A novel phishing campaign aiming to steal banking account credentials targeted the mobile users of banking entities such as the Czech-based Československá obchodní banka (CSOB), OTP Bank in Hungary, and a Georgian bank, according to a report from cybersecurity company ESET.
The campaign involved phishing sites that offered fake iOS and Android apps, convincingly mimicking a Google Play Store listing, the real banking app, or a duplicate of the bank's own app download page. The sites were distributed via automated voice calls, SMS messages, and malvertising on Facebook and Instagram.
The voice calls and SMS messages deliver a warning that urges users to follow the attackers' instructions, which include opening a phishing URL sent to the potential victim.
The malicious sites persuade iOS victims to add a Progressive Web Application (PWA) to their home screens. Android users are asked to confirm custom pop-ups in the browser to install the PWA, and in some cases a WebAPK served from a third-party site, without sideloading having to be enabled and without any warning being shown.
Once the victims install the PWA, the banking credentials they enter in the app are exfiltrated via an attacker-controlled C2 server or a Telegram group chat.
The report says the campaigns' command and control (C2) servers and backend infrastructure reveal that they are operated by two threat actors.
Recently, a phishing site masquerading as an official ‘Google Safety Centre’ page deployed malware like Latrodectus and ACR Stealer while pretending to let users download the trusted multi-factor authentication (MFA) app Google Authenticator. Simultaneously, a fake ad for Authenticator appeared among Google search results, and the advertiser’s identity was even verified by Google.