ESET, a leading company in proactive threat detection, identified a phishing campaign aimed at mobile users that targeted bank customers. This novel criminal technique installs a phishing application from a third-party website without the user having to allow the installation of applications, it affects both iOS and Android users. Most of the cases known at the moment have occurred in the Czech Republic, and applications were directed to the Hungarian bank OTP Bank and the Georgian bank TBC Bank.

The ESET research team identified a series of phishing campaigns targeting mobile users that used three different URL delivery mechanisms: automated voice calls, SMS messages, and social media malvertising.

Voice call delivery was done via an automated call that warned the user about an outdated banking application and asked them to select an option on the keypad. After pressing the correct button, a phishing URL was sent via SMS.

The initial approach by SMS was carried out by indiscriminately sending messages to Czech telephone numbers. The message sent included a phishing link and a text for victims to perform social engineering and visit the link.

The spread through malicious ads was done by registering ads on Meta platforms such as Instagram and Facebook. These ads included a call to action, such as a limited offer for users to “download an update below.” This technique allowed threat actors to specify the target audience by age, gender, etc. The ads then appeared on the victims’ social networks.

After opening the URL delivered in the first stage, Android victims were faced with a high-quality phishing page that imitated the official Google Play Store page for the targeted banking app, or an imitation website of the app.

From there, victims are asked to install a “new version” of the banking app. Depending on the campaign, clicking the install/update button initiates the installation of a malicious application from the website, directly on the victim’s phone, either in the form of a WebAPK (Android users only), or as a Progressive Web App (PWA) for iOS and Android users. The highlight of this instance is that it bypasses traditional browser warnings to “install unknown apps”: this is the default behavior of Chrome’s WebAPK technology, which is abused by attackers.

The process is a little different for iOS users, as an animated pop-up tells victims how to add the phishing PWA to their home screen. The popup copies the look of native iOS messages. In the end, iOS users are not warned about adding a potentially harmful app to their phone.

Upon installation, victims are asked to enter their internet banking credentials to access their account through the new mobile banking application. All information provided is sent to the attackers’ C&C servers.

The malicious ads included a mashup of the bank’s official mascot (blue chameleon), as well as bank logos and text promising a financial reward for installing the app or warning users that a critical update had been released.

All stolen login information was recorded through a backend server, which then sent the banking login details entered by the user to a Telegram group chat. HTTP calls to send messages to the threat actor’s group chat were made through the official Telegram API. As mentioned by ESET: this technique is not new and is used in several phishing kits.

Warning

“Because two drastically different C&C infrastructures were used, we have determined that two different groups are responsible for the spread of phishing applications. More imitation apps will surely be created, since after installation it is difficult to separate legitimate apps from phishing ones. All sensitive information found during our investigation was quickly sent to the affected banks for processing. We also coordinate the dismantling of multiple phishing domains and C&C servers,” says Camilo Gutiérrez Amaya, Head of the ESET Latin America Research Laboratory.

Contact coordinates with ESET in Venezuela: https://www.eset.com/ve/. Also, their social networks: Instagram @esetla) and Facebook: (ESET).

With information and reference image provided by ESET and Comstat Rowland

Visit our news channel on Google News and follow us to get accurate, interesting information and stay up to date with everything. You can also see our daily content on Twitter and Instagram

La entrada Malicious banking applications: New phishing against Android and iOS users apareció primero en Bitfinance.

Facebook, YouTube and Instagram have become platforms that literally catapulted certain people to stardom, granting them the accolade or recognition of “Influencers.” The number of followers they garner and the money that moves around them is such that cybercriminals have focused their sights on them, implementing strategies and deceptions that allow them to obtain their own financial gain. ESET, a leading company in proactive threat detection, warns that it analyzes the most frequent tactics used by cyberattackers to access money and how influencers can be better protected.

The global influencer marketing market, which in 2022 was valued at $33.2 billion, will continue to grow exponentially. In fact, it is expected that by 2032 it will reach 200 billion dollars. In turn, according to the HubSpot site, there are several categories of influencers depending on the number of followers and depending on this (among other factors) “a nano influencer earns between 10 and 100 USD, a micro between 100 and 500 USD, and a macro between 5000 and 10,000 USD per publication.” These figures served as bait for cybercriminals to begin looking for (and implementing) strategies to obtain financial gain. In practice, they were tempted and motivated to do so.

