A new phishing campaign targeting Indian banking customers has been uncovered where phishing sites collect banking credentials and Personally Identifiable Information (PII) from victims. Once the details are stolen, Android SMS transfer malware is also downloaded on their devices. This was discovered by CloudSEK’s Threat Research and Information Analytics, which found multiple domains working on the same pattern.
The phishing attempt starts when victims arrive at the malicious websites by some means, usually through social engineering. Attackers could send the link to the sites in an SMS purporting to be from a bank or other service provider. They usually create a sense of urgency so that users don’t take time to think before clicking on the link. The domains identified by the researchers present themselves as bogus complaint portals.
After users fill in sensitive banking information such as card number, CVV number and expiration date on the fake complaint portal, a malicious customer support application named Customer_Soppor_Srvice.apk is downloaded to the user’s device. Sometimes users receive a fake customer support ticket and are asked to install the app to track the progress of their complaint. When installed, the app asks for two permissions: to send SMS and to receive SMS.
After installation, the malicious app is used to forward all incoming messages on the victim’s phone to servers controlled by the scammer. The attackers did not use Indian bank logos or names, to avoid raising suspicion and detection. The malicious app is not hosted on the Google Play Store or on third-party app stores.
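The behaviour described above, an app that asks for SMS send/receive permissions and registers to intercept incoming messages so it can relay them, leaves a recognisable footprint in the APK manifest. The following is an added example, not code from the article or from CloudSEK, of a static triage check a defender could run over a decoded AndroidManifest.xml (for instance as produced by apktool). The manifest, package name and receiver class in it are constructed for the example and do not come from the real sample.

```python
"""Static triage of an Android manifest for the SMS-forwarder pattern."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Constructed sample manifest (hypothetical package and class names) mirroring
# what the article describes: the app asks to receive and send SMS, has
# network access, and registers a receiver for incoming messages.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hypothetical.support">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Customer Support">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def triage_manifest(manifest_xml: str) -> dict:
    """Collect SMS-related indicators from a decoded manifest and give a verdict.

    The verdict is 'likely SMS forwarder' only when all three pieces are
    present: an SMS permission, network access, and a receiver listening for
    SMS_RECEIVED. A plain messaging app would not normally need all three
    together with a customer-support label, so this is a triage hint, not proof.
    """
    root = ET.fromstring(manifest_xml)
    perms = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    sms_perms = sorted(perms & SMS_PERMISSIONS)
    has_internet = "android.permission.INTERNET" in perms

    # Any receiver whose intent-filter subscribes to SMS_RECEIVED can see the
    # body of every incoming SMS, including banking one-time passwords.
    sms_receivers = []
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(NAME_ATTR) == SMS_RECEIVED_ACTION:
                sms_receivers.append(receiver.get(NAME_ATTR))
                break

    suspicious = bool(sms_perms) and has_internet and bool(sms_receivers)
    return {
        "package": root.get("package"),
        "sms_permissions": sms_perms,
        "internet": has_internet,
        "sms_receivers": sms_receivers,
        "verdict": "likely SMS forwarder" if suspicious else "no SMS-forwarding pattern",
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Run against the constructed manifest it reports both SMS permissions, the network permission and the `.SmsReceiver` class, and returns the "likely SMS forwarder" verdict; a manifest with no SMS_RECEIVED receiver gets the benign verdict. On a device, the same pattern shows up at install time as a non-messaging app prompting for SMS permissions, which is the moment a user can decline.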
An analysis of the app’s source code revealed that the malicious app is based on an open source GitHub project called “SMS-Forward”. Scammers can combine the information they obtain from the phishing portal with the one-time passwords (OTPs) intercepted from the victim’s phone to perform unauthorized banking transactions and other malicious actions.