Today I faced quite an unusual SMS phishing campaign here in Brazil. A friend of mine received a SMS message supposedly sent from his bank asking him to update his registration data through the given URL. Otherwise, he could have his account blocked, as seen in Figure 1.
Figure 1 SMS message received
Telling you the truth, my friend doesnt have any account on the informed bank and, even so, we know that those kinds of message are hardly ever sent by banks and are, most of the time, related to malware propagation and information stealing. However, instead of discarding the message, we decided to give it a try and the results, as you are going to read in this diary, surprised us. This campaign involves no malware propagation – just creativity in favor of evil.
SMS Phishing analysis
The link in the message aims to take the victim to a fake and very simplistic mobile version of a well-known bank website. First, it asks for the CPF (a kind of social security card number) and a password, as seen in Figure 2.
Figure 2 Fake bank website asking for CPF and password
It is interesting noting that there is a data input validation. The user must obey to the CPF number composition rules otherwise he can width:580px” />
Figure 3 CPF validation rules
This kind of validation is certainly used to give a bit of legitimacy to the fake website and, perhaps, to do not overload crooks with much data-mining work.
In the next page, the fake website informs that the device used on that connection needs to be authorized, as seen in Figure 4.
Figure 4 Fake website: user must authorize the device
By clinking on Habilitar Aparelho which means enable device, a new page is shown asking for the victim to inform the 4-digit password, as seen in Figure 5.
Figure 5 Fake website asking for the 4-digit password
Again, there is a minimum validation to avoid the user trying very simple passwords like 1234 width:580px” />
Figure 6 4-digit password validation width:280px” />
Figure 7 Asking for the token card picture
By clicking on Finalizar Habilitao which means proceed with the device authorization, the victims smartphone will prompt the user to select a picture from its library or take a new one width:280px” />
Figure 8 Taking the token card picture
Once the victim ends up the whole process, including the token card picture, the criminals will have all the information needed to make fraudulent transactions on the compromised bank account and the user is forwarded to the real bank login page.
Using victims smartphone to take pictures to steal information or, who knows,things, scares me a little bit. I can explain. Earlier this month, reading Bruce Schneiers blog I saw a post entitled Now Its Easier than Ever to Steal Someones Keys  which says, The website key.me will make a duplicate key from a digital photo..
While writing this diary, I was reported about similar SMS Phishing campaigns targeting other banks costumers here in Brazil. Stay tuned.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.