OP 10 November, 2024 - 09:04 PM
As the winter season kicks in, scammers are not missing the chance to target senior British residents with bogus "winter heating allowance" and "cost of living support" scam texts.
The scam campaign is opportunistic given the UK government's recent controversial stance on cutting winter fuel payments from approximately 10 million pensioners across Britain.
Lookalike GOV.UK pages
Scammers have been texting British residents this week with bogus "winter heating allowance" messages, prompting them to visit illicit domains that harvest personal and payment information from unsuspecting people.
The development is worrying given the recent news of the UK government making changes to the current Winter Fuel Payments program aimed at helping pensioners born before 23 September 1958 with the costs of keeping their homes warm during the cold season.
Every year, the UK Department for Work and Pensions (DWP) provides Winter Fuel Payments to assist people of pension age with heating costs. Recently, however, the Government announced plans to reduce the number of people who qualify for this credit to around 1.5 million pensioners, a sharp decline from the 11.4 million who received it last year.
BleepingComputer has come across such misleading scam texts this week prompting you to "fill in the application form as soon as possible" so as not to miss out on these payments.
[Image: Winter fuel payment scam texts sent to UK residents (BleepingComputer)]
One such text, sent to us from +44 (0) 7908 408671, cautions the recipient with a "last notice" to respond before November 12th so that they receive their winter fuel credit in time.
The text urges the recipient to click on a link, leading them to a lookalike GOV.UK page:
Please note that the government has decided that the Winter heating_allowance and Cost of Living_support for 2024 have been fully implemented, you have met the requirements, please be sure to fill in the application information as soon as possible, we will release the money to you within 3days, please note that check, this will be the last notice to you, the online application channel deadline is November 12.
hxxps://bit(.)ly/40Ku5d7?...
Thank you for your cooperation.May you have a wonderful and warm winter.
The URL forwards the recipient to a webpage hosted on the domain noticesgove[.]top, which appears to be a GOV.UK page on mobile devices. The domain name, which strings together "notices," "gov," and "e," is likely an attempt, albeit an unrefined one, to make the site look authentic.
These phishing pages first attempt to persuade the recipient into handing over their personal information, and then ask for payment details.
Interestingly, the threat actors made an error. BleepingComputer observed that the "Cardholder" (Name) field on mobile devices accepts only numerals for input, much like a credit card number.
[Image: Fake GOV.UK pages hosted on the scam site (BleepingComputer)]
Around 600 unique domains identified
Cybersecurity researcher Jake also shared with BleepingComputer a list of 597 unique domains related to this campaign, which speaks to its scale and the effort invested in it by the threat actors.
https://x.com/JCyberSec_/status/1851309505004331029
Clever campaign works only on mobile
The phishing website is clever in that it only serves the bootleg GOV.UK pages on mobile devices.
Attempting to access the noticesgove[.]top domain from a computer presents the user with the following screen, stating that the domain in question is for sale:
[Image: Fake "domain name... is for sale!" screen shown to PC users (BleepingComputer)]
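The two mechanics described above, a government-themed lookalike domain hidden behind a shortened link and a landing page that only shows the phishing form to mobile clients, are the kind of thing an analyst checks for when triaging a reported text. The Python below is an added illustration, not BleepingComputer's tooling and not anything taken from the campaign: it scores a message for smishing indicators and compares a desktop and a mobile fetch of the same URL for cloaking. The message quoted earlier is used as sample input; the second sample message, the two HTML bodies, the shortener list, the brand tokens and the urgency phrases are all constructed assumptions.

```python
"""Smishing triage helpers (added example, not the article's or any vendor's code)."""
import re
from urllib.parse import urlparse

# Assumed list of URL shorteners that hide the real landing domain from the recipient.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}

# Brand tokens a genuine UK government message would only use under gov.uk (assumption).
GOV_TOKENS = ("gov", "hmrc", "dwp")

# Urgency cues typical of this campaign (assumed list, matched case-insensitively).
URGENCY_PATTERNS = [
    r"\blast notice\b",
    r"\bas soon as possible\b",
    r"\bdeadline\b",
    r"\bwithin \d+\s*days?\b",
]

# Accepts both live and defanged (hxxp, [.], (.)) links as they appear in reports.
URL_RE = re.compile(r"h(?:xx|tt)ps?://[^\s<>'\"]+", re.IGNORECASE)

# Markers of a domain-parking page, as shown to desktop visitors in the article (assumed list).
PARKED_MARKERS = ("is for sale", "buy this domain", "domain name")


def refang(url):
    """Turn a defanged indicator back into a parseable URL."""
    return url.replace("hxxp", "http", 1).replace("(.)", ".").replace("[.]", ".")


def host_of(url):
    return (urlparse(refang(url)).hostname or "").lower()


def is_official_gov(host):
    return host == "gov.uk" or host.endswith(".gov.uk")


def is_gov_lookalike(host):
    """A government brand token inside a host that is NOT under gov.uk is a lookalike cue."""
    if is_official_gov(host):
        return False
    return any(tok in host for tok in GOV_TOKENS)


def triage_sms(text):
    """Return a list of human-readable findings for one SMS body."""
    findings = []
    urls = URL_RE.findall(text)
    for url in urls:
        host = host_of(url)
        if host in SHORTENER_HOSTS:
            findings.append(f"shortened link hides landing domain: {host}")
        if is_gov_lookalike(host):
            findings.append(f"government lookalike host outside gov.uk: {host}")
    lowered = text.lower()
    for pattern in URGENCY_PATTERNS:
        if re.search(pattern, lowered):
            findings.append(f"urgency cue: {pattern}")
    gov_theme = any(w in lowered for w in ("government", "allowance", "cost of living", "dwp"))
    if gov_theme and urls and not any(is_official_gov(host_of(u)) for u in urls):
        findings.append("government theme but no gov.uk link")
    return findings


def looks_parked(html):
    """Heuristic: stripped page text reads like a 'domain for sale' parking page."""
    body = re.sub(r"<[^>]+>", " ", html).lower()
    return any(marker in body for marker in PARKED_MARKERS)


def cloaking_suspected(desktop_html, mobile_html):
    """Desktop gets a parked page while the same URL serves a data-entry form to mobile."""
    mobile_has_form = bool(re.search(r"<form\b|<input\b", mobile_html, re.IGNORECASE))
    return looks_parked(desktop_html) and not looks_parked(mobile_html) and mobile_has_form


# Sample 1: the text quoted in the article (defanged link kept as published).
SAMPLE_SMS = (
    "Please note that the government has decided that the Winter heating_allowance and "
    "Cost of Living_support for 2024 have been fully implemented, you have met the requirements, "
    "please be sure to fill in the application information as soon as possible, we will release "
    "the money to you within 3days, please note that check, this will be the last notice to you, "
    "the online application channel deadline is November 12. hxxps://bit(.)ly/40Ku5d7?... "
    "Thank you for your cooperation.May you have a wonderful and warm winter."
)
# Sample 2 (constructed): the same theme linking straight to the lookalike domain from the article.
SAMPLE_SMS_LANDING = "Winter heating allowance: apply now at hxxps://noticesgove[.]top/"
# Constructed HTML standing in for what a desktop and a mobile client would receive.
SAMPLE_DESKTOP = "<html><body><h1>The domain name noticesgove.top is for sale!</h1></body></html>"
SAMPLE_MOBILE = '<html><body><h1>GOV.UK</h1><form><input name="cardholder"></form></body></html>'

if __name__ == "__main__":
    for finding in triage_sms(SAMPLE_SMS):
        print("-", finding)
    print("cloaking suspected:", cloaking_suspected(SAMPLE_DESKTOP, SAMPLE_MOBILE))
```

The domain check is deliberately a heuristic: a host such as governance-example.com would also trip the "gov" token, so the findings are triage hints for an analyst rather than a verdict. The cloaking check assumes the analyst already fetched the URL twice with different User-Agent headers from an isolated environment and is only comparing the saved bodies.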
UK Police's Regional Organised Crime Unit (ROCU) Network has warned pensioners to beware of scam texts claiming to be Government departments and offering winter heating subsidies.
"Scam text messages talking about winter heating subsidies, and other support, are being sent claiming to be from the Department of Work and Pensions and the Home Office to try to trick unsuspecting recipients into believing they will receive a heating subsidy," states the police unit.
"The scam includes a link that directs users to a fake government website designed to gather personal information."
"The messages contain links where you may be asked to provide personal details or make a payment."
People should refrain from clicking such links and from providing personal information or payment details.
Scams like these can be reported to the National Cyber Security Centre. Suspected scam texts should be forwarded to 7726 (which spells 'SPAM' on an alphanumeric keypad) to initiate a report to your mobile service provider for investigation. Phishing emails can be forwarded to report@phishing.gov.uk. Users may also opt to report scams to Action Fraud.
Update, November 10th, 2024 05:05 AM ET: Added a section on around 600 domains being associated with the campaign.