Finance & Banking
- Fake Twitter accounts impersonating banking entities to extort the victim's PII & payment information via Zoho Forms.
- PII can be exploited to conduct banking frauds and other social engineering attacks.
- Identify and report fake domains.
- Create an inclusive awareness campaign for customers to educate them about the organization's processes.
Analysis and Attribution
- CloudSEK’s AI powered Digital Risk Protection (DRP) Platform identified a Twitter account involved in a new type of phishing scam campaign where the threat actor is misusing Zoho Forms to steal information from banking customers.
- Further investigation revealed some suspicious comments made via a Twitter account impersonating the official customer care Twitter handle of a major bank.
- Whenever a customer tags the official banking customer care handle in a tweet, the fraudster pretends to assist them by providing a fake customer care number and an external shortened link that redirects to a Zoho Form service.
[caption id="attachment_20446" align="alignnone" width="804"]
Flow of the modus operandi of the scam[/caption]
- The threat actor sets up a fake social media account (in this case, a Twitter account) with the brand logo as the profile picture.
- The fake account has a display name and username similar to the real account.
- Using these accounts, the actor comments on the Twitter posts of the banking customers seeking assistance or raising issues.
- A fake customer care number and a shortened URL is provided by the actor.
- The URL redirects the customer to a Zoho Form page which asks the user to input the following details:
- Phone Number
- First and Last Name
- Credit/Debit Card No
- Expiry Date
- C Code
- Available Balance
- Once submitted, the above PII details are forwarded to the threat actor.
Information from the Tweets
Upon analyzing the fake Twitter handle, the following information was uncovered:
- The sentences used by the threat actor are professional and precisely written.
- The following contact number was shared by the fake account: 8240201899.
- OSINT performed on the number (8240201899) revealed the following:
Impact & Mitigation
- The collected PII can be used by threat actors to launch successful social engineering attacks against the victim.
- Threat actors will gain sensitive banking information which may lead to financial loss.
- Identify and report domains impersonating brand names and trademarks.
- Create an inclusive awareness campaign to educate customers about the organization’s processes.
[caption id="attachment_21578" align="aligncenter" width="797"]
Zoho forms misused by threat actors[/caption]
Note: Zoho forms have a disclaimer that explicitly warns users against sharing credit card details and other sensitive information.
[caption id="attachment_20448" align="alignnone" width="746"]
Fake twitter account impersonating - the official banking entity twitter account[/caption]
[caption id="attachment_20449" align="alignnone" width="739"]
Reply from the fake twitter account on a customer’s post[/caption]
The mobile number - 8240201899 is reported as a scam number by victims
[caption id="attachment_20452" align="alignnone" width="738"]
More reply on customer’s tweet[/caption]