Since the end of 2019 there has been a change in bank phishing campaigns against Italian users who have introduced the combined use in a massive manner of methods until then used exclusively for targeted attacks, such as:
- Vishing (telephone phishing);
- Smishing (SMS with malicious content);
- Malware (malicious APK);
- Spoofing (Spoofing of the callerid or sender of the SMS);
- Ad Hoc Domains (Creating new domains similar in name to the original);
- Toll Free Numbers (Used to make communications more reliable).
It also changes the criminal figure that is no longer foreign but Italian. A fundamental figure for a social engineering attack that is no longer only spread through digital technology but also by phone, the knowledge of the mother tongue becomes useful to best trick the victim and lead it step by step to perform unwanted actions.
As a result, phishing campaigns have also grown rapidly, reaching more than 800 separate campaigns per week to Italian banks or financial services.
Phishing campaigns against Nexi
Since May 2022 we have identified a new criminal actor which target customers of Nexi SpA, the PayTech of digital payments in Italy, distinguishable from the creation of domains created Ad Hoc very faithful to the original (usually uses different TLDs but the domain uniquely contains the word “Nexi”, ex Nexi[.]shop, Nexi[.]club, etc) and a Phishing SMS full of information and details.
It is in fact unusual for a phisher to write a verbose text message in which could be multiple errors but also hope that the user reads the first words and click on the link immediately. In this case we have a message full of information and details:
NEXI: La tua utenza é stata disabilitata visto che non abbiamo ricevuto nessuna risposta alla nostra richiesta di verificare il tuo profilo online.
Per risolvere subito questo problema e per riabilitare l’uso della tua carta, ti preghiamo di effettuare subito l’aggiornamento dei dati online, altrimenti, la tua utenza verrà bloccata temporaneamente per accertamenti fiscali.
La verifica del tuo profilo può essere effettuata cliccando sul link sottostante:
Ci scusiamo per gli eventuali disagi creati .
Reparto Sicurezza Nexi
After clicking on the link, the victim is directed to a phishing portal that, step by step, requires him to:
- Email address of your Nexi account;
- Credit Card Details (PAN, Expiration and CVV).
Finally warn the user: “To re-enable the use of his card, click the button below to download the new security app.”.
Usually the user is then invited to download an APK from a third party that has the task of picking up SMS or Notifications, but being an App provided by an unofficial store the user must follow a non-standard procedure and sometimes he might understand that it is a malicious application.
Malicious App in official stores
Since May 2022 this criminal team has instead managed to get an application approved on the Google Play Store and on the Huawei AppGallery in order to make the installation much easier and give the user more confidence in its installation.
The application in the official stores, called PSD2 Protector or PSD2 Auth Protector, is intended as a tool to secure the user’s smartphone. Protecting the user from viruses, ransomware, malware and other online threats when making banking operation and online purchases.
After the installation the App requests access to the user’s notifications and to encourage the user to grant such permission shows the victim the following message:
“PSD2 Protector needs this permission to make payments smoother and to ensure that no third party access to the security code is made.”
Once this permission has been obtained, the application forwards to the criminals every notification that the user has received, from the text SMS, to the notification of the Banking Application, to the message on whatsapp, etc.
The intent is clearly to steal SMS or Authorization notifications containing OTP codes and then be able to arrange illicit payments on credit cards of victims.
Analysis of APK
Analyzing in more detail the application having as Package Name adv.roma.sll.app we find that by default requires the following permissions:
Then, as indicated above, prompts the user to access all notifications:
The communication between the application and the criminal takes place through MySQL using the Free MySQL Hosting service. Below is the function that will be called each time a new information must be communicated to the C2:
The App then informs the phisher C2 that a new application has been installed:
Should the user receive a new notification, the application will collect the content and send it to the C2 server:
The application is also prepared to send SMS and take screenshots even if currently these functions are not in use.
Indicators of Compromise (IoC)
- PSD2 Protector_3.0.apk
- MD5: 1ff39d2651c218009886339d213c8353
- SHA1: 6bbe80e056472b56fdb718aa815e25bd1f93b921
- SHA256: bd622ee1c8f06a6339e7d7a468ad4e52bead583c326b16d0a8dd1e6ad452e886
- PSD Auth Protector_3.0.apk
- MD5: 95d33595783ede50bd428a18823ca0a9
- SHA1: eb32d6ae8ef6d4f5c8c408d5b1556d9b89b8b514
- SHA256: 9b8a806dc3bf50984944140c502c02f87d5661927e8172da60b506e9b41ec2b5
- 01/06/2022: D3Lab alerted Google of the presence of a malicious application in their App Store;
- 01/06/2022: D3Lab alerted Huawei of the presence of a malicious application in their App Store;
- 02/06/2022: The application has been removed from the Google and Huawei App Store!