Remove “Patvirtinkite el. pašto adresą – (SB-rVjHPzRNz8Wzlp)” phishing email

Companies operating in Lithuania are reportedly being targeted by a “Patvirtinkite el. pašto adresą – (SB-rVjHPzRNz8Wzlp)” phishing attack that aims to steal their Swedbank online banking login credentials. The email is disguised as a notification from Swedbank, supposedly informing the recipient that a customer is trying to update their account, and this action needs to be confirmed by the recipient. If users interact with this email and click on the provided button/link, they will be taken to a phishing site that imitates swedbank.lt and asked to log in to their bank accounts.

 

 

This “Patvirtinkite el. pašto adresą – (SB-rVjHPzRNz8Wzlp)” phishing email is targeting companies operating in Lithuania, specifically those that use Swedbank’s services. The email is disguised to look like a notification email from Swedbank, and claims that the recipient needs to confirm an account update on their website initiated by a customer. The email has a button that users are requested to click to confirm the supposed account update.

The full email is below:

Tema: Patvirtinkite el. pašto adresą – (SB-rVjHPzRNz8Wzlp)

Sveiki,

Gavote šį laišką, nes vartotojas nori atnaujinti paskyrą puslapyje.

Norėdami patvirtinti paspauskite šią nuorodą:

Prisijungti

Su geriausiais linkėjimais,

Turite klausimų? Mes turime atsakymus.

Dažnai užduodami klausimai: https://swedbank.lt

Below is a translation of the phishing email:

Subject: Confirm email address – (SB-rVjHPzRNz8Wzlp)

Hello,

You have received this email because a user is trying to update their account on your site.

In order to confirm this action, you need to click on this link:

Log in

Best wishes,

Have questions? We have the answers.

FAQs: https://swedbank.lt

If recipients click on the button/link, they will be taken to a phishing site that closely imitates the legitimate swedbank.lt site. The text in the phishing site is copied and pasted from the legitimate site, and the design is very similar. However, the phishing site’s URL is completely different. The URL clearly indicates that it’s a phishing site, and more cautious users should immediately notice the deception.

The phishing site asks users to log in to their bank accounts using one of the five methods. If users type in the login credentials, they will be immediately transferred to the malicious actors operating the phishing campaign. The stolen login credentials would likely be immediately entered into the legitimate Swedbank website, so users will receive real prompts on their devices to confirm the login attempt. Users may not even realize what is happening because the login attempt would seem entirely routine. But if they confirm the login attempt on their devices, malicious actors operating this phishing campaign would gain access to the bank account. This could cause severe financial damage.

This “Patvirtinkite el. pašto adresą – (SB-rVjHPzRNz8Wzlp)” email has all the signs of a phishing attempt

This phishing email is not particularly sophisticated, but it may trick users who are not particularly attentive. As long as users pay attention, they should notice all the signs. The very first thing that makes it clear this is a phishing attempt is the sender’s email address. All emails sent by Swedbank will be sent from email addresses that end in swedbank.lt. This phishing email is sent from support@mail.exelensat.ladesk.com, so just by checking the sender’s email address, users should be able to tell the email is malicious.

What’s more, uses a generic “Hello” to greet the recipient, while a legitimate email from Swedbank would address them by name. The email is also written very awkwardly, indicating that an automatic translation service was used to translate the email into Lithuanian.

Lastly, even if users do not notice the signs in the email itself, they should notice that the phishing site’s URL is not legitimate. ojvr1ybr0v4uheug.tntswiftexpress.com in no way resembles swedbank.lt, so it’s an immediate dead giveaway.