At this stage it's worth recalling that the scammers originally told us we needed to change our password, and later changed the story, telling us we needed to verify our identity. Now we are being asked for "billing details" and there is no mention of verifying our identity.
The scammers are presumably hoping that we will simply respond to the cues on the page—the familiar title "Billing details" and the usual set of credit card input fields—and won't think about how we got here.
This page is the reddest of red flags.
It goes without saying that this isn't how you verify your identity. And remember that the scammers contacted us pretending to be Uber and we "fell" for their scam because we are Uber users. Which means Uber already has our credit card details and there is no reason for us to tell them again.
Plausible-looking credit card numbers are easy to generate, so we fed the scammers some fake details and continued on.
Page five, success?
The last page of the site tells us we have successfully verified ourselves. The purpose of this page is to reassure us that everything is OK, and that nothing is out of the ordinary, before sending us to the real Uber website.
Final page, the real Uber website
The scam site's last act is to redirect our browser to the real Uber home page. The longer we hang about on the scam site the more likely we are to notice things that aren't right, so as soon as they have our details the scammers send us on our way. Sending us to the real Uber site presumably also allows us to reassure ourselves that our "locked account" now works.
How not to spot a phish
This scam is a great example of things that can help you spot a scam, and the things that you might hope would help you, but actually work against you.
Things that didn't help
- Caller ID. Caller ID spoofing is easy and you can't rely on your phone to tell you who a call or message is from.
- The padlock icon. Anyone can give their website a padlock icon, which is a good thing—it indicates you have a "secure line" to that website—but it says nothing about the website itself, and never did.
Things that did help
- The site did not use Uber's official domain name. The domain name looked plausible, but it was wrong.
- The story changed. Step-by-step the scammers had to change their story from "reset your password" to "enter your billing details" to get what they wanted.
- The scammers asked for things Uber would already know. Our familiarity with Uber is what made the scam believable, but it also gave us an opportunity to spot it.
- Scammers always ask for something valuable, urgently. Although scams come in many different forms, they normally boil down to somebody asking for valuable information urgently. If somebody asks you for valuable information, urgently, and out of the blue, treat it as a red flag and take your time.
Because the scam happened in the UK, we reported it to the UK's National Cyber Security Centre (NCSC). We also added it to Malwarebytes Browser Guard, and reported it to Google Safe Browsing.
Although this site was quickly closed down, it's likely there are others, and it will be easy for the scammers to spin up many more identical replacement sites on new domain names, so please be careful!