Cybercriminals targeted mobile banking users by sending malicious SMS messages to their smartphones as part of a phishing campaign to steal account holders' information, including usernames and passwords, according to the cybersecurity firm Lookout.
More than 3,900 mobile banking app users of several Canadian and American banks fell victim to the SMS phishing attacks, which started in June 2019 and apparently recently ended, researchers at Lookout say in their new report.
Those affected included customers of Scotiabank, CIBC Bank, RBC Royal Bank, UniBank, HSBC, Tangerine Bank, TD Bank, Meridian, Laurentian, Manulife, BNC National Bank and Chase, according to the report. The researchers notified the banks involved before publishing their report on Friday.
The attackers attempted to gain access to users' banking credentials, such as payment card numbers, usernames and passwords, as well as personal details, including dates of birth, according to Lookout.
Apurva Kumar, a staff security intelligence engineer at Lookout, tells Information Security Media Group that his firm does not have information on the specific accounts that were compromised or how the attackers may have tried to monetize the data that they collected.
The Lookout researchers note in their report that smartphone users are more susceptible to phishing attacks because the features, functionality and screen size of these devices make it more difficult to discern if the message is fraudulent or a website link is fake, according to the report.
SMS as Malicious Tool
The phishing campaign that the Lookout researchers describe in their report used malicious SMS messages to lure victims into clicking on links that would take them to fake login pages of banks. These fake sites mirrored the real mobile banking sites of these firms, including using the same layout and sizing, according to the report.
Once a targeted victim reached the fake site, they were asked to input their username, password and other details, which were then collected by the attackers, the researchers say.
Examples of fake mobile banks sites used in phishing campaign (Source: Lookout)
The attackers only targeted mobile users and spoofed the websites that were built specifically for smartphones, according to the report. With the increasing use of multifactor authentication, banks often send passwords to customers via SMS, which means customers are accustomed to receiving text messages from their banks, the report adds.
"Since mobile users are typically on the move and less likely to scrutinise the authenticity of an SMS message, text messages have become an attractive new attack vector," the researchers say.
The fake websites feigned legitimacy by taking the victims through a series of security questions, asking them to confirm their identity with the card's expiration date or double-checking the account number, according to the report. The pages also had links such as "Mobile Banking Security and Privacy" or "Activate Mobile Banking."
Lookout said it identified over 3,900 unique IP addresses of victims who clicked on a malicious link over a seven-month period.
Some victims clicked on the link but did not provide any information; some provided only a few details; while others entered all the details requested by the cybercriminals, according to the report.
The researchers found more than 200 phishing pages that were part of the campaign. One of the phishing links that the researchers studied had over 800 unique clicks, according to the report.
The researchers also discovered an "automated SMS tool" linked to the campaign that the attackers may have used to create unique messages to victims victims.