Snatching the Right Lottery Victim at the Right Time, Beware!


If you suddenly receive an Instagram DM from an account claiming to be a bank's customer service (CS) and informing you that you have won that bank's lottery, your first reaction will most likely be suspicion, and you become wary.

Why? First, you are not necessarily a customer of the bank, and second, even if you are a customer of the bank, you are not participating in the lottery.

So two conditions must be met for this sweepstakes phishing scam to succeed:

The victim is a customer of the bank concerned.

The victim is currently participating in the lottery at the bank.

So no matter how sophisticated the social engineering and phishing preparation is, it must also be aimed at the right victims at the right time.

It is a different story if the victim is a customer of the bank concerned and is participating in the lottery at the bank. The victim then has a soft spot: he hopes to win, and when he is told that he has won the lottery, the excitement of winning masks his awareness of the fraud that is taking place (see Figure 1).

Figure 1. Fraudsters posing as the CS of one of the banks DM their victims via Instagram.

This is especially so if the account sending the DM uses a forged bank logo as its profile picture, which is easily done by copy and paste.

The question, of course, is how fraudsters get the victim's contact. If this fraud were carried out at random, just finding customers of a certain bank who use Instagram would be very difficult, let alone finding customers of that bank who are participating in the lottery.

It would be like looking for a needle in a haystack. However, this was apparently facilitated, unknowingly, by the lottery operator, which asked the lottery participants at the bank to mention the bank lottery post.

It is as if the bank handed fraudsters a complete database of fraud targets, all of it visible in the comments column of the sweepstakes post.

Furthermore, if the victim is indeed deceived and follows the link given in Figure 1 above, he is connected to the WhatsApp number prepared by the fraudster, as in Figure 3 below. Again, the faked bank logo is used as the profile picture of the WhatsApp Business account.

Figure 3. WhatsApp number with a faked bank profile picture.

As a lottery participant contacted by the admin, you of course immediately want to know whether you won the lottery. The fraudsters have prepared for this with fraudulent sites.

Victims are directed via WhatsApp to click a URL shortener link, which leads to a prepared site that confirms the lottery win and then immediately sends them on to the prepared fake bank phishing site.

The purpose of fraudsters directing their victims to phishing sites is to find out the credentials of mobile banking users. According to Vaccicom's search, the site is hosted on with an address disguised as if it were from the bank in question. At the time this article was published, the link was deactivated and the site was closed by zyro.

Fraudsters get the mobile banking credentials from the phishing site prepared on zyro: when the victim logs in to a site that they think is the bank's site, that is when the victim's credentials are stolen.

The next crucial step is to obtain or change the PIN that authorizes the theft of funds from the victim's account, and this requires an OTP, which is sent only to the account holder's phone number via SMS. Once the fraudsters get the OTP, they immediately use it to replace the mobile banking PIN with a new one, which they then use to drain the victim's account.

The fraudsters then try to launder the funds by sending them to several digital wallet accounts, and from the digital wallets the funds are sent on to another account for withdrawal.

Lessons to be learned

From the experience above, as an internet banking and mobile banking user, you have to be careful with several things, such as:

Don't readily trust profile pictures on WhatsApp, Instagram, Facebook or other social media platforms, because they are easy to fake: just copy and paste.

Do not readily share your activities; this makes you a target for criminals who want to exploit your weaknesses.

Learn in detail the address of the digital bank website and application that you are using. Do not enter login and OTP information until you are sure the apps and sites you are using are genuine.

Never give out the OTP code for any reason, even if it is requested by a party claiming to be from the authorities, Customer Service or anyone else. The OTP is your own secret and is entered only on sites that you believe are legitimate. Misuse of the OTP through your own fault is the responsibility of the account holder.
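
The advice above about learning the bank's real address, written out as a check on a link received in a chat. This is an added example, not part of the original article; the names bank.example, short.example, sitebuilder.example and classify_link are placeholders assumed for illustration.

```python
from urllib.parse import urlsplit

# Placeholder names (assumptions, not from the article).
OFFICIAL_DOMAINS = {"bank.example"}   # the bank's real registered domain
SHORTENERS = {"short.example"}        # shorteners hide the real destination

def classify_link(url: str) -> str:
    """Classify a chat link as 'official', 'shortener' or 'untrusted'."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "untrusted"                    # malformed URL
    if parts.scheme != "https" or not parts.hostname:
        return "untrusted"                    # no TLS, or no host at all
    if parts.username is not None or parts.password is not None:
        return "untrusted"                    # https://bank.example@other.host/
    host = parts.hostname.rstrip(".")         # urlsplit already lowercases it
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return "untrusted"                    # lookalike (IDN) characters
    if host in SHORTENERS:
        return "shortener"                    # must be expanded before judging
    # Match whole labels from the right: the official domain must be the END
    # of the hostname, not merely appear somewhere inside it.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    return "untrusted"

# Constructed sample links (not real URLs from the incident).
CONSTRUCTED_LINKS = [
    "https://m.bank.example/login",
    "https://short.example/aB3x",
    "https://bank-example-lottery.sitebuilder.example/",
    "https://bank.example.sitebuilder.example/login",
    "https://bank.example@sitebuilder.example/login",
    "http://bank.example/login",
]

def classify_all(links=CONSTRUCTED_LINKS):
    return {link: classify_link(link) for link in links}

if __name__ == "__main__":
    for link, verdict in classify_all().items():
        print(f"{verdict:10} {link}")
```

A "shortener" verdict means the destination is still unknown: the expanded address has to pass the same check before any login or OTP is entered.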
