article featured image


In the world of online security, two things are clear: phishing remains a top threat, especially against online shoppers, and the cleverest attacks still target payment processors and financial companies. 

This week we observed a new Nets.eu phishing campaign, designed to piggyback off the popularity of this major company that provides the acquiring agreements for merchants to accept online payments. 

Instead of sending off compromised emails with phishing links that seem to appear from online stores or banks, malicious actors now move deeper in the payments processing link in the hopes of tricking users to willingly give up their login credentials. 

Nets, one of the biggest payments processors in Europe, has constantly seen its name hijacked and used in phishing scams. Just how big the scope of the issue is? 

So far, out of the tremendous number of compromised domains blocked by Heimdal™ Threat Prevention, our researchers have observed 1535 domains containing variations on the name “Nets”, a lot of them with .dk or .de extensions to lend “legitimacy” to the URLs.  

The way this phishing attack is structured, it can fool even educated internet users.  

First off is the original malicious email, which alerts the receiver that Nets recorded a suspicious payment made outside of Denmark. It also prompts the receiver to take action to cancel a transaction and get a refund. 

To add even more legitimacy to the scam, the email even includes a CVR number, the unique identifier for any business registered in Denmark’s Central Business Register. However, a quick eye might notice bits of broken HTML code preceding that CVR number. 

Once clicked, the user is taken to “netsbeskytte.life/index.html” (a website quickly taken down once the email was flagged as spam) and asked to input their credentials. This page is the same whether visiting HTTP or https, which can prompt some browsers to disregard its malicious nature. 

Because it looks like a private portal hosted by a financial company, users don’t expect the URL to look particularly user-friendly, so they would go along with inputting their personal information in the fields.  

On Chrome and Firefox, the browser makes it clear that the user should proceed no further.  

On Internet Explorer, however, there is absolutely no alarm drawn over the lack of a security certificate or the potentially dangerous URL.  

This is doubly problematic since a lot of Outlook users leave Internet Explorer as a primary browser. 

As phishing continues to grow at an exponential rate, we urge online shoppers (and everyone else!) to exercise double caution in clicking any link received via email. If that link redirects to a page that demands your login, open a separate browser, Google search the service in question and perform the operation from the legitimate website 

As an extra rule of thumb, be extra suspicious of any email that comes from a bank, a payment processor or an online store, especially if it tries to warn you of fraudulent payment.  

Because attacks like this one come and go with incredible speed, with malicious websites being taken down and reuploaded on a different address as soon as a security researcher discover them, it’s important that users know how to prevent phishing. 

We put together these 4 resources to learn to protect yourself from phishing and other online attacks designed to obtain your sensitive information: 

*This article features cyber intelligence provided by CSIS Security Group researchers.

Author Profile

Ana Dascalescu

Cyber Security Enthusiast

The Atlantic wrote about cyberflâneur and I think that's the best way to describe myself. Or maybe a digital jack-of-all-trades with a long background in blogging, video production and streaming. I spend my waking hours snooping through online communities of all types, from Reddit to security forums, from gaming blogs to banal social media platforms like Instagram. Sometimes I even contribute to those communities.

Leave a Reply

Your email address will not be published. Required fields are marked *