Category: Adversary Intelligence
Industry: Banking and Finance
Motivation: Financial
Region: Asia & Pacific
Source*: A1
Executive Summary

THREAT
- Portmap.io misused in a phishing campaign targeting Indian banking customers.
- Phishing URLs distributed via smishing (SMS phishing).
- Registered banking users are prompted to provide their PII.

IMPACT
- PII collected can be sold on the dark web or used to create fake bank accounts.
- Many phishing links are not present on the internet, making it difficult to classify them before the campaign launches on a large scale.
- Loss of trust in the banks impersonated by the sites.

MITIGATION
- Real-time scans to identify phishing domains by name, trademarks, and images.
- User awareness campaigns regarding malicious URLs.
- Policies to ensure that reverse tunnel service providers assist victims in taking down such sites.
Analysis of the Phishing Campaign
- CloudSEK's contextual AI digital risk platform XVigil uncovered another phishing campaign targeting Indian banking customers via a reverse tunnel service, portmap.io.
- The campaign is improvised and has a low detection rate.
- Scammers are adopting new SaaS services, such as portmap.io, that provide low-code to zero-code deployment of phishing websites.
Modus Operandi
- Portmap is essentially a port forwarding service that allows threat actors to turn their local system into a web server reachable from the internet without a public IP address.
- Using Portmap's FREE PLAN, scammers sign up for the service, create a configuration for a free OpenVPN tunnel, and set up the rules to connect with the local machine.
- Once the OpenVPN configuration file is run on the local machine, it starts acting as a web server for the phishing website and the scammers get a phishing URL that looks like one of the following:
- <targeted-entity-name>.portmap.io:<random-port-number>
- <targeted-entity-name>.portmap.host:<random-port-number>
- The shareable phishing URL is then distributed via SMS to banking customers, worded to create a sense of panic among recipients.
- Before being distributed, these phishing URLs are occasionally disguised using URL shorteners.
Information from Open Source
- Upon further investigation, CloudSEK's research team discovered tweets from a victim of one such scam, a customer of one of India's well-known banks with a large customer base.
[Figure: Tweet from the customer complaining about a phishing website]
Impact & Mitigation

Impact
- Data collected from phishing sites can be sold on the dark web.
- Collected PII can also be used to create fake bank accounts and cards.
- Many of the links are not present on the internet, making it difficult to classify them before the campaign starts on a large scale.
- Loss of trust in the banks impersonated by the sites.

Mitigation
- Real-time scans to identify phishing domains, not just by name, but also by trademarks and images.
- Awareness among customers regarding malicious URLs.
- Policies to ensure that reverse tunnel service providers assist victims in taking down such sites.
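The URL shape described under Modus Operandi (a brand name as the subdomain of portmap.io or portmap.host, followed by a random port) is something a bank's SOC can match on directly, which is one concrete form of the "real-time scans by name" mitigation above. The following is an added example, not CloudSEK's or portmap.io's code; the brand keywords and the SMS texts are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Reverse-tunnel domains named in the report.
TUNNEL_SUFFIXES = ("portmap.io", "portmap.host")
# Brand keywords a bank's security team would monitor (hypothetical, not from the report).
MONITORED_BRANDS = ("examplebank", "exbank")
# Loose URL matcher for free text such as reported SMS bodies (scheme optional).
URL_RE = re.compile(r"(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?::\d{1,5})?(?:/\S*)?", re.I)


def classify_url(url: str) -> dict:
    """Score one URL on three signals: tunnel hostname, brand in subdomain, non-standard port."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    try:
        port = parts.port
    except ValueError:          # port outside 0-65535 in a malformed URL
        port = -1
    suffix = next((s for s in TUNNEL_SUFFIXES if host == s or host.endswith("." + s)), None)
    subdomain = host[: -len(suffix) - 1] if suffix and host != suffix else ""
    brand = next((b for b in MONITORED_BRANDS if b in subdomain), None)
    nonstandard_port = port not in (None, 80, 443)
    score = sum((suffix is not None, brand is not None, nonstandard_port))
    # A bare tunnel domain alone is not enough; require the tunnel plus one more signal.
    return {"host": host, "tunnel": suffix, "brand": brand, "port": port,
            "score": score, "suspect": suffix is not None and score >= 2}


def scan_messages(messages):
    """Extract URLs from SMS texts and return the verdicts flagged as suspect."""
    hits = []
    for msg in messages:
        for m in URL_RE.finditer(msg):
            verdict = classify_url(m.group(0))
            if verdict["suspect"]:
                hits.append(verdict)
    return hits


# Constructed sample SMS texts (not real messages from the campaign).
SAMPLE_SMS = [
    "Dear customer your account will be blocked today. Update KYC: examplebank.portmap.io:38512/login",
    "Your OTP is 482913. Do not share it with anyone.",
    "Statement ready at https://www.examplebank.example/statements",
]

if __name__ == "__main__":
    for hit in scan_messages(SAMPLE_SMS):
        print(hit)
```

URL shorteners (mentioned in the report) hide the hostname, so in practice the scanner should be fed the final destination after redirects are resolved, not the shortened link.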
Appendix
[Figure: Plans for portmap.io]
[Figure: Phishing website asking for Internet Banking details]