The long-running scam (SMS/social media phishing) has been detected and reported, but it is still raging due to efficient evasion techniques.

As you read this article, the SMS/Social-media phishing attack described herein is still active in Vietnam.

The phishing scheme involves the impersonation of 27 reputable banks and financial institutions in Vietnam to release rogue messages on SMS, Telegram, WhatsApp and Facebook to lure victims.

The fraudulent messages are disguised to look like official communications coming from real banks, marketplaces or e-commerce companies. Typically, the messages inform victims that they have been awarded a gift (claim date expiring soon) and need to log in to their banking portal to claim it. Some tactics used to boost success include:

  • the use of shortened URLs, which make it harder for casual users to judge whether a link is legitimate
  • the registration of fake web pages that mimic the original websites, complete with actual corporate logos
  • the use of realistic phishing pages disguised as those of the legitimate banking portal. Should the victims input their username and password, they are taken to a subsequent fake web page where a One Time Password (OTP) is requested. At this point, the fraudsters use the already stolen credentials to log in to the victims’ real accounts, which causes the bank to send the victims a genuine OTP. Once the victims submit the OTPs, the scammers even present victims with a message indicating that “the transaction is still processing”, to stall for time.
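As an added illustration that is not part of the original report, the following Python function screens an incoming message for the red flags this article names: urgency wording, shortened URLs and domains that imitate a bank's name without being under its real domain. The bank allowlist, the shortener list and the sample messages are constructed placeholders, not real institutions.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist of a bank's real domains (placeholders, not a real bank).
LEGIT_BANK_DOMAINS = {"examplebank.vn", "secure.examplebank.vn"}
# Constructed sample of public URL shorteners seen in lure messages.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
# Phrases that manufacture a sense of urgency (claim deadlines, "act now").
URGENCY_PATTERNS = [r"\bexpir(?:es|ing)\b", r"\btoday\b", r"\bimmediately\b",
                    r"\bwithin \d+ (?:hours|minutes)\b", r"\bclaim\b"]
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def hostname(url):
    """Lower-cased host part of a URL, empty string if unparsable."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def under_legit(host, legit):
    """True if host is one of the allowlisted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in legit)


def is_lookalike(host, legit):
    """True if host contains the bank's brand label but is not under its real domain."""
    if under_legit(host, legit):
        return False
    brand_labels = {d.split(".")[-2] for d in legit}  # e.g. "examplebank"
    return any(label in host for label in brand_labels)


def screen_message(text, legit=LEGIT_BANK_DOMAINS):
    """Return a sorted list of red flags found in the message text."""
    flags = set()
    if any(re.search(p, text, re.IGNORECASE) for p in URGENCY_PATTERNS):
        flags.add("urgency")
    for url in URL_RE.findall(text):
        host = hostname(url)
        if host in SHORTENER_DOMAINS:
            flags.add("shortened_url:" + host)
        elif is_lookalike(host, legit):
            flags.add("lookalike_domain:" + host)
        elif not under_legit(host, legit):
            flags.add("unknown_domain:" + host)
    return sorted(flags)


# Constructed sample messages modelled on the lure described above.
GIFT_LURE = "Congratulations! You have been awarded a gift. Claim it before it expires today: https://bit.ly/abc123"
LOOKALIKE_LURE = "Your examplebank account needs verification: http://examplebank-vn.com/login"
GENUINE_NOTICE = "Your statement is ready at https://secure.examplebank.vn/statements"
```

A message that trips more than one flag, as the gift lure does, is a stronger candidate for blocking or for warning the recipient than one that merely links to an unknown domain.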

Besides stealing bank funds, the attackers reap vast amounts of personal data, which can then be actively traded in the cybercriminal underground community for further targeted follow-up attacks.

To date, the campaign appears restricted to bank customers in Vietnam. In the meantime, users should note that communications from their financial institutions that seek to create a sense of urgency or intimidation are red flags. It is important to pay attention to the domain name of the URL in the browser and be wary of websites that appear to malfunction or create long chains of redirection.

Users should avoid purchasing from unauthorized resellers or clicking on links that offer discounts; they are likely fraudulent, and it is critically important to confirm the credibility of the source. Ascertain whether it is your financial institution’s official website, look for reviews, and call customer support if you are suspicious. Enabling two-factor authentication wherever possible and changing passwords from time to time are also good habits.

Scam campaign history

According to Group-IB, which released the above findings, as many as 240 interconnected domains had been set up since May 2019 for this scam. At least 7,800 potential victims are believed to have visited the 44 phishing resources tracked.

In reality, the overall number of visitors and affected users is believed to be significantly higher, taking into account the scale and duration of the fraudulent operations and the degree of sophistication in the methods used by the cybercriminals.

To date, all 240 domains have been blocked following discovery and reporting to the local authorities. Although those domains are now inactive, new domains are regularly added. Group-IB has noted that this is by design: the domains are intended to only be active for short periods of time, which complicates detection and takedown.