Oct 19, 2010 06:41 GMT

Security researchers from Symantec warn of a phishing campaign that promises free mobile credits in order to trick online banking users into exposing their credentials and phone numbers.

This particular attack targeted customers of an Italian bank, but it's a good indication of the various methods used by phishers to lure in their victims.

The phishing page was hosted on a domain that was a typo of the bank's real Web address, a technique known as typosquatting.
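Defenders commonly catch typosquatted domains of the kind described above by comparing newly seen domain names against the brand's legitimate domain with an edit-distance check. The following is an added example, not code from the article or from Symantec; the brand domain `examplebank.example` and the candidate list are constructed placeholders, since the article does not name the bank or the phishing domain, and the public-suffix handling is a deliberate simplification.

```python
"""Flag near-miss (typosquat) domains against a known brand domain.

Added illustration; the brand and candidate domains below are constructed
placeholders, not the ones involved in the campaign described in the article.
"""
from typing import List, Tuple


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum insertions, deletions and substitutions.

    A swapped pair of letters (a transposition) costs 2 under this metric,
    which is why the default threshold below is 2.
    """
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Return the label just left of the suffix (e.g. 'examplebank' for
    'login.examplebank.example').

    Simplification (assumption): the last label is treated as the TLD. Real
    deployments should resolve the registrable part via a public-suffix list.
    """
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def typosquat_candidates(brand: str, domains: List[str],
                         max_distance: int = 2) -> List[Tuple[str, int]]:
    """Return (domain, distance) pairs whose registrable label is within
    max_distance edits of the brand's label, closest first.

    The legitimate domain and its own subdomains have distance 0 and are
    skipped, so only look-alikes are reported.
    """
    brand_label = registrable_label(brand)
    hits: List[Tuple[str, int]] = []
    for d in domains:
        label = registrable_label(d)
        if label == brand_label:
            continue
        dist = levenshtein(brand_label, label)
        if dist <= max_distance:
            hits.append((d, dist))
    return sorted(hits, key=lambda t: t[1])


# Constructed sample feed, e.g. what a newly-registered-domain watch list
# might contain. None of these are real domains.
SAMPLE_DOMAINS = [
    "examplebank.example",        # the legitimate domain (constructed)
    "exanplebank.example",        # one substituted letter
    "examplebnak.example",        # two letters swapped
    "example-bank.example",       # inserted hyphen
    "exampleban.example",         # dropped letter
    "weather.example",            # unrelated, should not be flagged
    "login.examplebank.example",  # legitimate subdomain, skipped
]

if __name__ == "__main__":
    for domain, dist in typosquat_candidates("examplebank.example", SAMPLE_DOMAINS):
        print(f"{domain:28s} distance={dist}")
```

Running the block prints the four look-alikes with their distances; the legitimate domain, its subdomain and the unrelated name are not reported. Tune `max_distance` to the length of the brand label: a threshold of 2 is reasonable for an eleven-character label but will over-match for very short ones.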

The site claimed that if the users recharged their mobile credit through the bank system with 10 euros, they would receive an additional 40 euros as bonus.

That's a tempting offer and the attackers probably hoped that it would distract the victims enough for them to miss the fake domain name.

This attack is a double phishing attempt, because the users are first asked to log in to their account, which exposes their online banking credentials, and then they have to input their mobile phone numbers.

"The phishing page further requested a password of the customer’s mobile device in order to complete the transaction.

"After the password is entered, a message is displayed that the recharge will be delivered within 24 hours," writes Mathew Maniyara, a researcher at Symantec.

Unfortunately, Mr. Maniyara does not go into details about the nature of this password or how it would possibly be useful to the attackers.

It would make sense if it's a one-time password (OTP) generated by a mobile application supplied by the bank to its customers. Such codes are used as an additional security layer to authorize transactions and other operations.

With the wide adoption of multi-factor or multi-layered security systems by banks, fraudsters are finding it increasingly difficult to abuse stolen online banking credentials.

Even the infamous ZeuS banking trojan has recently been updated with a mobile component aimed at stealing banking security codes sent via SMS to users.