February 14, 2020

Inside Look Into Phishing Campaign Targeting Mobile Banking

A series of phishing attacks targeting banks surround a smartphone

Nearly 4,000 victims fall for off-the-shelf, mobile-only phishing attack

Consumers are increasingly using mobile banking apps as their primary means to manage their finances, transfer funds, deposit checks and pay bills. In fact, 89% of survey respondents in Business Insider Intelligence's Mobile Banking Competitive Edge Study reported that they use mobile banking. Unfortunately, this trend has not gone unnoticed by cybercriminals, who are starting to exploit it as a new attack vector.


Heat map showing the spread of IP locations of victims of this phishing campaign. Over 3,900 unique IP addresses were captured over a seven month period.

With the increase in multi-factor authentication for many apps, including those used for mobile banking, consumers are increasingly accustomed to banks communicating using SMS messages. Since mobile users are typically on the move and less likely to scrutinize the authenticity of an SMS message, text messages have become an attractive new attack vector.

In fact, Lookout Phishing AI recently discovered a phishing campaign targeting customers via SMS messaging to lure them to fake websites of well-known Canadian and American banks. The phishing campaign, primarily spread through SMS messages, mirrors the login pages of the banks in an effort to capture the user’s banking credentials and other sensitive login information. Some of the banks affected by this phishing campaign include Scotiabank, CIBC, RBC, UNI, HSBC, Tangerine, TD, Meridian, Laurentian, Manulife, BNC, and Chase, all of which were notified prior to publishing.

Mobile-only phishing attack

Our research indicates that this phishing campaign solely targets mobile users. The web pages are built to look legitimate on mobile, with login pages mirroring the layout and sizing of mobile banking applications and including links such as “Mobile Banking Security and Privacy” or “Activate Mobile Banking.”

Screenshots of fake mobile banking sites used in this campaign.

In addition, the discovery of an automated SMS tool linked to the phishing kit shows that the attacker can create a unique message and then easily send it to as many phone numbers as they want, further indicating a mobile-first attack strategy.

Automated SMS sender seen across the phishing sites, enabling the actor to efficiently spread malicious links.

Many of the pages in this campaign appear legitimate through actions like taking the victim through a series of security questions, asking them to confirm their identity with a card’s expiration date or double-checking the account number.

Screenshots of fake mobile banking sites used in this campaign.

Lookout has identified over 200 phishing pages that were part of this campaign and has notified all banks affected. As of today, the campaign is offline. When the attack was discovered, the Lookout Phishing AI engine was able to recover the victims’ IP addresses and the dates on which the current deployment of the phishing kit recorded their clicks. This revealed that the campaign against customers of these banks had been running, and succeeding, since June 2019.

How to protect against mobile phishing attacks

Customers of banks targeted by phishing campaigns are at risk of having their banking credentials stolen, which could lead to serious financial loss. However, spotting phishing attacks on mobile devices can be much more difficult than on a laptop or desktop computer. The features, functionality, and even the screen size of today’s mobile devices make it harder for a person to determine what is real versus what is fake.

If you receive a text message claiming to be from your bank, do not click on any link it contains. Instead, go directly to the bank’s website or open the bank’s app.
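As an added defensive illustration (not code from the original post or from Lookout), the check below applies that advice programmatically: it extracts links from SMS text and flags any link where a bank brand name appears on a domain that is not the bank’s own, the pattern this campaign relied on. The allowlist of official domains, the brand keywords and the sample messages are assumptions constructed for the example.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# ASSUMED allowlist for this example: each brand's own registrable domain(s).
# A real deployment would load the banks' published domain lists instead.
OFFICIAL_DOMAINS = {
    "scotiabank": {"scotiabank.com"},
    "cibc": {"cibc.com"},
    "td": {"td.com"},
    "tangerine": {"tangerine.ca"},
}
# Matches http(s) URLs and scheme-less links such as bank-login.net/x.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Production code should use the Public
    Suffix List so that names like bank.co.uk are handled correctly."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def brand_in_host(host: str) -> Optional[str]:
    """Bank brand a hostname impersonates, if any. Short brands must match a
    whole label token ('td' in td.com.verify-account.net); longer brands may
    be embedded in a label ('scotiabank' in scotiabank-mobile-secure.com)."""
    host = host.lower()
    tokens = set(re.split(r"[^a-z]+", host))
    for brand in OFFICIAL_DOMAINS:
        if brand in tokens or (len(brand) >= 5 and brand in host):
            return brand
    return None


def classify_sms(text: str) -> dict:
    """Verdict for one SMS: no_link, official, unverified_link, or lookalike
    (a bank brand appears on a domain that is not that bank's own)."""
    links = []
    for m in URL_RE.finditer(text):
        url = m.group(0)
        host = urlparse(url if "://" in url else "http://" + url).hostname or ""
        reg, brand = registrable_domain(host), brand_in_host(host)
        if brand and reg not in OFFICIAL_DOMAINS[brand]:
            links.append((url, "lookalike", brand))
        elif any(reg in doms for doms in OFFICIAL_DOMAINS.values()):
            links.append((url, "official", brand))
        else:
            links.append((url, "unverified_link", None))
    kinds = {k for _, k, _ in links}
    verdict = ("no_link" if not links else "lookalike" if "lookalike" in kinds
               else "official" if kinds == {"official"} else "unverified_link")
    return {"verdict": verdict, "links": links}
```

Note that short brands are only matched as whole labels, so a lure on a host like tdbank-news.example would not be flagged by this check; that false negative is the price of not flagging every hostname containing the letters "td".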

Authors

Apurva Kumar

Former Security Intelligence Engineer

Apurva Kumar was a Security Intelligence Engineer at Lookout between 2017 and 2021.

Kristin Del Rosso

Security Research Engineer

Kristin Del Rosso is a security researcher with a primary focus on reverse engineering Android applications. She works with her team to uncover new mobile threats, track actors and targets, and provide accurate research and reporting on these issues. She has spoken at BlackHat EU and NSEC on state-sponsored malware campaigns, and volunteers with Day of Shecurity, an organization aimed at tackling the gender diversity issue in cybersecurity.

Threat Type: Phishing, Crimeware
Entry Type: Threat Summary
