Phishing with fake automobile brochures
The used car trade is booming like never before—especially online. The multitude of platforms and digital marketplaces makes business easier, but also attracts criminals. Prospective buyers are always potential targets for fraudsters who use increasingly sophisticated scams to try to obtain money or sensitive data. One particularly dangerous scam is phishing with fake car catalogs. Victims receive seemingly professional offers in the mail, but these are actually the work of organized cybercriminals.
Dream cars become a trap
Phishing with car catalogs is a targeted and professionally executed scam in which supposed car dealers—usually in the name of well-known brands such as Audi, Mercedes, Volkswagen, or Sixt, or sales portals—send out deceptively genuine brochures. These can be PDFs or links to websites. The aim of such fraudulent activities is to lure potential buyers with particularly low prices and persuade them to pay deposits, fees, or down payments.
These brochures usually contain detailed information, vehicle images, and promises regarding equipment, maintenance, and condition. Very often, apart from the contact information, these catalogs are at least seemingly identical to actual, authentic brochures from the respective providers. The offers shown are then intended to encourage the purchase of non-existent vehicles.
In the automotive industry, vehicles are repeatedly offered from the area of discounts, so-called company property, or as short-term bargains from “warehouse surpluses.”
Source: urlscan
From bait advertising to money transfer: the typical process
The scam usually unfolds in several stages:
It starts with an advertisement or catalog. However, very often the scam begins with a phishing email with a car brochure attached. The criminals pretend to be reputable dealers, exporters, or manufacturers.
The cars on offer either do not exist at all, or the advertisements have been posted online using stolen photos and data. Very low prices and the prospect of a quick, uncomplicated transaction are used to persuade the victim to conclude the deal quickly.
The criminals then express their interest and send buyers fake purchase contracts, official-looking documents, invoices for alleged parking fees, shipping costs, or deposits. Finally, they demand that the money be transferred to foreign or private accounts. As a rule, the vehicle described and the supposed contact persons do not exist – after payment, contact is abruptly broken off.
The dangers are considerable: victims of phishing attempts often lose several thousand euros – and the chance of getting their money back is usually slim, as the recipient accounts or payment methods (such as Western Union, fake escrow services, or anonymous payment service providers) have been deliberately chosen to cover their tracks.
How can I protect myself from phishing with car catalogs?
As a general rule, you should be suspicious if you receive a brochure or offer that you did not explicitly request. Unusually low prices, requests for advance payments, or fees for shipping or deposits are also unusual and indicate fraud.
Checking sender addresses and domains can also be crucial: Fake addresses or addresses that look very similar to the actual domains are a good indicator for recognizing phishing. To detect fraud, it is therefore very important to carefully check the sender’s email address.
If in doubt, we recommend contacting the company via officially known contact channels.
As this detailed analysis on MSXFAQ makes clear, it is difficult to use domain reputation checks to detect this type of phishing. The example cited shows that the criminals configured a strict SPF record, a valid DKIM signature, and a DMARC policy for the domain “autoland-gebrauchtwagen.de.” These entries were also configured for the real domain “autoland.de” – however, even DMARC p=reject and spf=-all do not help if the attackers simply use a similar-sounding domain.
URL Safeguard blocks dangerous links
The best way to prevent such attacks in the future for yourself and others is to report them–conveniently in NoSpamProxy via the web app or the NoSpamProxy Command Center. This allows the respective links to be blocked or placed on block lists, which prevents further attacks.
The URL Safeguard in NoSpamProxy, in conjunction with the 32Guards metadata service, ensures that access to links is prevented if they are identified as malicious after delivery. This time-of-click protection makes it possible to recheck links in emails each time they are clicked.
If the PDF files sent by criminals contain malware, the content filter in NoSpamProxy protects against this with content disarm and reconstruction: attachments in PDF, Word, and Excel formats are converted into non-critical PDF files automatically and based on rules. In addition, active content (JavaScript, Flash) is removed from PDF files. This ensures that the recipient receives an attachment without malware or ransomware.
Not yet using NoSpamProxy?
With NoSpamProxy and the 32Guards Sandbox Service, you can reliably protect your company from dangerous phishing emails and benefit from many other security features. Request your free trial now!
