Warning: phishing attack targeting bank users in Vietnam
Group-IB, a company providing network security services, says it has just detected a large-scale phishing campaign impersonating 27 major financial institutions in Vietnam.
The campaign was launched in May 2019, when its first domain name was registered. The latest phishing domain name was activated on 1/6/2022.
Group-IB’s Computer Emergency Response Team (CERT-GIB) has identified approximately 240 affiliated domains within the infrastructure of the phishing campaign. On detecting the abnormal activity, CERT-GIB immediately notified the Vietnam Cyber Emergency Response Center (VNCERT/CC) under the Information Security Administration, Ministry of Information and Communications (TT&TT).
Currently, all detected domains have been blocked. However, new domains still appear regularly. The reason lies in the design of the infrastructure itself: domain names only work for a short time, which complicates their detection and removal. “For this reason, the actual number of domain names can be much higher,” commented Group-IB experts.
The infrastructure of the scammers. (Photo: Group-IB)
As for the method, the attackers use fake SMS, Telegram and WhatsApp messages, and even comments on the Facebook pages of legitimate Vietnamese financial services companies, to lure victims to fraudulent websites.
The phishing messages are disguised as official messages from banks, exchanges or e-commerce companies. For example, a text message informs the victim that they have been given a gift and need to log in to the bank’s page to receive it, and that this opportunity will expire soon, thereby putting pressure on the user to act.
One of the tactics of the campaigners is to use shortened URLs that make it impossible for the average user to distinguish the legitimacy of the URL.
Message sent by scammer
By clicking on those links, the victim is redirected to a fake website, either a standalone page or a page with a drop-down list from which the victim can choose the bank they are registered with.
When the victim selects a bank from the list, they are redirected to another scam page, which looks like the bank’s legitimate page. After the victim enters a username and password, they will be taken to the next fake website asking for a One-Time Password (OTP).
At this point, the scammers use the stolen credentials to log into the victim’s real account. After the victim receives the OTP from their bank (at the request of the scammers) and enters the code into the fake authentication page, the cybercriminals can gain full access to the victim’s bank account. With this information, they can also initiate illegal transactions.
After the victim “logs in” to the fake website, they will receive a message saying “the transaction is still in progress”.
This method of impersonation allows cybercriminals to steal funds from victims’ accounts and collect large amounts of personal data (such as names, addresses, national or citizen identification numbers, phone numbers, dates of birth and occupations). This information will be bought and sold again and again in the cybercriminal community, or sold to other bad actors for further attacks on the victim.
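A defender-side check for the shortened-link redirect chain described above, as an added example that is not from Group-IB or the original article: it follows a redirect chain and compares the final hostname against a bank's official domains. The domains, brand keyword and redirect table are constructed placeholders, and the table stands in for live HTTP redirects so the example runs offline.

```python
from urllib.parse import urlsplit

# Assumption: placeholder values; a real deployment would load the bank's published domains.
OFFICIAL_DOMAINS = {"examplebank.example"}
BRAND_KEYWORDS = {"examplebank"}
MAX_HOPS = 5

# Constructed redirect table standing in for HTTP 3xx Location headers.
CONSTRUCTED_REDIRECTS = {
    "https://short.example/a1": "https://gift-select.example/choose-bank",
    "https://gift-select.example/choose-bank": "https://examplebank-login.example/otp",
    "https://short.example/b2": "https://www.examplebank.example/promo",
    "https://short.example/c3": "https://short.example/c3",  # redirect loop
}

def host_of(url):
    """Lower-cased hostname without a trailing dot, or '' if the URL has none."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def is_official(host):
    """True only for an official domain or a subdomain of one (label-boundary match)."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def resolve_chain(url, redirects=CONSTRUCTED_REDIRECTS, max_hops=MAX_HOPS):
    """Follow redirects; returns (chain, complete). complete is False on a loop or hop limit."""
    chain = [url]
    while chain[-1] in redirects:
        nxt = redirects[chain[-1]]
        if nxt in chain or len(chain) > max_hops:
            return chain, False
        chain.append(nxt)
    return chain, True

def classify(url):
    """Label where a link finally lands: official, lookalike, unknown or unresolved."""
    chain, complete = resolve_chain(url)
    if not complete:
        return "unresolved"
    final = host_of(chain[-1])
    if is_official(final):
        return "official"
    if any(k in final for k in BRAND_KEYWORDS):
        return "lookalike"  # brand name appears, but the host is not the bank's domain
    return "unknown"

if __name__ == "__main__":
    for link in ("https://short.example/a1", "https://short.example/b2"):
        print(link, "->", classify(link))
```

The suffix match on a label boundary is what keeps a host such as `examplebank.example.evil.example` from passing as official.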
Source: vtv.vn, via Blogtuan.info