Zoho Form Service Leveraged to Exfiltrate Sensitive PII from Banking Customers

 

Category: Adversary Intelligence	Industry: Finance & Banking	Motivation: Finance	Region: India	Source*: A1

Executive Summary

THREAT	IMPACT	MITIGATION
Fake Twitter accounts impersonating banking entities to extort the victim’s PII & payment information via Zoho Forms.	PII can be exploited to conduct banking frauds and other social engineering attacks.	Identify and report fake domains. Create an inclusive awareness campaign for customers to educate them about the organization’s processes.

Analysis and Attribution

• CloudSEK’s AI powered Digital Risk Protection (DRP) Platform identified a Twitter account involved in a new type of phishing scam campaign where the threat actor is misusing Zoho Forms to steal information from banking customers.
• Further investigation revealed some suspicious comments made via a Twitter account impersonating the official customer care Twitter handle of a major bank.
• Whenever a customer tags the official banking customer care handle in a tweet, the fraudster pretends to assist them by providing a fake customer care number and an external shortened link that redirects to a Zoho Form service.

 

Modus Operandi

• The threat actor sets up a fake social media account (in this case, a Twitter account) with the brand logo as the profile picture.
• The fake account has a display name and username similar to the real account.
• Using these accounts, the actor comments on the Twitter posts of the banking customers seeking assistance or raising issues.
• A fake customer care number and a shortened URL is provided by the actor.
• The URL redirects the customer to a Zoho Form page which asks the user to input the following details:
  • Phone Number
  • First and Last Name
  • Credit/Debit Card No
  • Expiry Date
  • C Code
  • Available Balance
• Once submitted, the above PII details are forwarded to the threat actor.

 

Information from the Tweets

Upon analyzing the fake Twitter handle, the following information was uncovered:

• The sentences used by the threat actor are professional and precisely written.
• The following contact number was shared by the fake account: 8240201899.
• OSINT performed on the number (8240201899) revealed the following:
  • It was associated with the Electricity Board bill payment scam uncovered by CloudSEK.
  • Several victims have reported the number. (For more information refer to the Appendix)

Impact & Mitigation

Impact	Mitigation
The collected PII can be used by threat actors to launch successful social engineering attacks against the victim. Threat actors will gain sensitive banking information which may lead to financial loss.	Identify and report domains impersonating brand names and trademarks. Create an inclusive awareness campaign to educate customers about the organization’s processes.

References

• *Intelligence source and information reliability – Wikipedia
• ^#Traffic Light Protocol – Wikipedia
• Scammers Impersonate Electricity Board Officials to Gain Device Access & Exfiltrate Funds

Appendix

Note: Zoho forms have a disclaimer that explicitly warns users against sharing credit card details and other sensitive information.

 

 

The mobile number – 8240201899 is reported as a scam number by victims