Hackers Exploit Trusted Platforms to Steal Banking Credentials from Philippine Users
A sophisticated phishing campaign has been targeting banking customers in the Philippines since early 2024, leveraging trusted internet platforms to steal sensitive banking credentials and one-time passwords (OTPs). This operation, identified by Group-IB CERT researchers and tracked under the threat actor label PHISLES, has been active for over two years, affecting more than 400 individuals and impersonating at least three major Philippine banks.
Phishing Tactics and Execution
The attackers initiate their scheme by sending emails that appear to originate from legitimate sources, alerting recipients to unauthorized transactions or suspicious logins. These messages prompt users to click on links leading to counterfeit banking websites designed to harvest login credentials and OTPs. Once the information is obtained, the attackers swiftly withdraw funds from the victims’ accounts, often within minutes, as evidenced by social media posts from affected individuals.
Utilization of Compromised Email Accounts
A key factor in the campaign’s success is the use of compromised email accounts to distribute phishing messages. By employing real email addresses sourced from combolists—databases of stolen credentials traded on dark web forums and Telegram channels—the phishing emails gain an appearance of legitimacy. This tactic enables the messages to bypass spam filters and security measures, increasing the likelihood of deceiving recipients.
Exploitation of Trusted Platforms
To evade detection by Secure Email Gateways and other security tools, the attackers have adopted a strategy of routing victims through chains of reputable platforms before directing them to the fraudulent banking sites. This method ensures that all visible links appear legitimate, thereby reducing suspicion.
The platforms exploited in this campaign include:
– Google Business Profile Links: Utilized for their trusted domain reputation, making them less likely to be flagged by security systems.
– Google’s AMP CDN (cdn.ampproject.org): Employed to mask phishing URLs, presenting them as Google addresses.
– URL Shorteners (e.g., loom.ly, shorturl.at): Used to conceal suspicious destinations behind innocuous-looking links.
– Google Cloud Workstations: Leveraged to create temporary redirectors with valid SSL certificates, enhancing the credibility of the phishing sites.
– Cloudflare-Managed Domains (workers.dev and pages.dev): Exploited for their automatic HTTPS and global routing capabilities, allowing attackers to generate new subdomains rapidly when older ones are blocked.
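As an added example (not code from the original article or from Group-IB), the script below shows how a defender can triage a redirect chain of the kind described above: it unwraps Google AMP cache URLs to expose the origin they actually serve, tags each hop that lands on one of the intermediary platforms named in the article, and flags a chain whose final landing host is not an allowlisted bank domain. The hostnames `loom.ly`, `shorturl.at`, `cdn.ampproject.org`, `workers.dev` and `pages.dev` come from the article; the sample chain, the `bank.example` allowlist and the `secure-login-example.workers.dev` landing host are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Intermediary platforms named in the article (constructed mapping of
# host suffix -> category). Matching is by exact host or by subdomain.
REDIRECTOR_HOSTS = {
    "cdn.ampproject.org": "Google AMP cache",
    "loom.ly": "URL shortener",
    "shorturl.at": "URL shortener",
    "workers.dev": "Cloudflare Workers",
    "pages.dev": "Cloudflare Pages",
}


def _matches(host: str, suffix: str) -> bool:
    host = host.lower()
    return host == suffix or host.endswith("." + suffix)


def host_category(host: str):
    """Return the intermediary category for a host, or None if it is not one."""
    for suffix, label in REDIRECTOR_HOSTS.items():
        if _matches(host, suffix):
            return label
    return None


def unwrap_amp(url: str) -> str:
    """If url is an AMP cache URL (https://cdn.ampproject.org/c/s/<host>/<path>),
    return the origin URL it serves; otherwise return url unchanged.
    The '/s/' segment means the origin is HTTPS; without it, HTTP."""
    p = urlparse(url)
    if p.netloc.lower() != "cdn.ampproject.org":
        return url
    parts = p.path.split("/")          # ['', 'c', 's', '<host>', '<path>...']
    if len(parts) < 3 or parts[1] not in ("c", "v", "i", "r"):
        return url
    idx, scheme = 2, "http"
    if parts[idx] == "s":
        scheme, idx = "https", idx + 1
    if idx >= len(parts) or not parts[idx]:
        return url
    origin = f"{scheme}://{parts[idx]}/" + "/".join(parts[idx + 1:])
    return origin + ("?" + p.query if p.query else "")


@dataclass
class ChainVerdict:
    hops: int
    intermediaries: list = field(default_factory=list)  # (host, category) per hop
    final_host: str = ""
    suspicious: bool = False


def analyze_chain(chain, legitimate_hosts) -> ChainVerdict:
    """chain: the URLs a client visited in order (e.g. from proxy logs).
    A chain is flagged when it passes through at least one reputable
    intermediary and ends on a host outside the bank allowlist."""
    verdict = ChainVerdict(hops=len(chain))
    for url in chain:
        host = urlparse(url).netloc.lower()
        cat = host_category(host)
        if cat:
            verdict.intermediaries.append((host, cat))
    landing = unwrap_amp(chain[-1])    # expose the origin behind an AMP wrapper
    verdict.final_host = urlparse(landing).netloc.lower()
    legit = any(_matches(verdict.final_host, h) for h in legitimate_hosts)
    verdict.suspicious = bool(verdict.intermediaries) and not legit
    return verdict


# Constructed sample: shortener -> AMP cache -> Cloudflare Workers landing page.
CONSTRUCTED_CHAIN = [
    "https://loom.ly/abc123",
    "https://cdn.ampproject.org/c/s/secure-login-example.workers.dev/verify?acct=1",
]
BANK_ALLOWLIST = {"bank.example"}   # constructed placeholder for real bank domains

if __name__ == "__main__":
    v = analyze_chain(CONSTRUCTED_CHAIN, BANK_ALLOWLIST)
    print(f"hops={v.hops} final={v.final_host} suspicious={v.suspicious}")
    for host, cat in v.intermediaries:
        print(f"  via {host} ({cat})")
```

The allowlist check is deliberately the decisive signal: a chain that passes through a shortener but ends on a genuine bank domain is not flagged, while any chain that ends elsewhere after touching a reputable intermediary is, because the intermediaries themselves look clean to reputation-based filters.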
In a particularly alarming development, the attackers hijacked a legitimate Philippine educational institution’s domain to create hidden subdomains. These subdomains were used to host phishing pages, further enhancing the perceived legitimacy of the fraudulent sites.
Implications and Recommendations
The PHISLES campaign underscores the evolving tactics of cybercriminals who exploit trusted platforms to conduct phishing attacks. By leveraging reputable services, attackers can effectively bypass traditional security measures, making it imperative for individuals and organizations to remain vigilant.
To mitigate the risk of falling victim to such schemes, consider the following recommendations:
1. Verify Email Sources: Scrutinize unexpected emails, especially those requesting sensitive information or prompting urgent actions.
2. Avoid Clicking Suspicious Links: Hover over links to preview the URL before clicking. Be cautious of shortened URLs or links that redirect through multiple platforms.
3. Enable Multi-Factor Authentication (MFA): While MFA adds an extra layer of security, be aware that sophisticated phishing attacks may attempt to bypass it. Always verify the authenticity of requests for MFA codes.
4. Monitor Account Activity: Regularly review bank statements and account activities for unauthorized transactions.
5. Educate and Train: Stay informed about the latest phishing tactics and participate in cybersecurity awareness programs.
By adopting these practices, individuals can enhance their defenses against phishing attacks that exploit trusted platforms.