With the rise in mobile banking coupled with a lack of awareness about new cybersecurity threats among consumers, cybercriminals are utilizing novel phishing techniques to gather sensitive information. Examples of such information include internet banking passwords, mobile numbers, and OTPs from mobile banking users.
Users’ smartphones are being infected with information stealer malware to compromise the OTP-based two-factor authentication after the account takeover to carry out fraudulent transactions.
Cyble Research Labs encountered one such phishing campaign targeting customers of a major bank in India. Through this campaign, the fraudsters have managed to deceive their victims into providing their sensitive account information. This includes Account Numbers, Net-banking User ID, login passwords, transaction passwords, ATM PIN, and other Credit/Debit Card details, along with the transaction OTP, which could be used to carry out fraudulent transactions.
The fraudster has incorporated an SMS stealer in their phishing campaign to execute this particular scam, which steals all the incoming SMS messages that contain banking attributes such as Two Factor Authentication (2FA). After successfully compromising the victim, the fraudster then sends these details to a Command & Control (C&C) server.
As a part of this investigative hunt, Cyber Research Labs analyzed the fraudster’s phishing website and identified the stealer malware used to compromise the victims’ mobile phones.
Post analysis, Cyble was also able to map the cyber criminal’s activities and evidence the stolen data stored in the attacker’s infrastructure. The in-depth analysis of the phishing campaign targeting Indian banking users is covered in this article.
Technical Analysis
The fraudster has impersonated the landing page of the bank’s customer support/ complaints portal. This page acts as a phishing site that asks the victims looking for assistance to enter their basic bank information, such as their name and the phone number associated with their bank account.
Figure 1 displays the starting page of the phishing campaign.
Below we have outlined the process flow of the campaign.
Stage1: Harvesting Victim Credentials
When a victim lands on the phishing website, he is prompted to enter sensitive financial information on various pages, as part of the complaint registration process. The following details are acquired at this stage:
- Account Holder Name and the Registered Mobile Number.
- Refund Mode Selection (Account Number / Net-Banking / Credit or Debit Card)
- For Account Number Mode: Account Number, IFSC Code, CIF No.
- For Net-Banking Mode: User ID, Password and Transaction Password
- For Credit or Debit Card Mode: Card details such as Credit/Debit Card Number, Expiry Date, PIN
The victim is also prompted to enter the ATM PIN/Password for verification. The process flow of the webpage is given below.
Stage 2: Infecting the Victim’s Device
Once the victim provides personal data, the phishing website initiates the download of an APK file named ***_Compliant.apk. This app masqueradesas the bank’s official app, tricking the victim into installing it on his/her device to track their complaint(s).
The phishing and infection workflow is shown in the figure below.
Stage 3: Bypass 2FA
Once the Threat Actor (TA) initiates the fraudulent transaction by logging into the victim’s account, the bank would send an OTP to the victim’s device. This will occur regardless of whether the TA initiates the transaction via Net banking, Credit/Debit card, or Bank Account transfer.
The fraudster has incorporated two techniques to steal the SMS-based OTP received from the bank –
- The victim is presented with a page where they can input the OTP manually.
- Exfiltrating all the SMSs from the victim with the help of the SMS stealer app posing as the bank’s official Complaint tracking app (as discussed in Stage 2).
The fake page used to enter OTP manually is shown below.
Analysis of the SMS Stealer
The application uses the icon of the official banking app. The below figure depicts the file information of the APK.
The malware requests for multiple dangerous permissions such as READ_SMS, RECEIVE_SMS, SEND_SMS, and READ_PHONE_STATE. Once the victim grants these permissions, the SMS Stealer reads and collects the SMS messages on the victim’s device.
Additionally, the malicious app has registered a listener to monitor SMSs received on the device constantly and then upload them to a C&C server (C&C URL: hxxps://onlinerexxxxuery[.]com/api).
The code used in the listener to receive the SMS and upload it is shown below.
The SMS stealer also boots up without any user interaction for every device reboot.
The cybercriminal has hosted the C&C server on a known web hosting service. Cyble Research Labs team analyzed the fraudster’s infrastructure and was able to identify the affected victims and their data.
The identified phishing campaign was active during our analysis, but the website has currently been taken down.
Figure 8 shows the subset of personal information gathered from the compromised devices available on the TA’s infrastructure.
The SMS details, along with the make and model of the compromised device, are also stored on the C&C server database, as shown below.
Probable Vector
Based on this analysis, we have found similarities between this campaign and another campaign targeting a major bank in India. We observed the TA behind that campaign using a Smishing technique to bait customers. Hence, we suspect that the initial vector used to launch this Phishing campaign could also be Smishing.
Conclusion
Threat Actors constantly adapt their approaches to avoid detection and find new ways to target users using sophisticated methods. Malicious software is frequently disguised as legitimate software to trick users into installing it.
We recommend that banking entities develop prudent security approaches to secure customers’ assets as our analysis clearly indicates that SMS based 2FA is not secure enough.
Banks should also educate their users on safe net banking procedures. Additionally, companies should also educate their consumers to only install apps from official app stores such as Google Play Store after verifying their validity.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Download and install software only from official app stores like Google Play Store & Apple App Store
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- If you find this malicious application on your device, uninstall, or delete it immediately.
- Use the shared IOCs to monitor and block malware infection.
- Keep your anti-virus software updated to detect and remove malicious software.
- Keep your devices, operating systems, and applications updated to the latest versions.
- Use strong passwords and enable two-factor authentication.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Collection | T1412 | Capture SMS Messages |
| Defense Evasion | T1444 | Masquerade as Legitimate Application |
| Defense Evasion | T1406 | Obfuscated Files or Information |
| Discovery | T1418 | Application Discovery |
| Impact | T1582 | SMS Control |
If you are interested in a detailed list of IOCs, please reach out at contact@cyble.com.
About Us
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit https://cyble.com.
