Zoho Form Service Leveraged to Exfiltrate Sensitive PII from Banking Customers

August 26, 2022
4 min read

Category: Adversary Intelligence
Industry: Finance & Banking
Motivation: Finance
Region: India
Source*: A1

Executive Summary

Threat
  • Fake Twitter accounts impersonating banking entities to extort the victim’s PII & payment information via Zoho Forms.
Impact
  • PII can be exploited to conduct banking frauds and other social engineering attacks.
Mitigation
  • Identify and report fake domains.
  • Create an inclusive awareness campaign for customers to educate them about the organization’s processes.

Analysis and Attribution

  • CloudSEK’s AI-powered Digital Risk Protection (DRP) Platform identified a Twitter account involved in a new type of phishing scam campaign in which the threat actor misuses Zoho Forms to steal information from banking customers.
  • Further investigation revealed suspicious comments made via a Twitter account impersonating the official customer care Twitter handle of a major bank.
  • Whenever a customer tags the official banking customer care handle in a tweet, the fraudster pretends to assist them by providing a fake customer care number and an external shortened link that redirects to a Zoho Form.

Flow of the modus operandi of the scam

Modus Operandi

  • The threat actor sets up a fake social media account (in this case, a Twitter account) with the brand logo as the profile picture.
  • The fake account has a display name and username similar to those of the real account.
  • Using these accounts, the actor comments on the Twitter posts of banking customers who are seeking assistance or raising issues.
  • A fake customer care number and a shortened URL are provided by the actor.
  • The URL redirects the customer to a Zoho Form page that asks the user to input the following details:
    • Phone Number
    • First and Last Name
    • Credit/Debit Card No
    • Expiry Date
    • C Code
    • Available Balance
  • Once submitted, the above PII details are forwarded to the threat actor.
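The modus operandi above gives a brand-protection team three cheap signals to monitor in replies under its customer care handle: a lookalike username, a phone number offered as a "helpline", and a shortened link that hides the form destination. The following script is an added example (not CloudSEK's or the bank's code); the official handle, the sample replies and the shortener list are constructed placeholders.

```python
import re
from difflib import SequenceMatcher

# Assumed official customer care handle (placeholder, not a real account).
OFFICIAL_HANDLE = "ExampleBankCare"

# Constructed sample replies modelled on the scam flow described above:
# one genuine reply, one lookalike-handle lure, one unrelated customer.
SAMPLE_REPLIES = [
    {"handle": "ExampleBankCare",
     "text": "Please DM us your registered number, we will call you back."},
    {"handle": "ExampleBank_Care",
     "text": "Sorry for the trouble. Call our helpline 9999999999 or fill "
             "the form https://bit.ly/xxxxxxx"},
    {"handle": "randomuser42",
     "text": "Same issue here, no response from the bank."},
]

# Common URL shorteners (assumed list); the real destination is only known
# after following the redirect, so the shortener itself is the signal.
SHORTENER_RE = re.compile(
    r"https?://(?:bit\.ly|tinyurl\.com|t\.co|cutt\.ly|rb\.gy)/\S+", re.I)
# Ten-digit number not embedded in a longer digit run (Indian mobile format).
PHONE_RE = re.compile(r"(?<!\d)\d{10}(?!\d)")

def handle_similarity(a, b):
    """Case-insensitive similarity ratio in [0, 1] between two usernames."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()

def classify_reply(reply, official=OFFICIAL_HANDLE, threshold=0.8):
    """Return the list of indicators found in one reply (empty = clean)."""
    indicators = []
    handle = reply["handle"]
    if handle != official and handle_similarity(handle, official) >= threshold:
        indicators.append("lookalike_handle")
    if SHORTENER_RE.search(reply["text"]):
        indicators.append("shortened_url")
    if PHONE_RE.search(reply["text"]):
        indicators.append("phone_number")
    return indicators

def flag_replies(replies, official=OFFICIAL_HANDLE):
    """Handles that pair a lookalike name with a phone-number or link lure."""
    flagged = []
    for r in replies:
        ind = classify_reply(r, official)
        if "lookalike_handle" in ind and ("shortened_url" in ind or "phone_number" in ind):
            flagged.append(r["handle"])
    return flagged
```

Flagged handles are candidates for takedown reporting and for a warning reply to the customer; the similarity threshold should be tuned against the bank's own handle to avoid flagging legitimate regional sub-brands.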

 

Information from the Tweets

Upon analyzing the fake Twitter handle, the following information was uncovered:

  • The sentences used by the threat actor are professional and precisely written.
  • The following contact number was shared by the fake account: 8240201899.
  • OSINT performed on the number (8240201899) revealed the following:

Impact & Mitigation

Impact
  • The collected PII can be used by threat actors to launch successful social engineering attacks against the victim.
  • Threat actors will gain sensitive banking information, which may lead to financial loss.
Mitigation
  • Identify and report domains impersonating brand names and trademarks.
  • Create an inclusive awareness campaign to educate customers about the organization’s processes.

Appendix

Zoho Forms misused by threat actors

Note: Zoho Forms displays a disclaimer that explicitly warns users against sharing credit card details and other sensitive information.

Fake Twitter account impersonating the official banking entity’s Twitter account

 

Reply from the fake Twitter account on a customer’s post

 

The mobile number 8240201899 is reported as a scam number by victims

More replies on the customer’s tweet