Social engineering is one of the favorite tools of cyberattackers to harm influencers, who often do not have the resources or knowledge with which companies usually protect themselves.

ESET shares some examples of related scams, thefts and deceptions

The Fake Podcast: Hannah Shaw is popularly known on social media as the “Cat Lady”; His pseudonym is due to the fact that in his videos he teaches people what proper care for newborn cats is. Thanks to his followers (more than one million), he raised significant amounts to help rescue these animals and shelters. Seeing Shaw’s popularity as a source of financial gain and thanks to a social engineering technique, cybercriminals managed to take over his Meta business account.

They did this by pretending to be hosts of a podcast. In advance and to coordinate the details of the interview, the malicious actors invited the victim to a Zoom call. There, they asked Shaw for access to the Facebook Live settings with the excuse of generating income and she agreed, thinking it was a normal part of the process. At that time, the cyber attackers took control of the account as Administrator, leaving the page clean to replace them with fake links that actually directed to sites to generate quick and easy income with advertising.

Ambassadors, but of the scam: The “Finfluencers” are a subgroup of influencers dedicated especially to the finance industry. In their accounts, they provide economic advice, advice and tips to their large number of followers so that they can get rich quickly, invest in stocks or cryptocurrencies and implement financial planning. In this case, cybercriminals (and also using social engineering to achieve their goal), offered a false job opportunity for finfluencers to become ambassadors of a brand and promote the brand’s products.

The truth is that the final objective of the attackers was to obtain the personal and financial information of their victims. With the excuse of needing this data to make payment for the supposed work, what they did once they obtained that information was to empty their bank accounts until they took control of their social networks.

Malware always present: Other influencers have been attacked with malware, either by downloading a malicious file or clicking on an apocryphal link. Thus, cyberattackers can very easily take control of accounts and manage them. They achieve this by publishing content that has nothing to do with what the influencer normally shares, deleting all the content that was available, and even changing the logo and name of the accounts. It is also common for malicious actors to ask for exorbitant sums of money so that the victim can recover their social networks.

Identity theft with suspension included: Another technique that became known through complaints and investigation, specifically on Instagram, consists of cyberattackers duplicating the influencer’s original account and requesting its suspension. To do this, they either acquire a verified account, change the user’s biography and image, and then file a report alleging that the victim is actually impersonating them. Another option is to carry out a “spam attack” against the account, reporting it, either for showing nudity images or violating copyright. When the attacker manages to have the account suspended, he contacts the victim to offer to unlock the account as long as he pays an amount of money for said ransom.

Followers, also in the crosshairs: Identity theft is another of the techniques used in the field of social networks, but in this case the victims are the followers. It is normal for influencers to launch giveaways, which generate a high level of interaction. This is where cybercriminals come into play, creating a duplicate account that pretends to be the original, and from there contacts users informing them that they have been winners of a raffle. The goal is to access the personal and financial information of their victims.

Influencers can protect themselves by taking actions to avoid being another victim of the deceptions of cyberattackers

ESET shares some good practices to keep in mind:

• Be distrustful as a first measure, if a job offer or business possibility seems too good to be true, it probably is.
• Do not provide personal or financial information without confirming that there is a real and true possibility on the other side. Good research is your best ally, as is contacting the company to confirm the offer.
• Do not let any person, company or application post on your social networks.
• Use unique, strong, long and secure passwords (with capital letters, special characters and numbers) on all accounts, and change them periodically.
• Pay attention and analyze carefully and carefully before clicking on any link that arrives unexpectedly.
• Lastly and always very important, have a security solution that provides comprehensive protection while consuming fewer resources.

In summary, ESET recommends, for everything mentioned above, that it is necessary to adopt good security practices, pay attention to signs that an offer may be a scam, and inform yourself about the methodologies that cybercriminals use to perpetrate their attacks. As well as listening to Conexión Segura, your podcast with timely verified information to know what is happening in the world of computer security, at: https://open.spotify.com/show/0Q32tisjNy7eCYwUNHphcw.

With information and image provided by ESET Latin America and Comstat Rowland Comprehensive Strategic Communications

(Reference image: ESET Latin America and Comstat Rowland)

Visit our news channel on Google News and follow us to get accurate, interesting information and stay up to date with everything. You can also see our daily content on Twitter and Instagram

La entrada Influencers under cyberattack: Ways to protect themselves and good practices to consider apareció primero en Bitfinance.