ESET, a pioneer in antivirus protection and a specialist in cybersecurity, has detected a number of emails impersonating two banks that operate in Spain, Ibercaja and Liberbank. The format of the message was similar in both cases: the logo of the impersonated bank and a message warning of a security problem with the recipient's account or card.
Ibercaja and Liberbank are the hooks of a campaign that impersonates the banks to gain access to users' accounts and cards
In the emails impersonating Ibercaja, for example, the recipient was told that their bank card would be suspended unless they resolved the problem by clicking on the link provided.
The emails impersonating Liberbank, for their part, referred to the deactivation of the recipient's account, which could be avoided by confirming their identity and authorising some supposedly pending payments through another link included in the email. An important detail is that both emails were sent from the same email address, belonging to a Belgian domain.
The use of the same sender address and of a similar template for the body of the message, together with how close in time the two campaigns were, are clear indications that the same people are behind them, something that can be confirmed by analysing the phishing websites set up to trick users into taking the bait.
Reviewing the fraudulent websites
The technique the criminals use to lure users to the prepared phishing sites is to get them to click on the link in the email. However, this link does not point directly to the malicious websites: it first leads to a randomly generated domain on the Clickfunnels service, which then redirects to a compromised website running the WordPress content management system and hosted on the EasyWP service.
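The redirect chain described above is the part of the campaign an analyst wants to record in full, and a normal HTTP client hides it by following redirects automatically. The script below is an added example (not ESET's code): it follows a link one hop at a time, records every intermediate host, and checks whether the chain actually ends on the bank's own domain. The hostnames, the chain of responses and the assumed legitimate domain (ibercaja.es) are constructed for the example; the live fetcher at the bottom is only meant to be run from an isolated analysis host.

```python
"""Follow a phishing link hop by hop without letting the HTTP client auto-redirect.

Added example (not ESET's code). The hostnames and responses below are
constructed to mirror the pattern in the article: email link -> random
funnel domain -> compromised WordPress site. ibercaja.es is assumed to be
the bank's legitimate domain.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10


def follow_chain(start_url, fetch, max_hops=MAX_HOPS):
    """Return [(url, status), ...] for every hop, ending at the final page.

    `fetch(url)` must perform ONE request and return (status_code, headers)
    without following redirects itself, so every intermediate domain is seen.
    Loops and over-long chains are cut off and reported as the last entry.
    """
    hops, seen, url = [], set(), start_url
    for _ in range(max_hops):
        if url in seen:
            hops.append((url, "loop"))
            return hops
        seen.add(url)
        status, headers = fetch(url)
        hops.append((url, status))
        if status not in REDIRECT_CODES:
            return hops
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if not location:
            return hops  # a 3xx without Location: nothing more to follow
        url = urljoin(url, location)  # Location may be relative
    hops.append((url, "max_hops"))
    return hops


def hosts_in_chain(hops):
    """Distinct hostnames in order of appearance: the infrastructure to report."""
    out = []
    for url, _ in hops:
        host = urlsplit(url).hostname
        if host and host not in out:
            out.append(host)
    return out


def lands_on(hops, legit_domains):
    """True only if the final hop is one of the bank's domains or a subdomain of it.

    The label boundary matters: 'ibercaja.es.evil.example' must not pass.
    """
    final_host = urlsplit(hops[-1][0]).hostname or ""
    return any(final_host == d or final_host.endswith("." + d) for d in legit_domains)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise HTTPError on 3xx instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=10):
    """Live fetcher: one HEAD request, redirects surfaced as (code, headers).

    Only run this against phishing URLs from an isolated analysis host.
    """
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


# Constructed responses standing in for the live servers (made-up hostnames):
# the funnel domain answers with a 302 to the compromised WordPress site.
FAKE_RESPONSES = {
    "https://random-funnel.example/seguridad":
        (302, {"Location": "https://compromised-blog.example/wp-content/uploads/ib/"}),
    "https://compromised-blog.example/wp-content/uploads/ib/":
        (200, {"Content-Type": "text/html"}),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, {}))


def analyse(start_url, fetch=fake_fetch, legit_domains=("ibercaja.es",)):
    hops = follow_chain(start_url, fetch)
    return {"hops": hops, "hosts": hosts_in_chain(hops), "lands_on_bank": lands_on(hops, legit_domains)}


if __name__ == "__main__":
    report = analyse("https://random-funnel.example/seguridad")
    for url, status in report["hops"]:
        print(status, url)
    print("hosts:", report["hosts"])
    print("ends on the bank's domain:", report["lands_on_bank"])
```

Swap `fake_fetch` for `http_fetch` to run it against a real link; the hop list is what goes into the incident record, and the intermediate hosts (the funnel domain and the compromised host) are the ones worth reporting for takedown.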
In the case of Ibercaja, the criminals use the bank's corporate colour and logo on a website that requests the identification code and password, to try to convince the user.
The same happens with the Liberbank phishing, where the victim is also redirected to a compromised website hosted on EasyWP that imitates the bank's corporate identity and asks for the username and password used to access online banking.
It should be noted that the two websites compromised by the criminals have a valid TLS certificate, which is why the padlock is displayed next to the URL. This can confuse some users into thinking that they are on a safe website when, in fact, the certificate only attests that the connection is encrypted to the host named in it, not that the website is legitimate or trustworthy.
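To make the padlock caveat concrete, the following added example (not ESET's code) separates the two questions a browser and a user should be asking: "is this certificate valid for the host I connected to?" (which is all the padlock means) and "is that host the bank's?" (which the padlock never checks). The certificate dictionary is constructed in the format that Python's `ssl.SSLSocket.getpeercert()` returns, the hostnames are made up, and ibercaja.es is assumed to be the bank's legitimate domain.

```python
"""Check whose certificate a site presents, not just whether it is valid.

Added example (not ESET's code). The certificate below is constructed in
the dictionary format returned by ssl.SSLSocket.getpeercert(); hostnames
are made up and ibercaja.es is assumed to be the bank's legitimate domain.
"""
import socket
import ssl


def dns_names(cert):
    """All DNS names the certificate covers (SAN entries first, then the CN)."""
    names = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and value.lower() not in names:
            names.append(value.lower())
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value.lower() not in names:
                names.append(value.lower())
    return names


def name_matches(pattern, host):
    """RFC 6125-style match: '*' may stand only for the whole leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and host.count(".") == pattern.count(".")
    return pattern == host


def cert_valid_for(cert, host):
    """What the browser checks before showing the padlock."""
    return any(name_matches(n, host) for n in dns_names(cert))


def under_domain(host, domain):
    """True for the domain itself or a real subdomain, enforcing the label boundary.

    'ibercaja.es.evil.example' and 'notibercaja.es' must both fail.
    """
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def assess(host, cert, legit_domains=("ibercaja.es",)):
    """Separate 'encrypted to this host' from 'this host is the bank'."""
    return {
        "padlock_shown": cert_valid_for(cert, host),
        "host_is_bank": any(under_domain(host, d) for d in legit_domains),
    }


def fetch_peer_cert(host, port=443, timeout=10):
    """Live variant: a verified TLS handshake, returning the peer certificate dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed certificate as a compromised WordPress site would present it:
# perfectly valid for its own hostname, so the browser shows the padlock.
PHISHING_SITE = "compromised-blog.example"
PHISHING_CERT = {
    "subject": ((("commonName", "compromised-blog.example"),),),
    "issuer": ((("organizationName", "Some Public CA"),),),
    "subjectAltName": (
        ("DNS", "compromised-blog.example"),
        ("DNS", "www.compromised-blog.example"),
    ),
    "notAfter": "Dec 31 23:59:59 2099 GMT",
}


if __name__ == "__main__":
    verdict = assess(PHISHING_SITE, PHISHING_CERT)
    print("certificate names:", dns_names(PHISHING_CERT))
    print("padlock shown:", verdict["padlock_shown"])
    print("host is the bank:", verdict["host_is_bank"])
```

The two answers for the phishing host are "padlock shown: True" and "host is the bank: False", which is exactly the gap the criminals rely on. Note that `under_domain` compares on label boundaries; a substring check such as `"ibercaja" in host` would also accept lookalike registrations.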
After the access credentials have been entered, the next thing the criminals ask for is the credit card data, with everything needed both to make purchases online and to pay in shops and withdraw cash from an ATM.
Different templates are used depending on the impersonated bank, made as credible as possible for the victims, including the logos of the impersonated entities and supposed links to other parts of the website that, in reality, lead nowhere.
Finally, and aware of the security measures that most banks have had in place for a long time, the last step is to request the security code that banks generally send to their customers when they attempt a transaction that involves moving money.
Here each impersonated bank has its own template for requesting this code, and it is very likely that a victim who has reached this point will enter it without hesitation. This allows money to be transferred from the victim's account to other accounts, usually controlled by money mules who then forward the stolen money to the criminals in exchange for a commission.
At this point it is worth noting that the templates seen on the fraudulent websites are very similar to others observed in previous phishing campaigns against Ibercaja and Liberbank. This may be clear evidence that the criminals are using a similar phishing kit, although this time they have not bothered to register domains similar to the original ones and have instead opted to compromise vulnerable websites.
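Recognising a reused kit across differently branded pages is easier when the branding is stripped away first. The added example below (not ESET's code, and not the templates seen in this campaign) fingerprints a page by its tag skeleton and form field names, so two pages that differ only in logo, colours and wording produce the same fingerprint, and it clusters a set of samples on structural similarity. The three HTML snippets are constructed for the example.

```python
"""Fingerprint phishing pages by structure to spot a reused kit across brandings.

Added example (not ESET's code). The three HTML snippets are constructed:
two share a skeleton and differ only in branding, the third is unrelated.
"""
import difflib
import hashlib
from html.parser import HTMLParser


class Skeleton(HTMLParser):
    """Keep tag structure and form field names; drop text, logos and colours."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.fields = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        attrs = dict(attrs)
        if tag in ("input", "select", "textarea") and attrs.get("name"):
            self.fields.append(attrs["name"].lower())

    def handle_endtag(self, tag):
        self.tags.append("/" + tag)


def skeleton(html):
    parser = Skeleton()
    parser.feed(html)
    parser.close()
    return parser.tags, parser.fields


def fingerprint(html):
    """Short hash of the tag skeleton; identical for pages built from one template."""
    tags, _ = skeleton(html)
    return hashlib.sha256(" ".join(tags).encode()).hexdigest()[:16]


def form_fields(html):
    """Field names the kit posts back; often stable across a kit's rebrandings."""
    return tuple(skeleton(html)[1])


def similarity(html_a, html_b):
    """Structural similarity in 0.0..1.0, tolerant of small template edits."""
    a, _ = skeleton(html_a)
    b, _ = skeleton(html_b)
    return difflib.SequenceMatcher(None, a, b).ratio()


def cluster(samples, threshold=0.9):
    """Greedy grouping: each page joins the first cluster it closely resembles."""
    clusters = []  # list of [names]; the first name is the representative
    for name, html in samples.items():
        for members in clusters:
            if similarity(samples[members[0]], html) >= threshold:
                members.append(name)
                break
        else:
            clusters.append([name])
    return clusters


# Constructed samples: same skeleton, different branding (made-up markup).
IBERCAJA_STYLE = """<html><head><title>Ibercaja - Acceso</title>
<style>body{background:#0a4}</style></head>
<body><div class="box"><img src="logo-ibercaja.png">
<form action="post.php" method="post">
<input name="usuario"><input name="clave" type="password">
<button>Entrar</button></form>
<a href="#">Ayuda</a><a href="#">Seguridad</a></div></body></html>"""

LIBERBANK_STYLE = """<html><head><title>Liberbank - Banca online</title>
<style>body{background:#c00}</style></head>
<body><div class="box"><img src="logo-liberbank.png">
<form action="post.php" method="post">
<input name="usuario"><input name="clave" type="password">
<button>Acceder</button></form>
<a href="#">Contacto</a><a href="#">Aviso legal</a></div></body></html>"""

UNRELATED = """<html><head><title>Blog</title></head>
<body><h1>Hello</h1><p>Just a post.</p><ul><li>a</li><li>b</li></ul></body></html>"""

SAMPLES = {"ibercaja": IBERCAJA_STYLE, "liberbank": LIBERBANK_STYLE, "other": UNRELATED}


if __name__ == "__main__":
    for name, html in SAMPLES.items():
        print(name, fingerprint(html), form_fields(html))
    print("ibercaja vs liberbank:", similarity(IBERCAJA_STYLE, LIBERBANK_STYLE))
    print("clusters:", cluster(SAMPLES))
```

The skeleton hash is exact, so it links pages produced from the same template file; the similarity score is what catches the kit after the operators have added or removed a banner. Field names such as the ones posted back to the kit's collector script are a second, independent signal worth recording.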