| Researchers February 14, 2020


February 14, 2020

Lookout Phishing AI provides an inside look into a phishing campaign targeting mobile banking users

By Apurva Kumar, Kristin Del Rosso

Nearly 4,000 victims fall for off-the-shelf, mobile-only phishing attack

Consumers are increasingly using mobile banking apps as their primary means to manage their finances, transfer funds, deposit checks and pay bills. In fact, 89% of survey respondents from the Business Insider Intelligence's Mobile Banking Competitive Edge Study reported they use mobile banking. Unfortunately, this trend has not gone unnoticed by cybercriminals who are starting to exploit it as a new attack vector.

Heat map showing the spread of IP locations of victims of this phishing campaign. Over 3,900 unique IP addresses were captured over a seven month period.

With the increase in multi-factor authentication for many apps, including those used for mobile banking, consumers are increasingly accustomed to banks communicating using SMS messages. Since mobile users are typically on the move and less likely to scrutinize the authenticity of an SMS message, text messages have become an attractive new attack vector.

In fact, Lookout Phishing AI recently discovered a phishing campaign targeting customers via SMS messaging to lure them to fake websites of well-known Canadian and American banks. The phishing campaign, primarily spread through SMS messages, mirrors the login pages of the banks in an effort to capture the user’s banking credentials and other sensitive login information. Some of the banks affected by this phishing campaign include Scotiabank, CIBC, RBC, UNI, HSBC, Tangerine, TD, Meridian, Laurentian, Manulife, BNC, and Chase, all of which were notified prior to publishing.

Mobile-only phishing attack

Our research indicates that this phishing campaign solely targets mobile users. The web pages are built to look legitimate on mobile, with login pages mirroring mobile banking application layouts and sizing, as well as including links like, “Mobile Banking Security and Privacy” or “Activate Mobile Banking.”

Screenshots of fake mobile banking sites used in this campaign.

In addition, the discovery of an automated SMS tool linked to the phishing kit shows that the attacker can create a unique message, and then easily send that message out to as many phone numbers as they want, further indicating a mobile-first attack strategy.

Automated SMS sender seen across the phishing sites, enabling the actor to efficiently spread malicious links.

Many of the pages in this campaign appear legitimate through actions like taking the victim through a series of security questions, asking them to confirm their identity with a card’s expiration date or double-checking the account number.

A screenshot from one phishing page highlights the IP addresses of the devices who clicked on the link, as well as how far into the phishing campaign they went (e.g., providing no information, making it to the “date of birth” page, or fully completing the phish). In the screenshot shown, the associated phishing link received over 800 unique clicks on the provided link.

Lookout has identified over 200 phishing pages that were part of this campaign, and has notified all banks affected. As of today, the campaign is now offline. When the attack was discovered, the Lookout Phishing AI engine was able to find the victim’s IP addresses and dates on which the current deployment of the phishing kit recorded the clicks. This revealed a campaign against consumers of these banks, as well as the success of the attack, ongoing since June 2019.

How to protect against mobile phishing attacks

Customers of banks targeted by phishing campaigns are at risk of having their banking credentials stolen, which could lead to serious financial loss. However, spotting phishing attacks on mobile devices can be much more difficult than on a laptop or desktop computer. The features, functionality, and even the screen size of today’s mobile devices make it harder for a person to determine what is real versus what is fake.

If you receive a text message from your bank, do not click on it. Instead, go directly to the bank’s website or the app.

Learn how the world’s largest mobile data set protects against phishing at RSA 2020

At RSA this year, you can stop by our booth (S-1847) to go hands-on with our data to understand mobile risks. With more than 180 million devices and 100 million analyzed apps, the Lookout Security Cloud provides protection against the latest mobile phishing and app risks.

We're excited to be a part of the world's leading cybersecurity event, and we hope you can join us! That's why we're offering a FREE RSA Expo Pass that's not available to the general public.

We’ll also be presenting on our research into the highly targeted Monokle surveillanceware on February 26th -- reserve your seat today!

Find out how you can secure your smartphones and tablets today

Request A Demo call_made

Free Trial call_made

Contact Sales call_made


Author

Apurva Kumar,
Staff Security Intelligence Engineer


Author

Kristin Del Rosso,
Security Research Engineer