A new phishing campaign targeting Indian banking customers has been discovered in which phishing sites collect victims’ banking credentials and personally identifiable information (PII). After the details are stolen, an Android SMS-forwarding malware is downloaded to the victims’ devices as well. The campaign was uncovered by CloudSEK’s Threat Research and Information Analytics team, which identified several domains built on the same template.
The phishing attempt starts when victims arrive at the malicious websites, usually through social engineering. Attackers can send the link to the sites in an SMS made to look as if it comes from a bank or another service provider. They typically create a sense of urgency so that users do not take time to think before clicking the link. The domains identified by the researchers pose as fake complaint portals.
Once users fill out sensitive banking information such as card number, CVV and expiry date on the fake complaint portal, a malicious customer support application named Customer_Soppor_Srvice.apk is downloaded to the user’s device. Sometimes users are given a fake customer support ticket and told to install the app to track the progress of their complaint. During installation, the app asks for two permissions: to send and to receive SMS.
After installation, the malicious application forwards all incoming messages on the victim’s phone to servers controlled by the scammer. The attackers have not used the logos or names of Indian banks, in order to avoid attracting suspicion and detection. The malicious app is not hosted on the Google Play Store or on any third-party application store.
An analysis of the application’s source code revealed that the malicious application is based on an open-source GitHub project called “SMS-Forward.” Scammers can combine the stolen card details with the OTPs forwarded from the users’ phones to conduct unauthorised banking transactions and other malicious actions.
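The permission combination described above (receive SMS plus a way to send data out) and a broadcast receiver registered for incoming SMS are the indicators an analyst looks for when triaging a sideloaded APK like the one in this campaign. The following Python script is an added example, not code from the original report or from CloudSEK: it parses a decoded AndroidManifest.xml (for a real APK you would first decode the binary manifest, for instance with `apktool d app.apk`) and flags the SMS-forwarding pattern. The two manifests embedded below are constructed samples; the package names, class names and labels are invented for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS  # attribute key for android:name

# Permissions that let an app read or intercept SMS (OTP theft) or send SMS out
READ_SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
EXFIL_PERMS = {"android.permission.SEND_SMS", "android.permission.INTERNET"}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample: mimics the pattern of an SMS-forwarding "support" app
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakesupport">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Customer Support">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary app with no SMS access
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""


def triage_manifest(xml_text):
    """Return a dict describing SMS-related capabilities found in a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}

    # Receivers that subscribe to the SMS_RECEIVED broadcast see every incoming message
    sms_receivers = [
        recv.get(NAME)
        for recv in root.iter("receiver")
        if any(a.get(NAME) == SMS_RECEIVED_ACTION for a in recv.iter("action"))
    ]

    can_read_sms = bool(perms & READ_SMS_PERMS)
    has_exfil_path = bool(perms & EXFIL_PERMS)

    indicators = []
    if can_read_sms:
        indicators.append("requests SMS read/receive permission")
    if sms_receivers:
        indicators.append("registers a receiver for incoming SMS")
    if can_read_sms and has_exfil_path:
        indicators.append("can read SMS and send data out (forwarding pattern)")

    return {
        "package": root.get("package"),
        "sms_permissions": sorted(perms & (READ_SMS_PERMS | EXFIL_PERMS - {"android.permission.INTERNET"})),
        "sms_receivers": sms_receivers,
        "indicators": indicators,
        # Only the read-plus-exfil combination is treated as the high-risk verdict
        "suspicious": can_read_sms and has_exfil_path,
    }


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], "->", "SUSPICIOUS" if result["suspicious"] else "ok")
        for ind in result["indicators"]:
            print("   *", ind)
```

The verdict deliberately keys on the combination of reading SMS and having a path to move data off the device, because a legitimate messaging app may hold SMS permissions alone; an app distributed outside any store that matches this pattern should be treated as a likely OTP stealer and removed.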