Phishing Lab | Banking scams: one mail, a gold mine

RedSocks Security's new series brings you into a 24-hour investigation of phishing campaigns. This week, analysts from RedSocks Security have observed many banking scams. We have analyzed and researched these campaigns. Take a dive with us into the world of online banking fraud.


Investigation timeframe: Tuesday, September 14th 2pm – Wednesday, September 19th 10am

During this timeframe, 200 proven valid campaigns were analyzed; 80% of them related to bank scams, making bank scams the main trend of this lab.



The banking threat landscape

Banks have a long history of being criminals' top target. Not only do they hold traditional gold, a.k.a. money, they also keep a great deal of valuable customer data, from names and addresses to Social Security Numbers and banking information.

The threat landscape faced by financial institutions is rather large, and so is the attack surface. If criminals opt for a human entry point, two options are open to them: employees or customers. The former, as insiders, will allow them to gain access to the system, while the latter will allow them to gain access to personal information and perform transactions. Therefore, phishing has been a cost-effective way for threat actors to acquire personal data or money, or to deliver malware.

Major banking malware families include, for example, Dark Tequila, Carbanak and the Dridex banking trojan.

The level of threat faced by banks is heightened by the customer trust on which the industry depends.



Our analysis


  • The targets

Banks from all over the world are currently facing valid online scams. RedSocks Security analysts have noticed the following targets: Itau (Brazil), Itau Empresa (Brazil), CIBC (Canada), National Bank (Canada), Desjardins (Canada), La Banque Postale (France), Sparkasse (Germany), ABSA (South Africa), Santander (Spain), Chase (USA), Western Union (USA), American Express and PayPal (worldwide).


  • The URLs

Different trends have been spotted.

  1. Random URL:


This type of URL is supposedly less effective, as an alert user might detect the scam.

  2. Potentially compromised websites


The URL suggests that a legitimate website may have been compromised to host a malicious page.

  3. URLs similar to the legitimate website


These URLs are easy to detect as malicious; however, the fact that they contain keywords such as the name of the targeted company and/or basic page names such as “home”, “customer services” or “security center” might trick a user who recognizes familiar and trusted items.
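As an added defensive example (not code from RedSocks Security or the original post), the following Python sorts URLs seen in a mail into the three patterns described above, using the brand and page-name keywords the post mentions; the brand allowlist, lure words and sample URLs are constructed assumptions.

```python
from urllib.parse import urlparse

# Constructed allowlist: brand -> registrable domains treated as legitimate.
# Example values only; a real deployment would use the bank's published domains.
LEGIT_DOMAINS = {
    "chase": {"chase.com"},
    "paypal": {"paypal.com"},
    "santander": {"santander.com", "santander.es"},
}
# Familiar page names the post says lookalike URLs borrow to gain trust.
LURE_WORDS = ("home", "customer", "security", "login", "account")


def registrable_domain(host):
    """Naive registrable domain (last two labels); fine for .com/.net-style hosts."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url):
    """Map a URL to 'legitimate', 'lookalike', 'possibly-compromised-host' or 'random'.

    Returns (verdict, reason) so an analyst can see why a URL was flagged.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    reg = registrable_domain(host)
    for brand, domains in LEGIT_DOMAINS.items():
        if reg in domains:
            return "legitimate", f"{brand} registrable domain {reg}"
    keywords = (*LEGIT_DOMAINS, *LURE_WORDS)
    # Brand or page name in the host (including 'chase.com.something.example.net'
    # style subdomains) but not on the brand's own domain: a lookalike URL.
    host_hits = [w for w in keywords if w in host]
    if host_hits:
        return "lookalike", f"keywords {host_hits} in host {host} outside the brand domain"
    # Keywords only in the path of an unrelated host: consistent with a
    # legitimate site that was compromised to host the phishing page.
    path_hits = [w for w in keywords if w in path]
    if path_hits:
        return "possibly-compromised-host", f"keywords {path_hits} on unrelated host {reg}"
    return "random", f"no brand or page keywords on host {reg}"


if __name__ == "__main__":
    # Constructed sample URLs, one per pattern.
    for u in ("https://www.chase.com/personal/home",
              "http://chase.com.secure-center.example.net/home",
              "http://smallshop.example.org/wp-content/paypal/login.php",
              "http://a8f3kq.example.net/x/"):
        print(classify_url(u))
```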


  • The location 

The key trend noticed today is the fact that most actors seem to target a country other than the one they operate from.

Most of the locations spotted were Russia, the Netherlands, the USA and Mali.


  • The motives

The observations indicate the actors are looking for a large range of personal and payment data, such as:

  1. ID, passwords, PIN
  2. Social Security Numbers
  3. Address
  4. Card number, expiration date and CCV
  5. Security questions


[Image: phishing banking]

The information collected could allow scammers to make payments, cash out, and assemble a complete identity package with personal information. Indeed, most environments use the same security questions, so obtaining the answers can allow an attacker to easily hijack a profile or intrude into a network.

Some campaigns seem to only require a new policy agreement or a captcha click; the motive in this case could simply be malware delivery.


  • The execution

RedSocks Security labs have indexed different levels of quality in execution. The choice of URL, mentioned above, is one of them. Regarding design, while some pages were rough and simple, others were extremely close to the legitimate environments. See picture below.


[Image: Phishing site]



Most of the pages of above-average quality integrate privacy and security items.



A word of psychology

The study of decision-making and trust has shown how rationally and quickly the human brain tries to proceed. Therefore, the decision relies on a few familiar and trusted elements. In an unfamiliar environment, a user will unconsciously look for familiar details rather than for mistakes or warnings, which explains the success of these cheap and easy-to-build phishing campaigns.



Today's investigation shows how easy it seems for malicious actors to operate on such a large attack surface, populated by relatively gullible users. Once again, it proves the recurrence and cost-effectiveness of such attacks in serving different motives, whether gaining access to an internal environment, money or personal information.

Looking forward to our next 24-hour investigation?

Follow us on Social Media!
