Phishing Campaign Abusing Reverse Tunnel Service Provider, Portmap.io

Summary

Portmap.io was misused in a phishing campaign targeting Indian banking customers. Phishing URLs are distributed via smishing techniques.
Category: Adversary Intelligence Industry: Banking and Finance Motivation: Financial Region: Asia & Pacific Source*: A1

Executive Summary

THREAT IMPACT MITIGATION
  • Portmap.io misused in phishing campaign targeting Indian banking customers.
  • Phishing URLs distributed via smishing techniques.
  • Registered banking users are prompted to provide their PII.
  • PII collected can be sold on the dark web or to create fake bank accounts.
  • Many phishing links are not present on the internet, making it difficult to classify before the campaign launches on a scale.
  • Loss of trust in banks impersonated by the sites.
  • Real-time scans to identify phishing domains by name, trademarks, and images.
  • User awareness campaigns regarding malicious URLs.
  • Policies to ensure that reverse tunnel service providers assist victims to takedown such sites.

Analysis of the Phishing Campaign

  • CloudSEK’s contextual AI digital risk platform XVigil, uncovered another phishing campaign targeting Indian banking customers via a reverse tunnel service, portmap.io.
  • The campaign was improvised and has a low detection rate.
  • Scammers are adopting new SaaS services which provide low code to zero code deployment of phishing websites such as portmap.io.
Also Read Cloudflare Pages Misused in a Phishing Campaign Against Indian Banking Customers

Modus Operandi

  • Portmap is essentially a port forwarding service that allows threat actors to turn their local system into a web server that can be accessed via the internet without a real IP address.
  • Using Portmap’s FREE PLAN, scammers sign up for the service, create a configuration for a free OpenVPN tunnel, and set up the rules to connect with the local machine.
  • Once the OpenVPN configuration file is run on the local machine, it starts acting as a web server for the phishing website and the scammers get a phishing URL that looks like one of the following:
    • <targeted-entity-name>.protmap.io:<random-port-number>
    • <targeted-entity-name>.protmap.host:<random-port-number>
  • The shareable phishing URL is then distributed via SMS to banking customers to create a panic situation.
  • Before being distributed, these phishing URLs are occasionally disguised using URL shorteners.

Information from Open Source

  • Upon further investigation, CloudSEK's research team discovered Tweets from a victim of one such scam, who is a customer of one of India's famous banks with a large customer base.
Tweet from the customer complaining about a phishing website
Tweet from the customer complaining about a phishing website

Impact & Mitigation

Impact Mitigation
  • Data collected from phishing sites can be sold on the dark web.
  • Collected PII can also be used to create fake bank accounts and cards.
  • Many of the links are not present on the internet, making it difficult to classify before the campaign starts on a large scale.
  • Loss of trust in banks impersonated by the sites.
  • Real-time scans to identify phishing domains, not just by the name, but also by trademarks and images.
  • Awareness among customers regarding malicious URLs.
  • Policies to ensure that reverse tunnel service providers assist victims to takedown such sites.

References

Also Read Advanced Phishing Scams Target Individuals & Businesses in the Middle East

Appendix

Plans for portmap.io
Plans for portmap.io
 
Phishing Website asking for Internet Banking Details
Phishing Website asking for Internet Banking Details
 

Table of Contents

Request an easy and customized demo for free