The first contact with and even though it was prepared with more care than the campaigns that normally circulate on the internet, it is still possible to see discrepant points and errors in Portuguese. The criminals bring a feeling of urgency to the victims, informing them that the access password will be suspended due to the non-updating of registration data and that, if the password is effectively blocked, sending a new password by mail will generate an alleged cost of .22 for the victims. So that such an inconvenience does not occur, criminals indicate the link to “update” the data and even leave a footnote stating that the online procedure is free and that the message was verified by two security mechanisms aiming to increase the credibility of the whole the process.
The discrepancies continue when we stop to observe the link provided in the message, which tries to simulate the Bank's website, but such a domain does not even exist. Hovering the mouse over the alleged address displayed in the message, it is possible executive list to observe that . Despite the fact that the domain, to which the victims are directed, has been active for over 150 days, its content appears to be just a “front”, as there are only images and opening hours of two stores that do not even have an address or means of contact. contact. Analyzing the link suggested by phishing, it is possible to observe that redirects are executed before the request reaches the malicious site, where the campaign is actually hosted.
We are directed to a website with a single warning message stating that the environment being accessed is secure. As soon as the victim clicks on the “Ok” button, the malicious site is in Full Screen mode , preventing its real address from being displayed, this action clearly aims to bring more credibility to the attack, since the structure of the site faithfully copies the page original from the bank. The first “update” data requested by criminals is the CPF and card password. After filling in the data, the victim is directed to a page similar to the internet banking access of the banking institution in which his web password is requested.