Inside Look Into Phishing Campaign Targeting Mobile Banking

‍Nearly 4,000 victims fall for off-the-shelf, mobile-only phishing attack

Consumers are increasingly using mobile banking apps as their primary means to manage their finances, transfer funds, deposit checks and pay bills. In fact, 89% of survey respondents from the Business Insider Intelligence's Mobile Banking Competitive Edge Study reported they use mobile banking. Unfortunately, this trend has not gone unnoticed by cybercriminals who are starting to exploit it as a new attack vector.

‍

With the increase in multi-factor authentication for many apps, including those used for mobile banking, consumers are increasingly accustomed to banks communicating using SMS messages. Since mobile users are typically on the move and less likely to scrutinize the authenticity of an SMS message, text messages have become an attractive new attack vector.

In fact, Lookout Phishing AI recently discovered a phishing campaign targeting customers via SMS messaging to lure them to fake websites of well-known Canadian and American banks. The phishing campaign, primarily spread through SMS messages, mirrors the login pages of the banks in an effort to capture the user’s banking credentials and other sensitive login information. Some of the banks affected by this phishing campaign include Scotiabank, CIBC, RBC, UNI, HSBC, Tangerine, TD, Meridian, Laurentian, Manulife, BNC, and Chase, all of which were notified prior to publishing.

‍

Mobile-only phishing attack

Our research indicates that this phishing campaign solely targets mobile users. The web pages are built to look legitimate on mobile, with login pages mirroring mobile banking application layouts and sizing, as well as including links like, “Mobile Banking Security and Privacy” or “Activate Mobile Banking.”

‍

‍

In addition, the discovery of an automated SMS tool linked to the phishing kit shows that the attacker can create a unique message, and then easily send that message out to as many phone numbers as they want, further indicating a mobile-first attack strategy.                    

‍

Many of the pages in this campaign appear legitimate through actions like taking the victim through a series of security questions, asking them to confirm their identity with a card’s expiration date or double-checking the account number.

‍

‍

Lookout has identified over 200 phishing pages that were part of this campaign, and has notified all banks affected. As of today, the campaign is now offline. When the attack was discovered, the Lookout Phishing AI engine was able to find the victim’s IP addresses and dates on which the current deployment of the phishing kit recorded the clicks. This revealed a campaign against consumers of these banks, as well as the success of the attack, ongoing since June 2019.      

‍

How to protect against mobile phishing attacks

Customers of banks targeted by phishing campaigns are at risk of having their banking credentials stolen, which could lead to serious financial loss. However, spotting phishing attacks on mobile devices can be much more difficult than on a laptop or desktop computer. The features, functionality, and even the screen size of today’s mobile devices make it harder for a person to determine what is real versus what is fake.

If you receive a text message from your bank, do not click on it. Instead, go directly to the bank’s website or the app.