Online Banking Customers Targeted by Sophisticated Social Engineering Scheme

Proofpoint researchers reported observing phishing attacks targeting Austrian banking customers since the beginning of 2017. These customers received emails that appeared to originate from their banks and contained a URL shortened with Bitly, a URL-shortening service and link management platform. The shortened URL resolved to a phishing site masquerading as the legitimate bank's website; to appear authentic, the phishing site's domain name included the bank's name. To log into the fraudulent site, customers were asked to enter their account numbers and associated PINs, followed by their email addresses and phone numbers. The site then prompted customers to download a mobile application to proceed. If customers installed the application, their mobile devices were infected with Marcher, a banking trojan that captures additional sensitive information by drawing overlays on top of legitimate applications already installed on the device.

This campaign is one of the few observed to use a multi-pronged approach to gather a range of sensitive information from victims, and it demonstrates a possible shift towards more sophisticated tactics as both technology and end users become increasingly capable of detecting phishing attempts. Although this threat is only believed to be targeting customers of Austrian banks at this time, the same tactics could easily be used against victims within the US.

The NJCCIC recommends that all mobile device users and online banking customers educate themselves on these types of social engineering tactics, download only trusted applications from official app stores, and refrain from downloading mobile applications from third-party sources. Additionally, we strongly recommend never using links provided in unsolicited emails to visit websites that require the input of account credentials. Users who have questions regarding the status of any of their online accounts should visit the associated websites by typing the legitimate address directly into the URL field of their web browsers.
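The two lure characteristics described above, a shortener link that hides the real destination and a domain that merely contains the bank's name, can both be checked mechanically before a message reaches a user. The script below is an added example and is not part of the NJCCIC advisory or Proofpoint's research; the bank domain `examplebank.at`, the brand keyword, the shortener list and the sample email bodies are all constructed for illustration. It extracts URLs from an email body, flags any that route through a shortener, and flags hostnames that contain the brand name but whose registrable domain is not one the bank owns (which also catches the subdomain trick `examplebank.at.evil.example`).

```python
import re
from urllib.parse import urlparse

# Constructed reference data (assumptions, not from the advisory): the bank's
# real registrable domain, the brand string a phisher would embed in a lookalike
# hostname, and shortener domains of the kind the advisory describes being abused.
LEGIT_BANK_DOMAINS = {"examplebank.at"}
BRAND_KEYWORDS = {"examplebank"}
SHORTENER_DOMAINS = {"bit.ly", "bitly.com", "j.mp"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def extract_urls(text):
    """Return every http(s) URL found in an email body, in order of appearance."""
    return URL_RE.findall(text)


def registrable_domain(host):
    """Naive registrable domain: the last two labels of the hostname.

    Sufficient for this demonstration; a production check should consult the
    Public Suffix List so that hosts under suffixes like 'co.uk' are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url):
    """Return the set of risk labels that apply to a single URL.

    'shortener'       - the link passes through a URL-shortening service, so
                        the reader cannot see the true destination.
    'brand_lookalike' - the bank's name appears somewhere in the hostname, but
                        the registrable domain is not one the bank owns.
    """
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    findings = set()
    if reg in SHORTENER_DOMAINS:
        findings.add("shortener")
    if reg not in LEGIT_BANK_DOMAINS and any(b in host for b in BRAND_KEYWORDS):
        findings.add("brand_lookalike")
    return findings


def scan_email(body):
    """Map each flagged URL in an email body to its risk labels."""
    result = {}
    for url in extract_urls(body):
        labels = classify_url(url)
        if labels:
            result[url] = labels
    return result


# Constructed sample messages (illustrative text, not real phishing content).
PHISH_SHORTENED = (
    "Dear customer, your account needs verification. "
    "Please continue at http://bit.ly/abc123 within 24 hours."
)
PHISH_LOOKALIKE = (
    "Security notice: confirm your PIN at "
    "https://examplebank-secure-login.example/verify"
)
LEGIT_NOTICE = "Statements are available at https://www.examplebank.at/statements"

if __name__ == "__main__":
    for name, body in [("shortened", PHISH_SHORTENED),
                       ("lookalike", PHISH_LOOKALIKE),
                       ("legit", LEGIT_NOTICE)]:
        print(name, scan_email(body))
```

A mail gateway would typically quarantine or rewrite any URL carrying either label and log the finding; the shortener check is deliberately kept separate from the lookalike check because a shortened link gives no hostname to inspect until it is resolved, which should happen in a sandbox rather than on the user's device.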