New Banking Phishing Campaign Targets Mobile Users in Czechia, Hungary, and Georgia

• A novel phishing campaign leverages Progressive Web Applications to steal mobile users' financial credentials.
• The hackers target mobile users in Czechia, Hungary, and Georgia with phishing apps impersonating legitimate banks.
• Fake websites push these malicious apps, which collect and exfiltrate banking credentials once installed and used.

A novel phishing campaign aiming to steal banking account credentials targeted the mobile users of banking entities like the Czech-based Československá obchodní banka (CSOB), the OTP Bank in Hungary, and a Georgian Bank, according to a report from cybersecurity company ESET.

The campaign included creating phishing sites with fake iOS and Android apps that successfully mimic a Google Play Store listing, real banking apps, or a fake duplicate site for the app, distributed via automated voice calls, SMS messages, and social media malvertising on Facebook and Instagram.

Voice calls and SMS messages rely on a warning that urges users to follow the hackers’ instructions, which include sending a phishing URL to the potential victim.

The malicious platforms persuade iOS victims to add a Progressive Web Application (PWA) to their home screens. They ask Android users to confirm custom pop-ups in the browser to install the PWA, sometimes even WebAPKs from a third-party site, without allowing sideloading or a warning.

Once the victims install the PWA, the banking credentials they enter in the app are exfiltrated via an attacker-controlled C2 server or a Telegram group chat.

The report says the campaigns’ command and control (C2) servers and the backend infrastructure reveal these are operated by two threat actors.

Recently, a phishing site masquerading as an official ‘Google Safety Centre’ page deployed malware like Latrodectus and ACR Stealer while pretending to let users download the trusted multi-factor authentication (MFA) app Google Authenticator. Simultaneously, a fake ad for Authenticator appeared among Google search results, and the advertiser’s identity was even verified by Google.