A new phishing attack lurking to scam banking customers: Advisory


It has been discovered that Indian banking customers are being targeted by a new type of phishing attack that employs the ngrok platform to collect sensitive information such as internet banking credentials, mobile numbers, and OTPs in order to carry out fraudulent transactions.

Using ngrok, attackers have approached bank customers with phishing websites that impersonate the internet banking platforms of Indian banks. The Indian Computer Emergency Response Team (CERT-In) is the government’s technical arm for combating cyber-attacks and protecting the internet from phishing, hacking, and other online threats.

How are the malicious actors tricking the banking customers into clicking their phishing websites?

The phishing attempts begin with SMS messages, sent through email-to-text services, that contain links ending in ngrok.io/xxxbank, where xxx denotes the bank’s name.

When a victim clicks on the link and logs into the website with his/her internet banking credentials, the attacker generates a two-factor authentication OTP that is sent to the victim’s mobile phone. The victim enters the OTP on the webpage, where it is captured by the attacker. The attacker then gains access to the victim’s account and conducts fraudulent activities.

A sample SMS looks like the one below:

“Dear customer your xxx bank account will be suspended! Please Re KYC Verification Update click here link http://446bdf227fc4.ngrok.io/xxxbank”.

Best practices to avoid these kinds of attacks, as suggested by the cybersecurity agency:

Keep an eye out for unusual cellphone numbers; attackers often utilize email-to-text services to send SMSes to hide their identities, so these numbers aren’t the same as the genuine ones.

Instead of a phone number, genuine bank SMSs frequently include a sender id (composed of the bank’s short name).

Internet banking users are also advised to only click on URLs that clearly indicate the website domain, and if in doubt, to use search engines to find the bank’s website to ensure that the website they visited is genuine.

Users are advised to hover their cursors over abbreviated URLs while visiting websites to read the full URL, or to use a URL checker to view the entire URL. Bank customers should also watch for misspellings and/or letter substitutions in the URLs of websites they visit.
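The checks described above (phone-number sender, ngrok.io link, bank name in the path) can be automated on an SMS gateway or in a mailbox filter. The following is an added example, not part of the advisory; the sender values, the genuine-looking message, the lure-word list and all function names are constructed assumptions, and only the phishing SMS text comes from the sample above.

```python
import re
from urllib.parse import urlsplit

# Assumption: the advisory names only ngrok.io; extend this tuple as needed.
TUNNEL_SUFFIXES = ("ngrok.io",)
URL_RE = re.compile(r"https?://[^\s\"'<>”]+", re.IGNORECASE)
# Genuine bank SMSs carry a sender ID built from the bank's short name, not a number.
PHONE_RE = re.compile(r"^\+?\d[\d\s-]{6,}$")
LURE_WORDS = ("kyc", "suspended", "verification")  # taken from the sample SMS wording

# Sample SMS text from the advisory; the sender numbers/IDs below are constructed.
SAMPLE_PHISH = ("Dear customer your xxx bank account will be suspended! Please Re KYC "
                "Verification Update click here link http://446bdf227fc4.ngrok.io/xxxbank”.")
SAMPLE_GENUINE = "INR 500.00 debited from a/c XX1234. Details: https://www.xxxbank.example/help"


def host_matches(host, suffix):
    """True for the suffix itself or a real subdomain, not look-alikes such as 'evilngrok.io'."""
    host = host.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)


def score_sms(sender, body):
    """Return the list of reasons an SMS matches the pattern described in the advisory."""
    reasons = []
    if PHONE_RE.match(sender.strip()):
        reasons.append("sender-is-phone-number")
    for raw in URL_RE.findall(body):
        url = urlsplit(raw.rstrip(".,)"))
        host = url.hostname or ""
        if any(host_matches(host, s) for s in TUNNEL_SUFFIXES):
            reasons.append("tunnel-host:" + host)
            if "bank" in url.path.lower():
                reasons.append("bank-name-in-path")
    if any(word in body.lower() for word in LURE_WORDS):
        reasons.append("lure-wording")
    return reasons


if __name__ == "__main__":
    print(score_sms("+915550123456", SAMPLE_PHISH))   # constructed sender number
    print(score_sms("AD-XXXBNK", SAMPLE_GENUINE))     # constructed sender ID
```

Matching the host on a dot boundary matters here: a plain substring test would also flag unrelated domains that merely contain the string "ngrok.io".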

Other counter-measures include the frequently repeated guidelines that are recommended for safe internet browsing and access.

• Install and maintain up-to-date anti-virus and anti-spyware software, filtering tools (including anti-virus and content-based filtering), firewalls, and filtering services.

• Refresh spam filters with the most recent spam mail content. Customers should immediately report any odd activity in their accounts to their respective banks.
