Zoho Form Service Leveraged to Exfiltrate Sensitive PII from Banking Customers

CloudSEK’s AI powered Digital Risk Protection (DRP) Platform identified a Twitter account involved in a new type of phishing scam campaign where the threat actor is misusing Zoho Forms to steal information from banking customers.
Updated on April 19, 2023
Published on August 25, 2022
Category: Adversary Intelligence
Industry: Finance & Banking
Motivation: Finance
Region: India
Source*: A1

Executive Summary

Threat
  • Fake Twitter accounts impersonating banking entities to extort the victim's PII & payment information via Zoho Forms.
Impact
  • PII can be exploited to conduct banking frauds and other social engineering attacks.
Mitigation
  • Identify and report fake domains.
  • Create an inclusive awareness campaign for customers to educate them about the organization's processes.

Analysis and Attribution

  • CloudSEK’s AI powered Digital Risk Protection (DRP) Platform identified a Twitter account involved in a new type of phishing scam campaign where the threat actor is misusing Zoho Forms to steal information from banking customers.
  • Further investigation revealed some suspicious comments made via a Twitter account impersonating the official customer care Twitter handle of a major bank.
  • Whenever a customer tags the official banking customer care handle in a tweet, the fraudster pretends to assist them by providing a fake customer care number and an external shortened link that redirects to a Zoho Form service.
Figure: Flow of the modus operandi of the scam

Modus Operandi

  • The threat actor sets up a fake social media account (in this case, a Twitter account) with the brand logo as the profile picture.
  • The fake account has a display name and username similar to the real account.
  • Using these accounts, the actor comments on the Twitter posts of the banking customers seeking assistance or raising issues.
  • A fake customer care number and a shortened URL are provided by the actor.
  • The URL redirects the customer to a Zoho Form page which asks the user to input the following details:
    • Phone Number
    • First and Last Name
    • Credit/Debit Card No
    • Expiry Date
    • C Code
    • Available Balance
  • Once submitted, the above PII details are forwarded to the threat actor.
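The reply pattern described above (lookalike handle, a phone number and a shortened link that lands on a form-builder page) can be triaged automatically by a brand-protection team. The following is an added example, not CloudSEK's code: it assumes a hypothetical official handle, a small list of URL shorteners, and that shortened links have already been resolved out of band (e.g. in a sandbox) so the script runs offline; the sample replies, number and URLs are constructed.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Assumptions (hypothetical, not from the report): the bank's official support handle,
# shorteners treated as opaque, and hostnames assumed for public Zoho Forms pages.
OFFICIAL_HANDLE = "examplebank_care"
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly", "rb.gy"}
FORM_HOSTS = ("forms.zohopublic.com", "forms.zoho.com", "forms.zohopublic.in")

PHONE_RE = re.compile(r"(?<!\d)(?:\+91[\s-]?)?[6-9]\d{9}(?!\d)")  # Indian mobile numbers
URL_RE = re.compile(r"https?://[^\s)]+")

def normalize_handle(handle: str) -> str:
    """Undo common mimicry tricks: case, separators, digit-for-letter swaps."""
    h = re.sub(r"[._-]", "", handle.lower().lstrip("@"))
    return h.translate(str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"}))

def is_lookalike(handle: str, threshold: float = 0.8) -> bool:
    """True when the handle is not the official one but reads almost identically."""
    if handle.lower().lstrip("@") == OFFICIAL_HANDLE.lower():
        return False
    ratio = SequenceMatcher(None, normalize_handle(handle),
                            normalize_handle(OFFICIAL_HANDLE)).ratio()
    return ratio >= threshold

def score_reply(author_handle: str, text: str, resolved_urls=None) -> dict:
    """Collect the report's indicators for one reply; resolved_urls maps short URL -> landing URL."""
    resolved_urls = resolved_urls or {}
    indicators = []
    if is_lookalike(author_handle):
        indicators.append("lookalike_handle")
    if PHONE_RE.search(text):
        indicators.append("phone_number_in_reply")
    for url in URL_RE.findall(text):
        if urlparse(url).netloc.lower() in SHORTENERS:
            indicators.append("shortened_url")
        landing = resolved_urls.get(url, url)
        if urlparse(landing).netloc.lower().endswith(FORM_HOSTS):
            indicators.append("form_builder_landing_page")
    return {"handle": author_handle, "indicators": indicators, "score": len(indicators)}

# Constructed sample replies (not real tweets); the number and URLs are made up.
SAMPLE_REPLIES = [
    ("@examplebank_care", "Hi, please DM us your registered mobile number and we will help.", {}),
    ("@examplebank__care", "Sir call helpline 9876543210 or fill https://bit.ly/3xyzabc for refund",
     {"https://bit.ly/3xyzabc": "https://forms.zohopublic.com/acct/form/Refund/formperma/abc123"}),
]

def triage(replies=SAMPLE_REPLIES, min_score=2):
    """Return only replies that trip at least min_score indicators, for analyst review."""
    return [r for r in (score_reply(*x) for x in replies) if r["score"] >= min_score]
```

Flagged replies are a starting point for reporting the impersonating account and the landing page, not a verdict on their own.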

Information from the Tweets

Upon analyzing the fake Twitter handle, the following information was uncovered:
  • The sentences used by the threat actor are professional and precisely written.
  • The following contact number was shared by the fake account: 8240201899.
  • OSINT performed on the number (8240201899) revealed the following:

Impact & Mitigation

Impact
  • The collected PII can be used by threat actors to launch successful social engineering attacks against the victim.
  • Threat actors will gain sensitive banking information which may lead to financial loss.
Mitigation
  • Identify and report domains impersonating brand names and trademarks.
  • Create an inclusive awareness campaign to educate customers about the organization’s processes.

Appendix

Figure: Zoho Forms misused by threat actors
Note: Zoho Forms carries a disclaimer that explicitly warns users against sharing credit card details and other sensitive information.
Figure: Fake Twitter account impersonating the official banking entity's Twitter account
Figure: Reply from the fake Twitter account on a customer’s post
Figure: The mobile number 8240201899 is reported as a scam number by victims
Figure: More replies on a customer’s tweet
