Proofpoint researchers have found attackers combining credential phishing, banking Trojans, and credit card phishing in a single campaign to steal banking credentials. The campaign targets banks in Austria and involves Marcher, an Android banking trojan distributed through a phishing campaign. According to the data published by Proofpoint, 20,000 people are already affected by this campaign.
The attack begins with a banking credential phishing scheme, then tries to trick users into installing the Marcher Android trojan, and finally uses the banking trojan to try to steal credit card information. In this campaign, a phishing email containing a shortened bit.ly link is sent to customers; when clicked, it redirects to a fake Bank Austria website.
There, users are asked to log in with their account information and are then redirected to another page that asks for their email ID and phone number.
In the next step of the campaign, the attacker uses the stolen information to introduce a social engineering scheme in which users are asked to install a "Bank Austria Security App" on their smartphones. The message says: "Due to new EU money laundering guidelines, the new Bank Austria security app is mandatory for all customers who have a mobile phone number in our system." Users are then asked to click the URL or scan the QR code displayed in the message to download the app.
The link redirects to a page that gives users instructions on how to install the app. The instructions ask users to allow installation from unknown sources, grant extensive permissions, and accept the app's request to act as device administrator. According to the post, the extensive permissions requested by the fake app are:
- Allows an application to write to external storage.
- Allows an application to read from external storage.
- Allows an application to use SIP service.
- Allows an application to collect battery statistics.
- Allows an app to access precise location.
- Allows an application to receive SMS messages.
- Allows an application to send SMS messages.
- Allows an application to read SMS messages.
- Allows an application to write SMS messages.
- Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
- Allows applications to access information about networks.
- Allows applications to open network sockets.
- Allows an application to read the user's contacts data.
- Allows an application to read or write the system settings.
- Allows an application to force the device to lock.
- Allows applications to access information about Wi-Fi networks.
- Allows applications to change Wi-Fi connectivity state.
- Allows applications to change network connectivity state.
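For defenders triaging a suspicious "security app", the profile above can be checked against a manifest that has been decoded to text XML (for example with apktool). The following is an added example, not code from Proofpoint or the original post; the sample manifest, package name, permission grouping and verdict thresholds are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."
# Android permission names corresponding to entries in the list above.
SMS = {"RECEIVE_SMS", "SEND_SMS", "READ_SMS", "WRITE_SMS"}
SENSITIVE = {"CALL_PHONE", "READ_CONTACTS", "WRITE_SETTINGS", "USE_SIP",
             "ACCESS_FINE_LOCATION", "CHANGE_WIFI_STATE", "CHANGE_NETWORK_STATE"}

# Constructed manifest for illustration; not extracted from a real sample.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakesecurityapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

def triage(manifest_xml):
    """Summarise how much of the listed permission profile a manifest requests."""
    root = ET.fromstring(manifest_xml)
    # Reduce "android.permission.READ_SMS" to "READ_SMS" for set comparison.
    perms = {el.get(NS + "name", "").rsplit(".", 1)[-1]
             for el in root.iter("uses-permission")}
    # A receiver guarded by BIND_DEVICE_ADMIN means the app can ask the user
    # to make it a device administrator.
    admin = any(r.get(NS + "permission") == PREFIX + "BIND_DEVICE_ADMIN"
                for r in root.iter("receiver"))
    sms = sorted(perms & SMS)
    other = sorted(perms & SENSITIVE)
    # Assumed thresholds: SMS read+send plus network access plus a device-admin
    # request is escalated; any SMS access or admin request gets a manual review.
    if admin and "INTERNET" in perms and {"READ_SMS", "SEND_SMS"} <= perms:
        verdict = "escalate"
    elif sms or admin:
        verdict = "review"
    else:
        verdict = "low"
    return {"sms": sms, "other": other, "device_admin": admin, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

When the manifest comes from an untrusted APK, parse it with a hardened XML parser such as defusedxml rather than the standard library parser.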
About the Author
Jawad Ahamed - COO & Editor in Chief - SecureReading. Cyber Security Evangelist & Follower. Although Doctor by profession, now passionately in love with Information Security. Entrepreneur, Speaker & Writer!