Phishing Campaign Abusing Reverse Tunnel Service Provider, Portmap.io

Portmap.io was misused in a phishing campaign targeting Indian banking customers. Phishing URLs are distributed via smishing techniques.
Published on September 30, 2022
Updated on February 27, 2023
Category: Adversary Intelligence Industry: Banking and Finance Motivation: Financial Region: Asia & Pacific Source*: A1

Executive Summary

Threat
  • Portmap.io misused in a phishing campaign targeting Indian banking customers.
  • Phishing URLs distributed via smishing techniques.
Impact
  • Registered banking users are prompted to provide their PII.
  • Collected PII can be sold on the dark web or used to create fake bank accounts.
  • Many phishing links are not present on the internet, making them difficult to classify before the campaign launches at scale.
  • Loss of trust in the banks impersonated by the sites.
Mitigation
  • Real-time scans to identify phishing domains by name, trademarks, and images.
  • User awareness campaigns regarding malicious URLs.
  • Policies to ensure that reverse tunnel service providers assist victims in taking down such sites.

Analysis of the Phishing Campaign

  • CloudSEK’s contextual AI digital risk platform, XVigil, uncovered another phishing campaign targeting Indian banking customers, this time via the reverse tunnel service portmap.io.
  • The campaign was improvised and has a low detection rate.
  • Scammers are adopting new SaaS services, such as portmap.io, that allow phishing websites to be deployed with little or no code.

Modus Operandi

  • Portmap is essentially a port forwarding service: it lets a user expose a local system as a web server reachable from the internet without the system having a public IP address of its own.
  • Using Portmap’s FREE PLAN, scammers sign up for the service, create a configuration for a free OpenVPN tunnel, and set up the rules that forward traffic to the local machine.
  • Once the OpenVPN configuration file is run on the local machine, the machine starts acting as the web server for the phishing website, and the scammers receive a phishing URL of one of the following forms:
    • <targeted-entity-name>.portmap.io:<random-port-number>
    • <targeted-entity-name>.portmap.host:<random-port-number>
  • The shareable phishing URL is then distributed via SMS to banking customers in a way designed to create panic.
  • Before being distributed, these phishing URLs are occasionally disguised using URL shorteners.
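The URL shape described above (a brand-like label in front of portmap.io or portmap.host, followed by a random port, sometimes hidden behind a shortener) is easy to check for on the defender's side. The following script is an added example, not CloudSEK's or Portmap's code: it extracts URLs from constructed SMS lines, flags hosts under the two tunnel domains named in this post, notes non-standard ports and brand keywords in the tenant-chosen label, and marks shortener links for expansion before classification. The brand keyword list and the shortener list are assumptions a bank would replace with its own.

```python
import re
from urllib.parse import urlsplit

# Reverse-tunnel hostnames handed out by the provider described in this post.
TUNNEL_SUFFIXES = (".portmap.io", ".portmap.host")

# Constructed watchlist: a bank would populate this with its own brand names and trademarks.
BRAND_KEYWORDS = ("examplebank", "netbanking")

# Constructed list of URL-shortener hosts; shortened links must be expanded before a verdict.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly"}

# Loose URL matcher for SMS text: the scheme is optional because smishing often omits it.
URL_RE = re.compile(
    r"(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?::\d{1,5})?(?:/\S*)?", re.I
)


def classify_url(url):
    """Return a finding for one URL: host, port, verdict and the reasons behind it."""
    raw = url.strip()
    # urlsplit only treats 'host:port/path' as a network location when a scheme is present.
    parts = urlsplit(raw if "://" in raw else "http://" + raw)
    host = (parts.hostname or "").lower()
    reasons = []
    try:
        port = parts.port  # None when the URL carries no explicit port
    except ValueError:  # non-numeric or out-of-range port string
        port = None
        reasons.append("unparsable port")

    finding = {"url": raw, "host": host, "port": port, "reasons": reasons}

    if host in SHORTENER_HOSTS:
        reasons.append("URL shortener; expand and re-classify the destination")
        finding["verdict"] = "expand-shortener"
        return finding

    suffix = next((s for s in TUNNEL_SUFFIXES if host.endswith(s)), None)
    if suffix is None:
        finding["verdict"] = "clean"
        return finding

    reasons.append("reverse-tunnel host under " + suffix.lstrip("."))
    label = host[: -len(suffix)]  # the tenant-chosen part, e.g. the impersonated bank name
    hits = [kw for kw in BRAND_KEYWORDS if kw in label.replace("-", "").replace("_", "")]
    if port not in (None, 80, 443):
        reasons.append("non-standard port %d" % port)
    if hits:
        reasons.append("brand keyword in subdomain: " + ", ".join(hits))
        finding["verdict"] = "phishing-suspect"
    else:
        finding["verdict"] = "tunnel-host"  # worth review, but no brand match
    return finding


def scan_sms_lines(lines):
    """Extract every URL from each SMS line and classify it; one finding per URL."""
    findings = []
    for line in lines:
        for match in URL_RE.finditer(line):
            findings.append(classify_url(match.group(0)))
    return findings


# Constructed SMS samples modelled on the pattern described in the post (not real messages).
SMS_SAMPLES = [
    "Dear customer, your ExampleBank account will be blocked today. Update KYC: examplebank.portmap.io:54321/login",
    "Your netbanking is suspended, verify now https://netbanking-verify.portmap.host:40123/",
    "Reminder: your statement is ready at https://www.examplebank.example/statements",
    "Urgent! complete KYC at https://bit.ly/3abcXYZ",
]

if __name__ == "__main__":
    for f in scan_sms_lines(SMS_SAMPLES):
        print(f["verdict"], f["url"], "|", "; ".join(f["reasons"]))
```

The script matches on the provider's domains rather than on the bank name alone, so a fresh tenant label that has never been seen before still lands in the review queue as a tunnel host, which addresses the point that these links are not present on the internet before the campaign starts.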

Information from Open Source

  • Upon further investigation, CloudSEK's research team discovered Tweets from a victim of one such scam, a customer of one of India's well-known banks with a large customer base.
[Figure: Tweet from the customer complaining about a phishing website]

Impact & Mitigation

Impact
  • Data collected from phishing sites can be sold on the dark web.
  • Collected PII can also be used to create fake bank accounts and cards.
  • Many of the links are not present on the internet, making them difficult to classify before the campaign starts on a large scale.
  • Loss of trust in the banks impersonated by the sites.
Mitigation
  • Real-time scans to identify phishing domains, not just by name, but also by trademarks and images.
  • Awareness among customers regarding malicious URLs.
  • Policies to ensure that reverse tunnel service providers assist victims in taking down such sites.


Appendix

[Figure: Plans for portmap.io]
[Figure: Phishing website asking for Internet Banking details]
