We recently found an interesting phishing kit on a compromised website that has QR code capabilities, as well as the ability to monitor the phishing page in real time. What our investigation revealed was that the attackers were using PIX, a new payment method created by the Brazilian Central Bank.
Features and context for PIX
PIX was created to replace the older Brazilian transfer methods TED and DOC. Its design makes transactions much cheaper and faster and allows transfers at any time of day, including weekends – something the deprecated methods did not support.
Marketed as simpler and faster than TED or DOC, PIX allows Brazilian users to pay for items by scanning a QR code. It also includes lower processing rates for merchants compared to traditional payment card methods.
To pay with PIX, the payer must either scan the recipient’s QR code or know the recipient’s PIX key, which can be their phone number, social security number, e-mail address or a randomly generated key.
Phishing Kit Details
The phishing kit targets Banco Itau Empresas customers (companies) who use Itaú Internet Banking.
This is important because these accounts come with additional security requirements, such as:
- Downloading the Itaú application on the computer, or the Guard 30 hours security application
- Unlocking / activating the application and the Itaú iToken
- Registering a six- to eight-digit electronic password, used when accessing the application, the website, or Itaú’s customer service phone lines
When targeting these types of accounts, the biggest hurdle for the attacker is that a special app must be installed and authenticated before logging in.
So how does the attacker convince the victim to enter their bank account information outside of the Guard 30 hours special security application?
To convince the victim, the attacker uses a fake diagnostic page that claims to check whether the victim has the Itaú application installed for secure access to their bank account. The page then alerts the victim that their Itaú application is out of date and should be updated to the latest version.
Once the victim clicks the blue Update button, they are redirected to a second page designed to mimic the legitimate bank login page.
Real-time attacker control capabilities
The most notable part of this phishing kit is that it grants the attacker real-time control over the actions of the phishing page. This is accomplished with PHP sessions: while the victim is on the page, it submits a request every five seconds to fetch its next action.
Naturally, there will be some delay between the victim entering sensitive data and the phishing page receiving its next action. To make this delay less suspicious, the phishing page displays the bank’s standard loading GIF, as if it were loading something; in reality, it is simply waiting for the attacker to tell it what to load next.
This is also reflected on the attacker’s phishing panel. The text AGUARDANDO (Portuguese for “waiting”) is displayed next to the victim’s IP address whenever the fake “carregando” (loading) screen is displayed in their browser:
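The fixed five-second polling is something a site owner can look for in their own web server access logs. The following is an added example written for this post, not code from the kit or from Sucuri: a Python heuristic that groups requests by client IP and path and flags pairs whose median inter-request gap matches the polling period. The sample log lines and the endpoint path /uploads/cache/itau/action.php are constructed for the example, not taken from the kit.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Apache combined-log regex: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Constructed sample traffic (not from the page): one client hits a hypothetical
# kit endpoint every five seconds for 40 seconds, mixed with ordinary requests.
BEACON_LINES = [
    f'203.0.113.5 - - [10/Mar/2021:14:02:{s:02d} +0000] '
    f'"POST /uploads/cache/itau/action.php HTTP/1.1" 200 48 "-" "Mozilla/5.0"'
    for s in range(0, 40, 5)
]
NOISE_LINES = [
    '203.0.113.5 - - [10/Mar/2021:14:01:50 +0000] "GET /uploads/cache/itau/index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2021:14:02:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2021:14:02:31 +0000] "GET /about/ HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
]
SAMPLE_LINES = NOISE_LINES + BEACON_LINES

def parse(line):
    """Return (ip, path, timestamp) for a combined-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m['ip'], m['path'], datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')

def find_beacons(lines, period=5.0, tolerance=1.0, min_hits=6):
    """Flag (ip, path) pairs whose median inter-request gap matches the kit's
    polling period; browsers do not re-request one PHP file on a fixed clock."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse(line)
        if parsed:
            hits[parsed[:2]].append(parsed[2])
    findings = []
    for (ip, path), times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if abs(median(gaps) - period) <= tolerance:
            findings.append({'ip': ip, 'path': path,
                             'hits': len(times), 'median_gap': median(gaps)})
    return findings
```

Run it against your real access log by reading lines from the file instead of SAMPLE_LINES; a flagged path that you did not deploy yourself is worth a closer look.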
Phishing behavior: login credentials
I have included a split screen GIF below to demonstrate the behavior and experience of both the victim and the attacker.
On the left browser, I am acting as the victim on the phishing page. On the right you can see the attacker’s point of view.
As seen in this GIF, the victim first enters their Banco Itaú login data (agência and conta corrente, the branch and checking account numbers), which are two separate numbers printed on their bank payment card.
Afterwards, the fake “carregando” (loading) page is shown to the victim, while on the attacker’s side the submitted agência and conta corrente are now visible. The attacker then instructs the phishing page to ask the victim for the Senha Eletrônica (electronic password).
Phishing behavior: passwords and QR codes
The Senha Eletrônica (electronic password) is a six-digit PIN-type password that allows access to, and authentication of, transactions on Itaú’s electronic channels (internet, mobile and telephone). In addition to this password, the kit allows the attacker to request other sensitive information, including the phone number, the iToken, the account owner’s name – as well as a QR code.
Unfortunately, the file responsible for generating the QR code – qrcode.php – had already been deleted, so we could not reproduce it entirely, but Itaú’s support page provides more context on its purpose:
I already have iToken on my mobile phone and want to unlock the Itaú app on my computer. How do I do that?
First, download the Itaú Empresas app on your computer and choose the app on your phone as the way to unlock it. Then click on “generate a QRCode”.
Now open the app on your phone and, without accessing your account, click on the “iToken” icon. Then go to the QRCode tab and point the phone’s camera at the code that has been generated on the computer. Your phone will display a six-digit code. Now just type these numbers into the computer and confirm. Ready! You can now use the application on your computer.
This feature essentially allows the attacker to use the stolen credentials to request a QR code from Itaú. Once the QR code is obtained, they can send it to the victim via the phishing kit for them to scan with the Itaú app on their phone. This generates a code that the victim types in and sends to the attacker, who can then enter it on Itaú’s legitimate website as if they were the owner of the account.
Phishing Panel Features
The attacker’s phishing panel contains all the options necessary to carry out this phishing attack, categorizing the stolen data by IP addresses.
The attacker has the option of allowing or blocking IP addresses, as well as submitting commands to the phishing page of selected victims via HTML buttons. For example, the Apelido button is used to request the victim’s nickname, and the Inicio button starts / resets the victim’s PHP session. If this button is not activated by the attacker, the victim’s page remains on the last action taken, even if they refresh it.
An HTML page reveals payment requests
In addition to the phishing kit, we also located a file named pagmentos.html which contained interesting information.
When clicked, the PagSeguro button opens a new tab with a shortened pag.ae URL (not a malicious website) used to send invoices requesting payment from others. This invoice requests payment of R$ 14,997.72 for online consulting and marketing services, approximately US$ 2,830.08 at the time of writing.
I don’t know if the attacker tricks the phishing victim into paying this bill or if they log into the victim’s bank account and pay that way. There was no code referencing this file, so it’s hard to say exactly how it was exploited.
What is certain, however, is that these types of phishing campaigns can have serious consequences for victims and website owners. Phishing is generally difficult to detect because malicious pages are often hidden deep in file directories. Unless you identify the exact URL of the malicious page, it can be difficult to determine if your site has been hacked.
One way to detect malicious behavior is to use Google Search Console, which can notify you about phishing and other security issues. File integrity monitoring and server-side scanners can also help identify indicators of compromise in your website environment.
If you think your website is hosting malicious content or phishing pages and you need a helping hand with the infection, we can help.