- Table of contents
The author
Highly motivated, problem solver, dot connector, energetic multi-dimensional & professional management with commercially oriented, customer service skills & PMO abilities in high-growth, fast-paced organizations.
Table of contents
Related Articles
Phishing operators abuse bank APIs to improve phishing TTPs
Summary
True Login phishing kits are continuously being developed by threat actors to improve their TTPs in luring victims. By using true login kits, the phishing operators have a higher chance of making potential victims believe they are logging into the real website. True login kit developers are abusing publicly available APIs of the banking company to be able to query login information to be shown to potential victims, in turn luring the victim even further into the operations.
How It Works
Theoretically, the steps to obtain and develop a True Login phishing kit are:
- 1. Threat actor hunts for publicly available APIs that can return login information
- By reverse engineering the mobile banking APK file.
- By analyzing the network traffic of the online banking system.
- Other unknown techniques
- Test the API to see what kind of information it returns.
- Integrate the API to an already developed phishing kit.
Upon deployment of a phishing website using the true login kit, the following steps will take place:
- Threat actor spams phishing email/SMS to lure victims to clicking a link to a phishing
website. - Upon a victim’s input of credentials (sometimes with OTP) to the phishing website
containing a true login phishing kit, the backend code of the website connects to the API to
query information using the credentials. (Example of information, below)- If the input credentials exist (real banking customer)
- Account name
- Account profile picture
- Account balance
- Account number
- Mobile number
- Security information
- PII (address, age, birthday, etc.)
- The phishing website will then show this information to the victim which in turn makes the victim believe the phishing website even more that it is the real website.
- Victim can be lured more into inputting more information to the phishing website.
- If the Threat Actor decides to call the victim, the information can be used by the TA into making the victim believe that he is really from the bank.
- Some Threat Actors also use the information to decide if they should continue to steal from the victim or not. E.g.: If the victim has an account balance lower than the TA’s liking, the TA
can decide to stop pursuing the victim.
Sample Code
Cyberint has obtained some True login kits and below are obfuscated code snippets that show kits
abusing APIs.
Recommendations
Cyberint recommends running a security scan on APIs that are used in mobile and online banking.
Furthermore, it is recommended to secure the APIs further by adding validation check to all the
queries and connection to the APIs.
