Summary
Netskope Threat Labs is tracking phishing campaigns that target customers of seven different financial institutions across North, Central, and Latin America, with the goal of stealing their credentials to make fraudulent transactions. The attackers abuse Royal Web Hosting, a company that offers a free web hosting plan, to host the malicious pages. Most of these pages also abuse Telegram channels, both to receive stolen data and, in some cases, to bypass two-factor authentication (2FA).
We have also found more than 130 pages targeting Microsoft users, all of them in Spanish. In this blog post, we will show how this attack works and how to stay protected against this kind of phishing.
How it works
The diagram below illustrates how this attack works. A Telegram channel is used to receive the stolen username and password of banking or Microsoft 365 accounts. The channel is also used to bypass 2FA when enabled.
This is how it works:
- The main phishing page mimics the real website, which could be a financial institution or a Microsoft 365 login page;
- When the victim enters their credentials, they are automatically sent to the attacker’s Telegram channel;
- The attacker can then use this information to log in to the real website. When 2FA is enabled, the real website would automatically send or ask for the code from the user’s mobile device;
- The phishing page then asks the user for a 2FA code, which is also sent to the attacker’s Telegram channel when the victim enters it;
- With the stolen information, the attacker is able to successfully authenticate to the real website, allowing them to perform malicious transactions or access the victim’s personal email and data.
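For defenders, the two-step sequence above (credentials first, then the 2FA code) can leave a recognizable trace in web proxy logs. The following is an added detection sketch, not code from the original post. It assumes the phishing page relays data from the victim's browser to the Telegram Bot API (`api.telegram.org`), which the post does not specify, and the log format, hostnames and `<TOKEN>` placeholder are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log (timestamp, client, method, url, referer); not real traffic.
SAMPLE_LOG = """\
2024-01-10T14:02:11 10.0.0.5 GET https://login.phish-host.example/banco/index.html -
2024-01-10T14:02:40 10.0.0.5 POST https://api.telegram.org/bot<TOKEN>/sendMessage https://login.phish-host.example/banco/index.html
2024-01-10T14:03:25 10.0.0.5 POST https://api.telegram.org/bot<TOKEN>/sendMessage https://login.phish-host.example/banco/otp.html
2024-01-10T14:05:00 10.0.0.9 GET https://web.telegram.org/a/ -
2024-01-10T14:06:00 10.0.0.7 POST https://api.telegram.org/bot<TOKEN>/sendMessage https://status.shop.example/contact.html
"""

TELEGRAM_API = "api.telegram.org"
WINDOW = timedelta(minutes=10)  # assumed gap between password and 2FA submission


def is_telegram_site(host):
    return host == "telegram.org" or host.endswith(".telegram.org")


def find_telegram_relays(log_text):
    """Flag web pages that make a client's browser POST to the Telegram Bot API."""
    hits = defaultdict(list)  # (client, referring page host) -> POST times
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, referer = line.split()
        ref_host = urlsplit(referer).hostname  # None when the referer is "-"
        if method != "POST" or urlsplit(url).hostname != TELEGRAM_API:
            continue
        if ref_host is None or is_telegram_site(ref_host):
            continue  # no originating page, or Telegram's own web client
        hits[(client, ref_host)].append(datetime.fromisoformat(ts))
    findings = []
    for (client, ref_host), times in sorted(hits.items()):
        times.sort()
        # Two posts close together match the credentials-then-2FA-code sequence.
        two_stage = any(b - a <= WINDOW for a, b in zip(times, times[1:]))
        findings.append({"client": client, "page_host": ref_host,
                         "posts": len(times), "two_stage": two_stage})
    return findings


if __name__ == "__main__":
    for finding in find_telegram_relays(SAMPLE_LOG):
        print(finding)
```

A single POST is a weaker signal, since some legitimate sites use Telegram bots for contact forms; the paired posts from one page host are what match the flow described here.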
Example
The main page shows a fake login page of a financial institution, asking for the victim’s document number and password.