Early this August, we wrote about cybercriminals using a well-publicized vulnerability in Android to launch an attack against users who do their online banking on their mobile devices through an app. This time, we discovered a mobile phishing attack that not only attempts to steal users’ login details, but also asks victims to upload an image file copy of their government-issued ID.
This particular phishing campaign resembles the typical scenario: it involves a spoofed website of the bank’s mobile online banking login site, with a URL that closely mimics the original banking site.
Despite the similarities, though, there are some noticeable differences, such as SSL support: the phishing site has neither the usual security symbol nor the HTTPS:// prefix that usually identifies a secure website. There are also graphical differences between the two:
Figure 1. Legitimate site vs. spoofed page
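The two URL-level signals described above, a hostname that closely mimics the bank's and the absence of HTTPS, can be checked mechanically. The following Python is an added example, not code from the original post; the allowlist entry `m.bank.example`, the function names and the distance threshold of 2 are assumptions, and it goes slightly beyond the text by also flagging a real hostname used as the prefix of an unrelated domain.

```python
from urllib.parse import urlsplit

# Assumption: the defender maintains this allowlist of real login hostnames.
# "m.bank.example" is a constructed placeholder on a reserved TLD.
KNOWN_GOOD = {"m.bank.example"}

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def assess(url, known_good=KNOWN_GOOD, max_distance=2):
    """Return findings for one URL; an empty list means nothing was flagged."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    findings = []
    if parts.scheme.lower() != "https":
        findings.append("no-https")
    if host in known_good:
        return findings
    for good in sorted(known_good):
        if good + "." in host and not host.endswith("." + good):
            # Real hostname used as a prefix of an unrelated domain.
            findings.append("embeds:" + good)
        elif edit_distance(host, good) <= max_distance:
            # One or two typos away from the real hostname.
            findings.append("lookalike-of:" + good)
    return findings

if __name__ == "__main__":
    # Constructed sample URLs, not taken from the campaign.
    for u in ("https://m.bank.example/login",
              "http://m.bannk.example/login",
              "https://m.bank.example.signin.test/"):
        print(u, assess(u))
```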
The phishing page asks for the user’s login details – but it doesn’t stop there. After entering their login details, the user will be sent to another spoofed page that then asks for their e-mail address and password. This is presumably so that when the user tries to recover their account by changing their login details, the cybercriminals responsible will be notified and thus still be able to access the said account.
Figure 2. Phishing page asking for email credentials
Not yet satisfied with all of this stolen information, the scam goes on to lead the user to another spoofed website that then asks the user to upload a scanned image file of their government-issued ID.
Figure 3. Phishing page that asks for an image of a government ID
Assuming that the user does supply such a file, they will be asked to continue to their account via a link – but the link, of course, only leads to a dead website.
This is an unprecedented level of phishing, as not only does the cybercriminal get access to the victim’s bank account and email account, but they also get the victim’s identification card – which could be used for all sorts of scams and fraud involving identity theft.
While phishing attacks that actually ask for scanned copies of real-world identification are new, the barter of such material isn’t. In our paper about the cybercriminal underground in Russia, Russian Underground 101, we talked about how copies of victims’ identification documents are bartered and sold not only for profit but also for use in identity theft, with prices that range from US$2 to US$25, depending on the type of document. These documents range from identification cards and passports to working visas.
Mobile phishing is on the rise. We reported as much earlier this year, as well as how the cybercriminals dabbling in it are using the limitations inherent in the platform to carry out their deeds (such as the small screen size hiding URL discrepancies and security symbols). With smartphones being as popular as they are and being powerful enough to do most tasks we usually devote a desktop to, it’s not surprising that cybercriminals are taking advantage of the platform to nab more victims and milk them dry for personal information.
Thankfully, users can protect themselves from this kind of cybercriminal activity. Some practices the user can keep in mind:
- Bookmark frequently-visited websites. This eliminates the chance of being routed to a phishing website through typographical errors in the URL bar.
- Always verify first. Users should verify first with the institutions involved (such as their bank) whenever encountering strange and unexpected procedures in their transactions.
- Use a security solution. Security solutions immediately block phishing websites, preventing users from mistakenly accessing them.
Trend Micro users are protected from all the elements involved with this phishing threat, with the URLs of the fake website blocked.