The McAfee Mobile Research team recently found an active smishing campaign, using SMS messages, that targets online banking users in the United States. The messages attempt to scare victims with a notice that the bank account will be soon closed and that the user must immediately click a malicious URL:
Figure 1: Phishing SMS message.
The structure of the message—with the fields “FRM” and “MSG”—is very similar to the smishing campaign that we saw at the end of July 2016 that targeted iOS users. That campaign attempted to steal Apple account credentials. Instead of using shortened URLs that allow us to track the number of clicks and the creation date of the URL, however, this campaign uses a nonfunctional URL that contains the name of the financial institution to appear less suspicious.
Fake customer identification program
Once the user clicks on that URL, it is redirected to a hacked site that appears to be the real bank’s. The page asks the user to verify identity via its fake customer identification program (CIP) and threatens to inactivate the account and refuse transactions until the identity is confirmed:
Figure 2: Fake customer identification program.
Once the user clicks “Message Received,” the next step is to enter username and password:
Figure 3: Phishing website asking for mobile banking credentials.
Cybercriminals know that a username and password are not enough to get complete access to a victim’s bank account, so they ask for additional sensitive information such as social security number, card number, and even ATM PIN. The site promises that the card will be unlocked once the information is provided:
Figure 4: Phishing web page asking additional banking and sensitive information.
Stealing the second factor of authentication
The final step in this phishing scheme is to pass through a second layer of security by asking the victim to provide a unique access code that the financial institution sends to the user via SMS when accessing certain banking services:
Figure 5: Phishing web page asking for the key to second-factor authentication.
The request for the second factor of authentication allows the cybercriminals to access the victim’s bank account. When the victim clicks on “Confirm my identity,” the access code is captured and the browser is redirected to the legitimate website of the financial institution, making the user believe that the fake CIP was completed successfully, when in fact this sensitive and banking information was only successfully stolen from the victim.
Cybercriminals know that the weakest link in the security chain is always the user, so they constantly attempt to take advantage by running smishing and other campaigns to steal as much sensitive information as possible and fraudulently access victims’ accounts. Looking at the effects of previous smishing campaigns, we see that attackers can target any type of user account as long as they can gain unauthorized access. To protect yourselves from this and similar threats, always suspect unwanted SMS messages or calls from unknown numbers, avoid clicking suspicious links, and think twice before providing sensitive and private information to anyone.