Bank phishing & 2FA bypass

Bank phishing is a form of online fraud in which cybercriminals send fake emails or messages that appear to be from a legitimate banking institution. The purpose of these messages is to trick recipients into revealing sensitive information such as bank account numbers, passwords, PINs or other personal data. These emails or messages may contain links to fake websites that mimic the look and functionality of real banking websites to convince victims to enter their confidential information. Once this information is obtained, criminals can use it to illegally access victims’ bank accounts or for other fraudulent activities.

Official website - OTP Bank | https://www.otpdirekt.ro/

The fake page is a perfect clone of the official OTP Bank page, which can mislead users who are directed to it, especially if there is not a minimum of cyber education and attention to detail, especially since we are talking about updating bank information, even if it is false!

Fake page - OTP Bank | https://liberta-isha.......

Japan servers compromised and about 380 administrators unaware of the attackers’ presence in their infrastructure.

www5172.sakura.ne..jp – 124 users
www3781.sakura.ne..jp – 132 users
www3884.sakura.ne..jp – 133 users

Each user may have X number of pages they manage and can only understand their malicious exploitation after an audit and security configurations on the server or managed pages. Or, there is the possibility that only some of them are active and manage web pages.

The limited time and the impossibility to audit the respective servers allowed the identification of 4 compromised domains running bank phishing campaigns and (unwittingly) supporting the transmission of banking and personal information to criminals.

The identified campaigns use 2 ways of sending the data collected from the user to the #target #targeting.

Connecting the fake page to a Telegram bot and receiving information in the form of messages
Saving bank and personal information on the compromised server in a text file

The two configurations ensure that user information is saved. Even if access to the page is restricted, the perpetrator has access to all compromised data.

Hmm… if there is a possibility to change the parameters of the two “define” lines from 1 to 0, the criminals will no longer get the victim data. What would you do?!? :)

Information received from users who end up on fake pages includes the following:

Name, first name
Assigned IP and browser
Bank ID and password
Personal number code
Phone number
Bank card number, expiry date and code
… in addition there is the code received by SMS for double authentication.

2FA – Dual authentication is a security plus when it comes to securing the accounts we use, but it has become a definite necessity due to the frequency with which login information for different platforms or apps is stolen. This added security is useless if we as users give the security codes to strangers at their request…

The bank phishing campaign includes obtaining this security code that the bank customer receives via SMS. And to achieve this, the user is informed that he is going to receive this code, although he is on a fake page, because with the data previously provided the attacker will try to access the bank account and the banking application will ask for the code sent by the bank’s servers.

The victim receives that SMS and writes it in the fake page, and the criminal copies it and sends it to the bank… so he has done the double authentication with the help of the victim, who doesn’t realise that someone is brokering this whole authentication process. After this stage, the offender is authenticated on the banking platform and can act at will.

I’m sure the information included in the article is interesting, but much of it is not public, but obtained from the investigation of the cyber attack.

We will address 2 methods of obtaining information:

Auditing/testing the fake pages and involving the whole process, from the first access to the completion of the phishing and most likely directing the victim to the bank’s official page. The major problem in this case is that we need the written approval of the offender (joke… ha ha.) or as the case may be the rightful owner of the server. So this can only be done by legal means or…
OSINT – Obtaining information through apps, search engines or whatever else comes to mind for the specialist investigating the attack.

In our case… OSINT, experience and imagination. Through these, the files used in the phishing attack on OTP Bank Romania were identified and after a thorough analysis, the files on the compromised server were identified.

Files containing information about configurations, APIs, IDs, visitors, victims and phishing results.

The cyber attacker aka the hacker/criminal can be anyone, of any nationality and with a not necessarily high level of technical training, as the Internet offers many ready-made things, and it is enough to download them and adapt them to what they are going to do or buy them ready-made and just send them to potential victims.

Email addresses are everywhere, it is true that being legal you are not allowed to use them for marketing without the consent of the owner (natural person), but criminals can use them without problems for illegal activities (phishing, malware, fraud…).

Compromised servers/websites can be found for purchase, free download or if the necessary capabilities exist can be compromised by hacking(blah blah…) or via…. Phishiiiing.

The person behind the analyzed attack, after setting up the phishing campaign, had to test your “creation” and on the 3 analyzed pages he left:

5 IPs … Tangier & Casablanca – Morocco.
41.xxx.xx.xx9, 41.xxx.xxx.xx6, 105.xxx.xx.x1,105.xxx.xxx.xx2, 196.xx.xxx.xxx
3 devices
– Google Chrome version 120.0.0.0, running on a Windows 10 system with a 64-bit
– Mozilla Firefox version 121.0, running on a Windows 10 system with a 64-bit
– Safari browser, version 17.2, running on an iPhone with iOS version 17.2.1

Due to the distance between the two locations, possibly different people, different operators or use of wireless and mobile data.

Authorities investigating criminal activities can surely find more details, thanks to resources (experience – time – funding) and with some sustained effort with collaboration between states… maybe something can come out.

The source code of the fake page is quite well crafted, but what we are interested in is understanding its functionality and the cyber attacker’s purpose. By analysing the code we can understand what data is stored from the first interaction with the fake user page to the final stage where the user becomes a victim.

cybercrime investigation officer analyzing a cyber attack

Authorities dealing with this type of investigation need enough specialists in the field because cybercrime has reached quite high levels and is constantly increasing. Specialists are not just for NOW. Current and new staff need continuous training to face future challenges. Financial fraud, identity theft, cyber extortion and more will outnumber current crimes…

Another aspect is fighting these crimes through the promotion of solved cases, where some will pay and others will think twice about carrying out criminal activities.

But to achieve this, specialists need to be equipped with advanced technology, automated systems and continuous improvement of knowledge.

bank customer engaging with a cyber-secure mobile banking application

Financial institutions need to understand that bank phishing is one of the most widely used methods of gaining access to customer accounts. 2FA (Double Authentication) and MFA (Multiple Authentication) are effective as long as the user, the bank customer knows what he is doing, knows what the dangers are, knows how to identify a cyber attack.

Cyber education is a shared responsibility! This means that everyone who can, knows, has the time must get involved somehow. In the case of financial institutions and beyond, customers need to be educated before they have access to a bank card or online account. A large proportion of technology and Internet users only know how to “finger slide”, and when asked by criminals to “update” their data they do not think about the dangers or the fact that their savings will disappear…. The only concern for users is to prove that they did everything themselves and that they sent all the data…

Education >> Bank card
Education >> Online account

Fewer complaints, nice and satisfied customers…