Zoho Form Service Leveraged to Exfiltrate Sensitive PII from Banking Customers

Summary

CloudSEK’s AI powered Digital Risk Protection (DRP) Platform identified a Twitter account involved in a new type of phishing scam campaign where the threat actor is misusing Zoho Forms to steal information from banking customers.
 
Category: Adversary Intelligence
Industry: Finance & Banking
Motivation: Finance
Region: India
Source*: A1

Executive Summary

Threat
  • Fake Twitter accounts impersonating banking entities harvest victims' PII and payment-card details via Zoho Forms.
Impact
  • The PII can be exploited to conduct banking fraud and further social engineering attacks.
Mitigation
  • Identify and report fake domains and impersonating social media handles, and report the abused form to the hosting provider.
  • Create an inclusive awareness campaign that educates customers about the organization's processes (in particular, that the bank never asks for card numbers, CVVs or balances through a web form or a reply on social media).

Analysis and Attribution

  • CloudSEK’s AI powered Digital Risk Protection (DRP) Platform identified a Twitter account involved in a new type of phishing scam campaign where the threat actor misuses Zoho Forms to steal information from banking customers.
  • Further investigation revealed suspicious replies posted from a Twitter account impersonating the official customer care handle of a major bank.
  • Whenever a customer tags the bank's official customer care handle in a tweet, the fraudster pretends to assist them by providing a fake customer care number and a shortened link that redirects to a Zoho Forms page.
[Figure: Flow of the modus operandi of the scam]
 

Modus Operandi

  • The threat actor sets up a fake social media account (in this case, a Twitter account) with the brand logo as the profile picture.
  • The fake account has a display name and username similar to the real account.
  • Using this account, the actor replies to tweets from the bank's customers who are seeking assistance or raising issues.
  • The reply offers a fake customer care number and a shortened URL.
  • The URL redirects the customer to a Zoho Forms page which asks the user to input the following details:
    • Phone Number
    • First and Last Name
    • Credit/Debit Card No
    • Expiry Date
    • CVV
    • Available Balance
  • Once submitted, the above PII details are delivered to the threat actor, who owns the form.
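The modus operandi above maps directly onto a triage rule a brand-protection or SOC team can run over the replies in the bank's own support threads. The following script is an added example written for this page, not CloudSEK's detection logic or any bank's tooling: it scores each reply for a lookalike username, a brand name on an unverified profile, an in-thread phone number, and a link to a URL shortener or a hosted form. The official handle (@ExampleBankCare), the brand keywords, the shortener list and the sample replies are all hypothetical and constructed here; the Zoho Forms public-form hosts are an assumption you should confirm against your own telemetry.

```python
import difflib
import re
from dataclasses import dataclass

# Hypothetical official customer-care handle (not a real bank) and the brand
# strings its impersonators typically reuse. Assumptions for this example.
OFFICIAL_HANDLE = "ExampleBankCare"
BRAND_KEYWORDS = ("examplebank", "example bank")

# Assumed indicator lists: Zoho Forms public-form hosts plus a few common
# URL shorteners. Illustrative only; extend from your own telemetry.
FORM_HOSTS = {"forms.zohopublic.com", "forms.zohopublic.in"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "cutt.ly", "rb.gy", "is.gd"}

URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
# Indian 10-digit mobile number, optionally prefixed with +91.
PHONE_RE = re.compile(r"(?:\+91[\s-]?)?\b[6-9]\d{9}\b")


@dataclass
class Reply:
    username: str
    display_name: str
    verified: bool
    text: str


def handle_similarity(a: str, b: str) -> float:
    """Case-insensitive similarity ratio between two usernames (0.0 to 1.0)."""
    return difflib.SequenceMatcher(None, a.lower(), b.lower()).ratio()


def score_reply(reply: Reply, official: str = OFFICIAL_HANDLE) -> list:
    """Return the reasons a reply looks like an impersonation attempt.

    The official account itself is never flagged. For everyone else the checks
    mirror the modus operandi: lookalike handle, brand name on an unverified
    profile, phone number offered in-thread, shortened or hosted-form link.
    """
    if reply.username.lower() == official.lower():
        return []
    reasons = []

    sim = handle_similarity(reply.username, official)
    if sim >= 0.8:
        reasons.append(f"username @{reply.username} resembles @{official} (similarity {sim:.2f})")

    if not reply.verified and any(k in reply.display_name.lower() for k in BRAND_KEYWORDS):
        reasons.append("unverified account uses the brand name as its display name")

    if PHONE_RE.search(reply.text):
        reasons.append("phone number offered in the reply")

    for host in (h.lower() for h in URL_RE.findall(reply.text)):
        if host in URL_SHORTENERS:
            reasons.append(f"shortened link via {host}")
        elif host in FORM_HOSTS:
            reasons.append(f"link to hosted form service {host}")

    return reasons


def triage(replies, official: str = OFFICIAL_HANDLE, threshold: int = 2) -> dict:
    """Map username -> reasons for every reply with at least `threshold` reasons."""
    flagged = {}
    for r in replies:
        reasons = score_reply(r, official)
        if len(reasons) >= threshold:
            flagged[r.username] = reasons
    return flagged


# Constructed sample thread (not real accounts, numbers or tweets).
SAMPLE_REPLIES = [
    Reply("ExampleBankCare", "ExampleBank Customer Care", True,
          "Hi, please DM us your registered mobile number and we will look into it."),
    Reply("ExampleBank_Care", "ExampleBank Care", False,
          "Sorry for the inconvenience. Call 9876543210 or submit your details at "
          "https://forms.zohopublic.com/example/form/Support/formperma/abc123 for a quick resolution."),
    Reply("HelpfulUser42", "Arjun", False,
          "Same issue here since morning, still waiting for a reply."),
]

if __name__ == "__main__":
    for user, why in triage(SAMPLE_REPLIES).items():
        print(f"@{user}:")
        for w in why:
            print(f"  - {w}")
```

Requiring two independent indicators before flagging keeps ordinary customers who mention a phone number out of the queue; in the constructed thread only the lookalike handle is flagged, with all four reasons. The shortener check catches the first hop only, so in production resolve the shortened link (in a sandbox) and re-apply the form-host check to the final destination.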
 

Information from the Tweets

Upon analyzing the fake Twitter handle, the following information was uncovered:
  • The sentences used by the threat actor are professional and precisely written, which makes the replies harder to distinguish from genuine support responses.
  • The following contact number was shared by the fake account: 8240201899.
  • OSINT performed on the number (8240201899) revealed the following:

Impact & Mitigation

Impact
  • The collected PII can be used by threat actors to launch successful social engineering attacks against the victim.
  • Threat actors gain sensitive banking information, which may lead to financial loss.
Mitigation
  • Identify and report domains impersonating brand names and trademarks.
  • Create an inclusive awareness campaign to educate customers about the organization’s processes.

Appendix

[Figure: Zoho Form used by the threat actor to steal banking information]
 
[Figure: Fake Twitter account impersonating the official banking entity's Twitter account]
 
[Figure: Reply from the fake Twitter account on a customer’s post]
 
[Figure: The mobile number 8240201899 is reported as a scam number by victims]
[Figure: Further replies on customers’ tweets]
   
