Nearly 4,000 IP addresses tied to customers of banks in North America and elsewhere have been targeted in a mobile phishing scam to steal login credentials, researchers said Friday.
Customers at big banks like Chase, the Royal Bank of Canada, and London-based HSBC are among the targets. The hackers are exploiting how accustomed users are to receiving text messages from their banks, said analysts at Lookout, a San Francisco-based security company.
“This appears to be a phishing kit that could be easily acquired or purchased from a third party, allowing even less tech-savvy persons to easily set up and operate their own phishing campaign,” Kristin Del Rosso, security intelligence engineer at Lookout, told CyberScoop.
It is unclear what the hackers are doing with any credentials they managed to steal. Crooks often cash in on pilfered credentials by selling them in underground forums. Lookout said it didn’t know if any money had been stolen from the targeted banks.
Lookout has not identified the perpetrator but has notified all of the victims of the activity.
Whoever is responsible is bombarding bank customers with SMS messages directing them to fake login pages where they are asked to cough up their credentials. The campaign began last June and continued through Jan. 22, with the number of victims spiking in late November and mid-January.
“It is unclear why it stopped but given the victim data exposed, it is likely it will surface again,” Del Rosso said in an email.
The attacker has been prolific: 200 phishing pages are involved in the campaign, Lookout said. They are using an automated SMS tool alongside the phishing kit, allowing them to craft their own messages and send them to as many phone numbers as they want.
CyberScoop is requesting comment from all of the banks named in the Lookout blog.