A new phishing campaign has been discovered targeting Indian banking customers, in which phishing sites collect victims’ banking credentials and personally identifiable information (PII). After the details are stolen, an Android SMS-forwarding malware is also downloaded onto the victims’ devices. The campaign was discovered by CloudSEK’s Threat Research and Information Analytics, which found multiple domains built on the same template.
The phishing attempt begins when victims reach the malicious websites, usually through social engineering. Attackers can send the link to the site in an SMS that appears to come from a bank or another service provider, typically creating a sense of urgency so that users click the link before they have time to think. The domains identified by the researchers masquerade as fake complaint portals.
Once users enter sensitive banking information such as card number, CVV and expiry date into the fake complaint portal, a malicious customer-service app, Customer_Soppor_Srvice.apk, is downloaded onto the user’s device. In some cases users are sent a fake customer-support ticket and asked to install the app to track the progress of their complaint. During installation the app requests two permissions: one to send SMS and one to receive SMS.
Once installed, the app forwards every incoming SMS on the victim’s phone to servers controlled by the scammers. The attackers avoided using Indian bank logos or names so as not to arouse suspicion or trigger detection. The malicious app is not hosted on the Google Play Store or any third-party app store; it is delivered through the phishing flow described above, which means it only ever reaches devices on which the user has allowed installation from unknown sources.
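The permission-plus-receiver combination described above is what an analyst looks for first when triaging a sideloaded APK. The following script is an added example (not CloudSEK’s code and not code from the app or the SMS-Forward project) that checks a decoded AndroidManifest.xml, such as the one apktool produces, for SMS permissions and for a broadcast receiver registered on android.provider.Telephony.SMS_RECEIVED, the hook an SMS forwarder needs to see messages as they arrive. The sample manifest, its package name, receiver class and label are constructed for illustration and are not identifiers from the reported campaign.

```python
"""Triage a decoded Android manifest for SMS-forwarder traits.

Added example, not code from the reported campaign, from CloudSEK, or from
the SMS-Forward GitHub project. Assumes the manifest has already been
decoded to plain XML (e.g. with apktool) so that attribute values are
readable strings rather than resource IDs.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
EXFIL_PERMISSIONS = {
    "android.permission.INTERNET",   # forward over HTTP(S)
    "android.permission.SEND_SMS",   # forward by SMS to another number
}

# Constructed sample: package name, label and receiver class are hypothetical.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.support">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Customer Support">
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed benign counterpart: network access but no SMS hooks at all.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def analyze_manifest(xml_text):
    """Return a dict summarising SMS-related permissions and receivers."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")
    root = ET.fromstring(xml_text)

    perms = {_attr(e, "name") for e in root.iter("uses-permission")}
    sms_perms = sorted(perms & SMS_PERMISSIONS)

    # A receiver whose intent-filter lists SMS_RECEIVED gets every incoming
    # SMS; a high priority lets it see the message before the stock SMS app.
    sms_receivers = []
    for recv in root.iter("receiver"):
        for flt in recv.iter("intent-filter"):
            actions = {_attr(a, "name") for a in flt.iter("action")}
            if SMS_RECEIVED_ACTION in actions:
                sms_receivers.append({
                    "class": _attr(recv, "name"),
                    "priority": int(_attr(flt, "priority") or 0),
                })

    return {
        "package": root.get("package"),
        "sms_permissions": sms_perms,
        "sms_receivers": sms_receivers,
        "can_exfiltrate": bool(perms & EXFIL_PERMISSIONS),
        # Forwarder signature: can receive SMS, listens for them, can send them on.
        "suspicious": bool(sms_perms) and bool(sms_receivers)
                      and bool(perms & EXFIL_PERMISSIONS),
    }


if __name__ == "__main__":
    for name, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, analyze_manifest(manifest))
```

Run it against the output of `apktool d app.apk` and point `analyze_manifest` at `AndroidManifest.xml`; a positive result is a reason to look at the receiver class, not proof of malice on its own, since legitimate OTP-autofill and messaging apps declare the same hooks.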
Analysis of the app’s source code showed that it is based on an open-source GitHub project called “SMS-Forward”. Because incoming messages are forwarded in full, the one-time password a bank sends to authorize a transaction reaches the attacker as well, so fraudsters can combine the stolen card details with the intercepted OTP to carry out unauthorized banking transactions and other malicious actions.