Nowadays, mobile banking users are easily attacked by hackers with the auto-generated SMS tool. This tool will create unique fake messages for banking users from different banks. Through this SMS-based phishing attacks, hackers will be able to obtain bank-account details of potential victims. These victims do not realize that they disclosed their bank-account access credentials when they get trapped by these SMS messages. This attack impacted mobile users located in several countries so far, which include the United States. Found victims are the clients from Chase, HSBC, TD, Scotiabank, and CIBC banks. The researcher considers this case as a warning for mobile users. In addition, the researchers had found at least 4,000 unique IP addresses of victim mobile users. Because it does not know a lot about how the attackers may have used the compromised credentials, it is hard to predict what’s the total financial loss from the attack.
According to the research, attackers spoofed the login pages of different banks and capture the credentials and other personal information of the clients. In order to make it look more authentic, attackers will even ask victims to answer the security questions in order to verify the user’s identity. Once the hackers use the auto-generated SMS tool to create fake messages that are targeting customers from different banks individually, they will spread out the text message out in mass volume. So far, there are 200 phishing pages that are imitating bank login pages found to be used in the campaign.
Recently, mobile phishing has become an attractive attack vector with the rapid development of mobile devices. As they are used frequently, it is always easier to obfuscate details of a scam. Besides, multi-factor authentication (MFA) that we used to secure our access to accounts also make SMS become a significant threat to consumers as SMS services are now used by banks to communicate with them. Therefore, customers less likely to scrutinize the messages they receive from hackers.
Contact LIFARS Immediately For
Your Cybersecurity Mitigation Plans