
Phishing operators abuse bank APIs to improve phishing TTPs

Summary

True Login phishing kits are continuously being developed by threat actors to improve their TTPs for luring victims. With a true login kit, the phishing operator has a much higher chance of convincing a potential victim that they are logging into the real website. True login kit developers achieve this by abusing publicly reachable APIs of the targeted bank: the kit forwards the credentials the victim typed, queries the victim's real account information, and displays it on the phishing page, drawing the victim further into the operation.

Figure: Threat actors selling true login phishing kits

How It Works

In outline, the steps to obtain and develop a True Login phishing kit are:

  1. The threat actor hunts for publicly reachable APIs that return account information:
    • by reverse engineering the mobile banking APK file;
    • by analyzing the network traffic of the online banking system;
    • by other techniques not yet observed.
  2. Test the API to see what kind of information it returns.
  3. Integrate the API into an already developed phishing kit.

Once a phishing website using the true login kit is deployed, the following takes place:

  1. The threat actor sends phishing email/SMS to lure victims into clicking a link to the phishing website.
  2. When a victim enters credentials (sometimes with an OTP) into the phishing website, the kit's backend code forwards them to the bank's API and queries information with them. If the credentials belong to a real banking customer, the information returned can include:
    • Account name
    • Account profile picture
    • Account balance
    • Account number
    • Mobile number
    • Security information
    • PII (address, age, birthday, etc.)
  3. The phishing website shows this information to the victim, which further convinces the victim that the page is the real website.
  4. The victim can then be lured into entering more information into the phishing website.
  5. If the threat actor decides to call the victim, the information can be used to convince the victim that the caller really is from the bank.
  6. Some threat actors also use the information to decide whether to continue targeting the victim. For example, if the victim's account balance is lower than the threat actor's liking, the threat actor can decide to stop pursuing the victim.
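The flow above has a side effect the bank can see: because the kit's backend relays every victim's credentials, the bank's API receives logins for many different customers from one source address, usually from a client that is not the bank's own app. The following is an added detection example (not code from the Cyberint post or from any kit): it parses constructed API access-log lines and flags sources that authenticate as several distinct customers within a short window without presenting the genuine app's client string. The log format, the `MobileBank/` client marker, the window and the threshold are assumptions for illustration.

```python
"""Flag credential-proxying behaviour in bank API access logs.

Added example, not code from the Cyberint post. A true-login kit forwards
each victim's credentials from the kit's own backend, so the bank's API sees
many different customers authenticating from one source address, usually
without the client string the genuine mobile app sends. The log format,
field names, client marker and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (not real data):
# timestamp, source ip, endpoint, customer id, HTTP status, client string.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 /v1/auth/login cust1001 200 MobileBank/4.2 (Android)
2024-05-01T10:00:09Z 198.51.100.23 /v1/auth/login cust2044 200 python-requests/2.31
2024-05-01T10:00:15Z 198.51.100.23 /v1/profile cust2044 200 python-requests/2.31
2024-05-01T10:00:40Z 198.51.100.23 /v1/auth/login cust3190 401 python-requests/2.31
2024-05-01T10:01:02Z 198.51.100.23 /v1/auth/login cust4401 200 python-requests/2.31
2024-05-01T10:01:05Z 198.51.100.23 /v1/profile cust4401 200 python-requests/2.31
2024-05-01T10:01:30Z 198.51.100.23 /v1/auth/login cust5270 200 python-requests/2.31
2024-05-01T10:02:11Z 192.0.2.55 /v1/auth/login cust6012 200 MobileBank/4.2 (iOS)
2024-05-01T10:02:20Z 192.0.2.55 /v1/profile cust6012 200 MobileBank/4.2 (iOS)
"""

GENUINE_CLIENT_PREFIX = "MobileBank/"   # assumed marker of the bank's own app
WINDOW = timedelta(minutes=5)           # assumed tuning value
DISTINCT_CUSTOMER_THRESHOLD = 3         # assumed tuning value


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, endpoint, cust, status, client = line.split(" ", 5)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "endpoint": endpoint, "customer": cust,
            "status": int(status), "client": client,
        })
    return events


def find_proxy_sources(events):
    """Return {src_ip: sorted customer ids} for sources that authenticate as
    DISTINCT_CUSTOMER_THRESHOLD or more different customers inside WINDOW
    while at least one request in that window lacks the genuine app's client
    string. Failed logins count too: the kit relays whatever the victim typed."""
    logins = defaultdict(list)
    for e in events:
        if e["endpoint"] == "/v1/auth/login":
            logins[e["ip"]].append(e)
    flagged = {}
    for ip, evs in logins.items():
        evs.sort(key=lambda e: e["ts"])
        hits = set()
        start = 0
        # sliding window over this source's login events
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            customers = {e["customer"] for e in window}
            non_app = any(not e["client"].startswith(GENUINE_CLIENT_PREFIX)
                          for e in window)
            if len(customers) >= DISTINCT_CUSTOMER_THRESHOLD and non_app:
                hits |= customers
        if hits:
            flagged[ip] = sorted(hits)
    return flagged


if __name__ == "__main__":
    for ip, custs in find_proxy_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {len(custs)} distinct customers within {WINDOW}: {custs}")
```

On the constructed sample, only 198.51.100.23 is flagged: it logs in as four customers in under two minutes from a generic HTTP client, while the two genuine app sessions each touch a single customer. In production the client-string check should be replaced by whatever binds a request to the real app (app attestation, certificate pinning, device-bound tokens), since a kit can copy a user-agent string.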

Sample Code

Cyberint has obtained some True Login kits, and below are obfuscated code snippets showing kits abusing APIs.

Figure: Code snippet of a true login phishing kit connecting to an exposed API, possibly one used by a third-party vendor.
Figure: Code snippet of a true login phishing kit connecting to a server controlled by the threat actor that, in turn, likely connects to an open banking API.

Recommendations

Cyberint recommends running a security scan on the APIs used by mobile and online banking. Beyond scanning, the APIs should be hardened: authenticate and authorize every query, bind calls to the genuine app or browser session rather than to a username and password alone, withhold balance, profile and contact data until authentication (including any OTP step) has completed, and rate-limit and monitor sources that authenticate as many different customers.
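To make the recommendation concrete, here is an added example (not the post's code and not any bank's real API) contrasting a login endpoint that a true login kit can drive with a hardened version. The in-memory customer record, the HMAC-derived app token standing in for platform attestation, the per-source attempt limit and the masked pre-OTP response are all assumptions for illustration.

```python
"""Weak and hardened versions of a bank login endpoint.

Added example, not code from the Cyberint post or from any bank. The
customer store, the HMAC "app token" (a stand-in for real platform
attestation), the attempt limit and the response shapes are assumptions.
"""
import hashlib
import hmac
from collections import defaultdict

# Constructed customer record; a SHA-256 hex digest stands in for a real
# password store.
CUSTOMERS = {
    "jdoe": {"pw": hashlib.sha256(b"hunter2").hexdigest(), "name": "Jane Doe",
             "account": "1234567890", "balance": 15230.55, "mobile": "+15550100"},
}
APP_SECRET = b"assumed-server-side-secret"   # known only to attested app builds


def _password_ok(rec, password):
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(rec["pw"], digest)


def weak_login(username, password):
    """Returns the full profile on a password match alone. Any backend that
    relays a victim's credentials gets everything the kit wants to display."""
    rec = CUSTOMERS.get(username)
    if rec and _password_ok(rec, password):
        return {"name": rec["name"], "account": rec["account"],
                "balance": rec["balance"], "mobile": rec["mobile"]}
    return None


class HardenedLogin:
    MAX_ATTEMPTS_PER_SOURCE = 5   # assumed; a kit funnels many victims via one IP

    def __init__(self):
        self.attempts = defaultdict(int)

    @staticmethod
    def app_token(device_id):
        """Token the genuine app derives for its device (illustrative only;
        production systems use platform attestation, not a shared secret)."""
        return hmac.new(APP_SECRET, device_id.encode(), hashlib.sha256).hexdigest()

    def login(self, username, password, src_ip, device_id, token, otp_verified=False):
        """Refuses noisy sources and unattested clients, and withholds
        balance and contact data until the OTP step has been completed."""
        self.attempts[src_ip] += 1
        if self.attempts[src_ip] > self.MAX_ATTEMPTS_PER_SOURCE:
            return {"error": "rate_limited"}
        if not hmac.compare_digest(token, self.app_token(device_id)):
            return {"error": "client_not_attested"}
        rec = CUSTOMERS.get(username)
        if not rec or not _password_ok(rec, password):
            return {"error": "invalid_credentials"}
        if not otp_verified:
            # Minimal, masked view: enough for the real app's OTP screen,
            # not enough to make a phishing page look authentic.
            return {"name": rec["name"].split()[0],
                    "account": "******" + rec["account"][-4:],
                    "next": "otp"}
        return {"name": rec["name"], "account": rec["account"],
                "balance": rec["balance"], "mobile": rec["mobile"]}
```

The point of the masked pre-OTP response is that the kit only holds whatever the victim has typed so far; if the API reveals nothing a real customer could not already see on the OTP screen of the genuine app, the "true login" effect collapses even when the credentials are correct.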