Advanced Wells Fargo Phishing Campaign
Today I was rather surprised to receive the following text message:
+503 7525 3593> Today 12:26 PM
Your Wells Fargo OTP: 462587 If you didn’t do this, please visit https://s.id/myaccounts to regain. Reply STOP to ignore.
Now as a cybersecurity professional, I can already see (even without being a current Wells Fargo customer) that this is a phishing attempt. However, my curiousity got the best of me and I wanted to play this one out to see what intel it may yield. I have to say, I was quite impressed by this threat group’s efforts. Let’s examine…
First, the URL referenced above brings you to a CAPTCHA verification page. Because, of course, only the most reputable of sites will use CAPTCHA, right? (Note the tongue in cheek!)
Notice the domain name is use? Not exactly screaming “Wells Fargo” but the rest of the page looks legit to a typical person. Especially when they’re already in a panic to figure out what’s wrong with their bank account.
** Please note for the remainder of this piece, I’m presenting myself as an unsuspecting individual. (And excuse my choice of name and email address supplied.) I supplied my username and password as requested.
And because it seems like a legitimate Wells Fargo site, and they’re asking it of me, I enter my email address and password for my email account.
However, they didn’t like my bogus entry for email address. So, I used one from 10minemail.com and entered the minimum number of characters (4) for a password.
Now, I enter in my credit card details…
Along with my ATM pin of course! Why not? My bank needs to verify that it’s me, right?
Oh and because I was sad that I wasn’t asked to complete the “Personal Details” tab, they were kind enough to return me there so I could provide my name, social security number, date of birth, address and phone number.
They kindly thank me, before redirecting me back to the (real) Wells Fargo domain. But, (and this is a BIG but…) not before capturing all the data that I’ve entered for their malicious use or resale on the dark web.
Okay, enough sarcasim now. Had I been an average Wells Fargo customer, this type of SMSishing attack may have very well worked and all my personal and financial data compromised in the process.
Thankfully, however, before I could put this post up, Brave had already reacted with their content filtering capabilities in their browser. And, as of now the malicious URL has been taken down. However, as history has shown us time and time again, it won’t take long at all for these actors to spin up a new domain and continue their attack.
Be safe out there.
- Pay attention to URLs shown in your address bar and know that a padlock doesn’t mean that it’s not a malicious site. Bad actors can get a site certificate and use https connections too!
- If you’re in question - TYPE THE KNOWN-GOOD WEBSITE ADDRESS IN MANUALLY and then log in from there.
- Look for obvious misspellings or grammar mistakes that can indicate English is not the first language of the attacker.
- Remember that nobody is ever going to ask you for your email address and email password online other than your email hosting provider when you login.
- If it seems fishy, it probably is phishy.