Allegro is again targeted by cyber criminals. Actually, Allegro users. Hackers send emails impersonating this well-known e-commerce platform. Under the guise of having to log into the site, they steal user data.
History happened to one of our readers. This is not the first and probably not the last attempt to impersonate Allegro. Congratulations on your perceptiveness, even at this stage, and thank you for informing the editors. Let's quote the email we received:
just a moment ago I received such an e-mail and to be honest I even got fooled by it, namely I clicked on the link ACCEPT. Only after entering the login and password, I realized that the address in the browser does not belong to Allegro. Of course, I immediately changed the password to my account in allegro.
The page that opened after clicking on ACCEPT is really confusingly similar to allegro and that confused me. Maybe it's worth warning others …
False change of regulations
Morning hours. A message arrives at the company's inbox that does not arouse suspicion. Oh, another information from Allegro and changes in the regulations. They only ask you to log in and accept the new arrangements.
You can see some inaccuracies right away, but let's not blame our reader for not noticing the fraud at this stage. Not everyone looks perfectly at all the small details in each email, the more that probably a lot of messages come to the inbox of the store and you can fall into a routine or just hurry up with work.
Theoretically, the content of the e-mail is beyond doubt, except for two typos. No spaces between the words 'carry out the standard' and the petiole in the word 'ACCEPT'. There are probably no other major mistakes. At least from the language correctness side. Many similar emails are written like on a knee by a half-literal alphabet and you can feel a fake from a kilometer. For this, the request to accept the regulations after logging in (with the emphasis on its routine) is a strange practice.
It's hard for us to say what it's like for companies. But private users only have information about new conditions and automatic consent. Only the lack of willingness to accept changes must be associated with action on their side. In addition, the phrase "we are forced to carry out standard acceptance" does not quite stick to the image.
Lipne Allegro not for Chrome and Firefox
Just click "ACCEPT" and you will be transferred to Allegro. At least a site very similar to it. Our reader noticed the mistake only after entering the login and password, but soon changed the login details. Well, probably at the last moment.
After a moment of checking, it turned out that the link is already in the crosshairs in some web browsers. The Google Safe Browsing filter (checks whether the URL is trying to impersonate another known address) effectively blocks attempts to access this very suspicious address at first glance – allegro (dot) pl-Nowe-regulamini7913 (dot) uhu362 (dot) com / 3219 /
Users of Google Chrome, Safari, Firefox, Vivaldi and GNOME Web will receive an appropriate message about a phishing attempt. After noon tests on Firefox, Chrome, Opera and Edge showed lack of resistance of the last two browsers. The page was loading normally. A moment before the article was published, we checked the mechanisms again and Opera was already successfully filtering the page, Edge still not.
A case with a Russian thread
Let's go back to the email for a moment. Recently, we reported about a similar procedure, but aimed at potential customers (and even random people, after all, our editorial office does not have the service described, and we got such a surprise directly in the company inbox) of Pekao S.A. and offers from Pekao24Makler. At that time, the address did not arouse suspicion, because the message allegedly came from Pekao24@pekao.com.pl. It was only in the source that the real sender was visible.
The case from Allegro is less well thought out, because the notifications @ allegrom appear immediately (dot) pl. An email with a small note of one mismatched letter, though it's not a monster like the address of the page itself. A moment of checking and we learned that cybercriminals registered their mailbox (or at least its allegrom domain (dot) pl with IP 220.127.116.11) on the Polish website Domeny.pl, and the portal pretending Allegro sits on the resources of MAROSNET Telecommunication Company LLC (marosnet.ru ) and has IP 18.104.22.168.
Let us not let others rob us
The interference of the relevant authorities will be simple on the occasion of the mailbox, however, the procedures taken to disable the site may take much longer due to placing it on a foreign Russian server. We will forward the matter to Allegro.
In such cases, it's worth interfering quickly and not only not to be fooled yourself, but to notify the appropriate authorities (the company that the impersonators are impersonating, the police or, as in our case, our editorial staff). This could save some more potential victims from phishing sensitive data.
What could have happened next? Take control of the account. Our reader's company would continue to display and sell its product range, and probably money after swapping the bank account details would end their journey with cybercriminals. Although it could also end up displaying illegal (originating from theft) items on the side or other unpleasantness.
Allegro is well aware of such attempts to phishing login details. That's why he introduced the two-step login method. In addition to the login and password, a one-time unlocking number with SMS is given. The function is not required, but its activation significantly increases the level of security. Logging on to another computer or even a new browser will trigger a PIN query with an SMS. Basic data alone is not enough to take control.
It's worth using additional authentication methods. Currently, players have a lot of good in this field, because the required additional code can be turned on e.g. in Steam or Epic Games Store. It is not always the PIN from the SMS. It can also be a string of characters received by email or a mobile application. In addition, the mechanism can usually be activated in two ways. As an option for each request for this verification method or only when logging in to a new device.