Mobile Banking Users May Need to Watch Out For Messages They Open Next

  • Hackers were found using an automated off-the-shelf SMS tool to create unique fake messages for customers of different banks.
  • The campaign allegedly began in June last year but is currently offline.

Recently, researchers reported a worldwide phishing campaign that aims to obtain bank-account details of potential victims through SMS-based phishing attacks.

What happened?

Hackers were seen using SMS messages as bait to trap their targets into disclosing their bank-account access credentials.

  • As described, it impacted mobile users in dozens of countries, including the US.
  • The targets were also observed to be customers of Chase, HSBC, TD, Scotiabank, and CIBC banks.
  • The campaign allegedly began in June last year but is currently offline.

Key findings

According to an official from the research team, this should be considered a warning for mobile users.

  • The research vendor said it detected at least 4,000 unique IP addresses of mobile users who seemed to have fallen for the scam.
  • It wasn’t clear how the victims were impacted financially by the attack, because much less is known about how the attackers may have used the compromised credentials.

"The attack was entirely mobile-focused, from delivering messages via SMS to rendering the phishing sites as mobile banking logins," said the official.

How does the campaign work?

According to the experts, the attackers used a spray-and-pray attack method.

  • Threat actors reportedly spoofed the login pages of various banks in an effort to capture credentials and other personal information.
  • They would also ask victims to answer security questions, ostensibly to verify the user's identity, so as to make the page look authentic.
  • Hackers used an automated off-the-shelf SMS tool to create unique fake messages for customers of different banks.
  • Lastly, they would send the text message out in mass volume.

Researchers have so far identified over 200 phishing pages imitating bank login pages that were used in the campaign.

Mobile threat on the rise

Mobile phishing has always been an attractive attack vector because mobile devices are frequently used and it is often easier to obfuscate the details of a scam on them.

  • With multi-factor authentication too, SMS poses a significant threat to consumers, since banks now communicate with them via SMS.
  • Users are therefore less likely to scrutinize the messages they receive from hackers, which might camouflage credential-stealing malware.
  • Nowadays, mobile devices hold the largest amount of sensitive data for most users, if not all.

Who’s behind this?

Such malware kits are easily available to threat actors on the dark web and other hacking forums. Though the experts couldn’t point to a particular threat group behind the campaign, they suggested a “sophisticated group” that knows how to launch an off-the-shelf phishing kit.