Singaporean firm spots phishing campaign targeting Vietnamese victims

The campaign was launched back in 2019 with its first domain registered in May 2019. Since the onset, Group-IB has detected and taken down 240 interconnected domains, but new domains regularly emerge.

The latest, which is part of the cybercriminals’ infrastructure, was activated on June 1, 2022. Group-IB is continuing to cooperate with local authorities to block new domains, further containing the fraudulent operation.

While the number of victims remains unknown, Group-IB believes that at least 7,800 users, including 5,500 from Vietnam, have visited the domains since early 2021 and could fall prey to phishing.

Experts revealed that cybercriminals behind the campaign leveraged SMS, Telegram and What’s App messages, and even comments on Facebook pages of legitimate financial firms to redirect victims to their phishing websites.

One of the scammers’ SMS informs victims that they have won a gift and need to login to their bank portal to claim it. The scammers then provide shortened URLs to the victims for login.

Upon clicking on the URLs, the victims will be linked to a fake webpage featuring the logos of 27 highly-reputed banks. Once they pick their banks from the list, they are forwarded to another phishing page that disguises as a legitimate bank portal.

Should the victims input their credentials into the portal, they will be taken to the next where a One Time Password (OTP) is requested. After they submit their OTP via the fake authentication page, the cybercriminals instantly get full access to their bank accounts.

This duplicitous tactic allows phishers to steal money from victims' accounts and harvest their personal data, which will be traded in the underground cyber-community and purchased by criminal actors for follow-up attack on the victims.

Group-IB recommends users stay vigilant to any suspicious URLs on the browser and be wary of webpages that appear to malfunction or create long chains of redirection. 

They should also avoid purchasing from unauthorised sellers and clicking on links that offer large discounts. These links are likely fraudulent. It is critically important to confirm the credibility of the source in the first place.

Addtionally, users should enable two-factor authentication wherever possible and change passwords from time to time to keep data thefts at bay.

Banks impersonated by scammers should implement regular monitoring to detect fake sites that misuse their legitimate brand names and swiftly inform cybersecurity authorities to neutralise these malicious sites.

They should also utilise the automated machine-learning based Digital Risk Protection System to improve their knowledge about cyber risks and criminal tactics, thereby averting future attacks.