Category: Adversary Intelligence	Industry: Banking and Finance	Motivation: Financial	Region: Asia & Pacific	Source*: A1

Executive Summary

THREAT	IMPACT	MITIGATION
Portmap.io misused in phishing campaign targeting Indian banking customers. Phishing URLs distributed via smishing techniques. Registered banking users are prompted to provide their PII.	PII collected can be sold on the dark web or to create fake bank accounts. Many phishing links are not present on the internet, making it difficult to classify before the campaign launches on a scale. Loss of trust in banks impersonated by the sites.	Real-time scans to identify phishing domains by name, trademarks, and images. User awareness campaigns regarding malicious URLs. Policies to ensure that reverse tunnel service providers assist victims to takedown such sites.

Analysis of the Phishing Campaign

• CloudSEK’s contextual AI digital risk platform XVigil, uncovered another phishing campaign targeting Indian banking customers via a reverse tunnel service, portmap.io.
• The campaign was improvised and has a low detection rate.
• Scammers are adopting new SaaS services which provide low code to zero code deployment of phishing websites such as portmap.io.

Also Read Cloudflare Pages Misused in a Phishing Campaign Against Indian Banking Customers

Modus Operandi

• Portmap is essentially a port forwarding service that allows threat actors to turn their local system into a web server that can be accessed via the internet without a real IP address.
• Using Portmap’s FREE PLAN, scammers sign up for the service, create a configuration for a free OpenVPN tunnel, and set up the rules to connect with the local machine.
• Once the OpenVPN configuration file is run on the local machine, it starts acting as a web server for the phishing website and the scammers get a phishing URL that looks like one of the following:
  • <targeted-entity-name>.protmap.io:<random-port-number>
  • <targeted-entity-name>.protmap.host:<random-port-number>
• The shareable phishing URL is then distributed via SMS to banking customers to create a panic situation.
• Before being distributed, these phishing URLs are occasionally disguised using URL shorteners.

Information from Open Source

• Upon further investigation, CloudSEK's research team discovered Tweets from a victim of one such scam, who is a customer of one of India's famous banks with a large customer base.

[caption id="attachment_20900" align="alignnone" width="605"] Tweet from the customer complaining about a phishing website[/caption]

Impact & Mitigation

Impact	Mitigation
Data collected from phishing sites can be sold on the dark web. Collected PII can also be used to create fake bank accounts and cards. Many of the links are not present on the internet, making it difficult to classify before the campaign starts on a large scale. Loss of trust in banks impersonated by the sites.	Real-time scans to identify phishing domains, not just by the name, but also by trademarks and images. Awareness among customers regarding malicious URLs. Policies to ensure that reverse tunnel service providers assist victims to takedown such sites.

References

• *Intelligence source and information reliability - Wikipedia
• ^#Traffic Light Protocol - Wikipedia
• Cybercriminals Exploit Reverse Tunnel Services and URL Shorteners to Launch Large-Scale Phishing Campaigns

Also Read Advanced Phishing Scams Target Individuals & Businesses in the Middle East

Appendix

[caption id="attachment_20901" align="alignnone" width="1081"] Plans for portmap.io[/caption]   [caption id="attachment_20902" align="alignnone" width="439"] Phishing Website asking for Internet Banking Details[/caption]