Scammers Misuse FormSubmit SaaS Platform to Steal PII of Indian Banking Customers
| Category:
Adversary Intelligence |
Industry:
Banking and Finance |
Motivation:
Financial |
Region:
Asia & Pacific |
|---|
Executive Summary
| THREAT | IMPACT | MITIGATION |
|---|---|---|
|
|
|
Analysis and Attribution
- CloudSEK’s contextual AI digital risk platform XVigil uncovered a phishing campaign abusing a SaaS platform, named FormSubmit, to impersonate a popular Indian bank.
- FormSubmit is a no-code form service, designed to send input data from an HTML form straight to a specified email address.
- This campaign was uncovered while analyzing a suspect domain which was classified as a threat by XVigil on 10 November 2022.
Information from the Fake Domain
- The following information was gathered from the WHOIS records:
- Creation Date: 08 November 2022
- Updation Date: 08 November 2022
- Domain Registrar: GoDaddy
Using FormSubmit to Create a Phishing Page
FormSubmit requires no integration but a designed form for a website and it can be set up within 3 steps:
- Connecting form in the hosted website
- Include attributes in all form elements (like <input>, <select> and <textarea>) to receive the submission data
- First-time submission of the form requires a user to confirm the specified email address.
Similar Phishing Campaigns
- Scammers are rapidly adopting newer technologies and abusing services/features provided by various SaaS platforms.
- In 2022, CloudSEK observed a new trend of abusing domain forwarding services(mostly freemium) offered by web hosting providers to host phishing pages.
- These campaigns are usually targeted at Indian banking customers.
- Previously the following services were abused by threat actors for their campaigns:
- Reverse tunneling services offered by ngrok, TryCloudflare, LocalHostRun and more.
- Cloudflare Pages
- Hostinger’s Preview Domain
- A2 Hosting’s Services
References
Appendix
Tags:
No items found.