Fake Twitter accounts impersonating banking entities to harvest the victim's PII and payment card information via Zoho Forms.
PII can be exploited to conduct banking frauds and other social engineering attacks.
Identify and report fake domains.
Create an inclusive awareness campaign for customers to educate them about the organization’s processes.
Analysis and Attribution
CloudSEK’s AI powered Digital Risk Protection (DRP) Platform identified a Twitter account involved in a new type of phishing scam campaign where the threat actor is misusing Zoho Forms to steal information from banking customers.
Further investigation revealed some suspicious comments made via a Twitter account impersonating the official customer care Twitter handle of a major bank.
Whenever a customer tags the official banking customer care handle in a tweet, the fraudster pretends to assist them by providing a fake customer care number and an external shortened link that redirects to a Zoho Form service.
Flow of the modus operandi of the scam
Modus Operandi
The threat actor sets up a fake social media account (in this case, a Twitter account) with the brand logo as the profile picture.
The fake account has a display name and username similar to the real account.
Using these accounts, the actor replies to tweets from bank customers who are seeking assistance or raising issues.
A fake customer care number and a shortened URL are provided by the actor.
The URL redirects the customer to a Zoho Form page which asks the user to input the following details:
Phone Number
First and Last Name
Credit/Debit Card No
Expiry Date
C Code
Available Balance
Once submitted, the above PII details are forwarded to the threat actor.
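The pattern above can be turned into a simple triage rule for a brand-monitoring team. The following Python is an added example, not CloudSEK's code or anything from the original report: it scores replies to a customer's complaint tweet against the three indicators the modus operandi describes (an unverified lookalike handle, a phone number in the reply, and a shortened link). The official handle, brand token, shortener list and sample replies are constructed placeholders.

```python
import re
from difflib import SequenceMatcher

# Assumed values: a hypothetical verified customer-care handle and its brand token.
OFFICIAL_HANDLE = "examplebankcare"
BRAND_TOKENS = ("examplebank",)
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "cutt.ly", "t.ly"}
PHONE_RE = re.compile(r"(?<!\d)\+?\d[\d\- ]{8,}\d(?!\d)")
HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def handle_lookalike(username: str, official: str = OFFICIAL_HANDLE) -> bool:
    """True when username resembles the official handle without being it."""
    u, o = username.lower().lstrip("@"), official.lower().lstrip("@")
    if u == o:
        return False
    similar = SequenceMatcher(None, u, o).ratio() >= 0.75
    return similar or any(token in u for token in BRAND_TOKENS)


def score_reply(reply: dict) -> dict:
    """Match one reply against the indicators described in the modus operandi."""
    indicators = []
    if not reply.get("verified") and handle_lookalike(reply["username"]):
        indicators.append("lookalike_handle")
    if PHONE_RE.search(reply["text"]):
        indicators.append("phone_number")
    hosts = {h.lower() for h in HOST_RE.findall(reply["text"])}
    if hosts & URL_SHORTENERS:
        indicators.append("shortened_url")
    # An unverified lookalike that also pushes a number or a link is the case to act on.
    suspicious = "lookalike_handle" in indicators and len(indicators) >= 2
    return {"username": reply["username"], "indicators": indicators, "suspicious": suspicious}


# Constructed sample replies to a customer's complaint tweet (not real accounts or links).
SAMPLE_REPLIES = [
    {"username": "@examplebankcare", "verified": True,
     "text": "We are sorry for the trouble. Please DM us your registered mobile number."},
    {"username": "@examplebank_care", "verified": False,
     "text": "Dear customer, call our helpline 0000000000 or submit the form https://bit.ly/placeholder"},
    {"username": "@random_user42", "verified": False,
     "text": "Same issue here, no response for 2 days."},
]


def flag_replies(replies=SAMPLE_REPLIES) -> list:
    """Return the usernames whose replies match the impersonation pattern."""
    return [r["username"] for r in map(score_reply, replies) if r["suspicious"]]
```

Flagged handles are candidates for a takedown report to the platform; resolving where the shortened link lands (the Zoho Form in this campaign) is a separate step done in a sandboxed URL expander.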
Information from the Tweets
Upon analyzing the fake Twitter handle, the following information was uncovered:
The sentences used by the threat actor are professional and precisely written.
The following contact number was shared by the fake account: 8240201899.
OSINT performed on the number (8240201899) revealed the following: