Scammers Misuse FormSubmit SaaS Platform to Steal PII of Indian Banking Customers

CloudSEK’s contextual AI digital risk platform XVigil uncovered a phishing campaign abusing a SaaS platform, named FormSubmit, to impersonate a popular Indian bank.
Published on December 14, 2022. Updated on April 19, 2023.
Category: Adversary Intelligence | Industry: Banking and Finance | Motivation: Financial | Region: Asia & Pacific

Executive Summary

THREAT
  • Scammers use a free form service provider that requires no code integration to forward victims’ PII to a verified email address.
  • Using this, scammers can steal banking credentials and PII.

IMPACT
  • Stolen PII details can be used to fuel various social engineering campaigns.
  • Victims can be exploited financially.

MITIGATION
  • Use XVigil to actively track events and take the necessary actions.
  • Educate customers about such fraudulent activities through various social media posts.

Analysis and Attribution

  • CloudSEK’s contextual AI digital risk platform XVigil uncovered a phishing campaign abusing a SaaS platform, named FormSubmit, to impersonate a popular Indian bank.
  • FormSubmit is a no-code form service, designed to send input data from an HTML form straight to a specified email address.
  • This campaign was uncovered while analyzing a suspect domain which was classified as a threat by XVigil on 10 November 2022.

Information from the Fake Domain

  • The following information was gathered from the WHOIS records:
    • Creation Date: 08 November 2022
    • Updated Date: 08 November 2022
    • Domain Registrar: GoDaddy

Using FormSubmit to Create a Phishing Page

FormSubmit requires no integration beyond a form designed for the website, and it can be set up in 3 steps:
  1. Connect the form on the hosted website.
  2. Include attributes in all form elements (like <input>, <select> and <textarea>) to receive the submission data.
  3. The first submission of the form requires a user to confirm the specified email address.
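
A defender-side check built on the setup described above, as an added example that is not CloudSEK's or FormSubmit's own code: it parses a page's HTML and flags forms that post sensitive-looking fields to a form-to-email relay. The relay host `formsubmit.co`, the keyword list, and both sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts of form-to-email relays to flag (FormSubmit's endpoint host).
RELAY_HOSTS = {"formsubmit.co"}
# Assumption: field-name fragments that suggest banking credentials or PII.
SENSITIVE = ("card", "cvv", "otp", "aadhaar", "password", "account", "mobile")


class FormAudit(HTMLParser):
    """Collects each <form>'s action URL and the names of its input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str, "fields": [str]}
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            if a.get("name"):
                self._current["fields"].append(a["name"].lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit(html, page_host):
    """Return one finding per form that sends sensitive fields to a relay host."""
    parser = FormAudit()
    parser.feed(html)
    relay_suffixes = tuple("." + h for h in RELAY_HOSTS)
    findings = []
    for form in parser.forms:
        # A relative action posts back to the page's own host.
        host = (urlparse(form["action"]).hostname or page_host).lower()
        hits = sorted({f for f in form["fields"] if any(s in f for s in SENSITIVE)})
        if hits and (host in RELAY_HOSTS or host.endswith(relay_suffixes)):
            findings.append({"relay": host, "sensitive_fields": hits})
    return findings


# Constructed sample pages (not taken from the campaign).
SUSPECT = """<form action="https://formsubmit.co/collector@example.com" method="POST">
<input name="Card_Number"><input name="cvv"><input name="mobile"><input type="submit"></form>"""
BENIGN = """<form action="/login" method="POST"><input name="password"></form>"""
```

Substring matching on field names is deliberately broad, so treat a finding as a triage signal to review alongside the domain's age and branding rather than as a verdict.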
[Figure: Screenshot of the website of FormSubmit]

Similar Phishing Campaigns

  • Scammers are rapidly adopting newer technologies and abusing services/features provided by various SaaS platforms.
  • In 2022, CloudSEK observed a new trend of abusing domain forwarding services (mostly freemium) offered by web hosting providers to host phishing pages.
  • These campaigns are usually targeted at Indian banking customers.
  • Previously, the following services were abused by threat actors for their campaigns:
    • Reverse tunneling services offered by ngrok, TryCloudflare, LocalHostRun and more
    • Cloudflare Pages
    • Hostinger’s Preview Domain
    • A2 Hosting’s Services

Appendix

[Figure: Screenshot of the phishing website used by scammers to steal customers’ PII details]
