Category: Adversary Intelligence | Industry: Banking and Finance | Motivation: Financial | Region: Asia & Pacific
Executive Summary
THREAT
- Scammers use a free form service that requires no code integration to forward victims’ PII to a verified email address.
- Using this, scammers can steal banking credentials and PII.
IMPACT
- Stolen PII can be used to fuel various social engineering campaigns.
- Victims can be exploited financially.
MITIGATION
- Use XVigil to actively track events and take the necessary actions.
- Educate customers about such fraudulent activities through various social media posts.
Analysis and Attribution
- CloudSEK’s contextual AI digital risk platform XVigil uncovered a phishing campaign abusing a SaaS platform, named FormSubmit, to impersonate a popular Indian bank.
- FormSubmit is a no-code form service, designed to send input data from an HTML form straight to a specified email address.
- This campaign was uncovered while analyzing a suspect domain which was classified as a threat by XVigil on 10 November 2022.
Information from the Fake Domain
- The following information was gathered from the WHOIS records:
  - Creation Date: 08 November 2022
  - Updated Date: 08 November 2022
  - Domain Registrar: GoDaddy
Using FormSubmit to Create a Phishing Page
FormSubmit requires no integration, only a designed form on a website, and it can be set up in 3 steps:
- Connect the form on the hosted website
- Include attributes in all form elements (like <input>, <select> and <textarea>) to receive the submission data
- First-time submission of the form requires a user to confirm the specified email address.
[Figure: Screenshot of the website of FormSubmit]
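A defender-side check for the setup described above, as an added example that is not code from CloudSEK or FormSubmit: it scans a page's HTML for forms whose action posts to a form-to-email relay and lists the sensitive-looking fields each one collects. The relay host `formsubmit.co`, the token list and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: FormSubmit forms post to this host; extend with other relays you track.
RELAY_HOSTS = {"formsubmit.co"}
# Assumption: name tokens suggesting banking credentials or PII are being collected.
SENSITIVE_TOKENS = {"card", "cvv", "pin", "otp", "password", "pan",
                    "aadhaar", "account", "mobile", "dob"}

class FormRelayScanner(HTMLParser):
    """Records every <form> whose action targets a form-to-email relay host."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._current = None  # finding for the relay form being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            url = urlparse((attrs.get("action") or "").strip())
            host = (url.hostname or "").lower()
            self._current = None
            if host in RELAY_HOSTS or any(host.endswith("." + h) for h in RELAY_HOSTS):
                self._current = {"host": host, "recipient": url.path.strip("/"), "fields": []}
                self.findings.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = attrs.get("name") or ""
            # Split on separators so "atm_pin" matches but "shipping" does not.
            if SENSITIVE_TOKENS & set(re.split(r"[^a-z0-9]+", name.lower())):
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def scan(html):
    """Return one finding per relay-bound form: host, recipient path, sensitive fields."""
    scanner = FormRelayScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page: one benign search form and one form wired to the relay.
SAMPLE = """
<form action="/search" method="get"><input name="q"></form>
<form action="https://formsubmit.co/recipient@example.invalid" method="POST">
  <input type="text" name="card_number"><input type="password" name="atm_pin">
  <input type="text" name="full_name"><textarea name="shipping"></textarea>
</form>
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The recipient path in each finding is the value to include in an abuse report to the form service and in a takedown request for the hosting domain.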
Similar Phishing Campaigns
- Scammers are rapidly adopting newer technologies and abusing services/features provided by various SaaS platforms.
- In 2022, CloudSEK observed a new trend of abusing domain forwarding services (mostly freemium) offered by web hosting providers to host phishing pages.
- These campaigns are usually targeted at Indian banking customers.
- Previously, the following services were abused by threat actors for their campaigns:
  - Reverse tunneling services offered by ngrok, TryCloudflare, LocalHostRun and more.
  - Cloudflare Pages
  - Hostinger’s Preview Domain
  - A2 Hosting’s Services
Appendix
[Figure: Screenshot of the phishing website used by scammers to steal customers’ PII details]