| Category | Industry | Motivation | Region | Source* |
| --- | --- | --- | --- | --- |
| Adversary Intelligence | Finance & Banking | Finance | India | A1 |
- CloudSEK’s AI-powered Digital Risk Protection (DRP) Platform identified a Twitter account involved in a new type of phishing scam campaign in which the threat actor misuses Zoho Forms to steal information from banking customers.
- Further investigation revealed some suspicious comments made via a Twitter account impersonating the official customer care Twitter handle of a major bank.
- Whenever a customer tags the official banking customer care handle in a tweet, the fraudster pretends to assist them by providing a fake customer care number and an external shortened link that redirects to a Zoho Form service.
- The threat actor sets up a fake social media account (in this case, a Twitter account) with the brand logo as the profile picture.
- The fake account has a display name and username similar to the real account.
- Using these accounts, the actor comments on the Twitter posts of the banking customers seeking assistance or raising issues.
- A fake customer care number and a shortened URL are provided by the actor.
- The URL redirects the customer to a Zoho Form page which asks the user to input the following details:
  - Phone Number
  - First and Last Name
  - Credit/Debit Card Number
  - Expiry Date
  - Available Balance
- Once submitted, the above PII details are forwarded to the threat actor.
- The sentences used by the threat actor are professional and precisely written.
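A defender-side check that this modus operandi suggests, added here as an example and not part of CloudSEK's report: flag replies to a customer's complaint tweet that come from a handle resembling the official customer care account and that carry a shortened link or an unsolicited phone number. The official handle, the reply texts, the bit.ly link and the number 0000000000 are constructed placeholders, and the shortener list is an assumption.

```python
import re
from difflib import SequenceMatcher

# Constructed sample data: the genuine customer-care handle and three replies to a
# customer's complaint tweet. Handles, texts, URL and phone number are placeholders.
OFFICIAL_HANDLE = "ExampleBankCare"
REPLIES = [
    {"user": "ExampleBankCare", "text": "Hi, please DM us your registered mobile number."},
    {"user": "ExampleBank_Care",
     "text": "Sorry for the inconvenience. Call 0000000000 or share your details at https://bit.ly/xxxx"},
    {"user": "ravi_k", "text": "Same issue here, still waiting for a refund."},
]

# Common link shorteners (assumed list) and a 10-digit Indian mobile number pattern
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "rb.gy", "cutt.ly"}
URL_RE = re.compile(r"https?://([\w.-]+)")
PHONE_RE = re.compile(r"\b\d{10}\b")

def normalise(handle):
    """Lower-case and strip separators so ExampleBank_Care matches examplebankcare."""
    return re.sub(r"[\W_]", "", handle.lower())

def lookalike_score(handle, official=OFFICIAL_HANDLE):
    """1.0 means identical after normalisation; typical impersonators score 0.85+."""
    return SequenceMatcher(None, normalise(handle), normalise(official)).ratio()

def assess_reply(reply, official=OFFICIAL_HANDLE):
    """Return the indicators that make a reply look like a fake-support lure."""
    if reply["user"].lower() == official.lower():
        return []  # the genuine account; a real agent may legitimately quote a number
    reasons = []
    score = lookalike_score(reply["user"], official)
    if score >= 0.85:
        reasons.append(f"lookalike handle (similarity {score:.2f})")
    hosts = [h.lower() for h in URL_RE.findall(reply["text"])]
    if any(h in SHORTENER_DOMAINS for h in hosts):
        reasons.append("shortened URL")
    if PHONE_RE.search(reply["text"]):
        reasons.append("unsolicited phone number")
    return reasons

def flag_replies(replies, official=OFFICIAL_HANDLE):
    """Map each suspicious handle to its indicators; clean replies are omitted."""
    return {r["user"]: rs for r in replies if (rs := assess_reply(r, official))}

for user, reasons in flag_replies(REPLIES).items():
    print(f"@{user}: {'; '.join(reasons)}")
```

In a real deployment the replies would come from the platform's API for mentions of the official handle; the lookalike threshold should be tuned against known-good handles to avoid flagging customers with similar names.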
- The following contact number was shared by the fake account: 8240201899.
- OSINT performed on the number (8240201899) revealed the following:
  - It was associated with the Electricity Board bill payment scam uncovered by CloudSEK.
  - Several victims have reported the number. (For more information refer to the Appendix)
- *Intelligence source and information reliability (Wikipedia)
- Traffic Light Protocol (Wikipedia)
- Scammers Impersonate Electricity Board Officials to Gain Device Access & Exfiltrate Funds (CloudSEK)