Security awareness

Protect your money: How to stop bank credential phishing

January 13, 2025 by Jeff Peters

Online banking is the norm today. Checking your balance and paying a bill online only takes a few clicks or taps. Your bank probably offers an app to make things even easier. But the technology designed to make your life easier also makes it easier for hackers. A new attack strategy is targeting banking apps and tricking you into handing over your login. It’s a variation of an attack called credential phishing. 

What is credential phishing? It’s a collection of techniques attackers use to steal users’ access credentials to sensitive sites and apps.


If hackers can get their hands on your credentials, they have multiple ways of turning them into money: 

  • Use your credentials to access your bank and transfer funds into an account they can access. 
  • Sell your credentials to another attacker who may try doing the same thing. 
  • Put them in a database of stolen access credentials. They then sell these to attackers who use them to execute brute force attacks, which involve guessing usernames and passwords until they get it right. 

Sometimes, attackers use Android update scams or iOS update scams to phish for users’ credentials, knowing it’s best practice for unsuspecting users to install updates regularly. This article will break down a recent FBI warning about the latest threats connected to credential phishing. 

In this episode of Hacker Headlines, Keatron Evans, VP of Portfolio Product and AI Strategy for Infosec, breaks down how hackers exploit progressive web apps to target users. 

How does credential phishing work? 

Picture this: You get a text message saying that your banking app is outdated, and you need to install a new version. You know that updating your software is important for security, so you download it. And that’s where the trouble begins. 

When you enter your credentials into the new app, you hand-deliver your banking information to a hacker. 

But how did they manage to get a malicious app onto your smartphone? After all, your phone has options to disallow third-party app installation. So, a random app from a random hacker should have been blocked. The trick here lies in the different types of apps. 

The role of PWAs in credential phishing 

Hackers are exploiting a type of app called a progressive web application (PWA). A PWA is an app built with web technologies like JavaScript. It’s essentially a website that’s bundled like an app. However, your banking app is likely a native app. That’s an app built in a specific language for a specific platform. For example, someone building an app for iOS may use Swift, which is a coding language intended for that platform. 

PWAs have their uses. They’re easier to code than native apps, making services available to people who may not otherwise have the latest smartphones. Giant sites like Uber, Pinterest and others offer PWA versions of their apps. Hackers can easily build PWAs that look like your real banking app. 

How attackers build PWAs 

Building a PWA is very straightforward, especially if the attacker uses AI. For example, they can prompt an AI-powered web app builder to “build a web app that looks like Fidelity’s website.” They can also upload a screenshot of the site they want to emulate. The app builder can either build the app for them or give them the code they need to copy and paste into a code editor, like VS Code or something similar. 

The attacker then only has to adjust the code until their fake web app looks exactly like the one they’re trying to copy. Next, they can use an online PWA creation service to transform the code into a full PWA. 

Some even buy ad space and create phony versions of banking sites, which prompt you to download their fake updates. And then that app steals your banking information. Fortunately, this attack is limited in scope so far. Also, there are things you can do to keep yourself safe. 

How to protect your money from credential phishing 

It’s relatively easy to avoid credential phishing attacks if you know what to look out for and what not to do. 

Avoid updating through a web browser or text message 

First, never click on update notifications from your web browser or a text message. It could be an attacker turning your app into a trap. If an app needs to update, the app itself will inform you of that. 

Some apps won’t let you run them until you install an update. Zoom, for instance, forces you to update your app before accessing its services when necessary. Other apps prompt you for an update right after you log in, making it optional. 

Avoid files from untrusted sources 

Second, be on the lookout for warning messages. Never install any file that’s labeled as being from an untrusted source. When you see a warning that indicates you may be accessing a file from an untrusted source, a few things may be happening: 

  • The site has an expired SSL/TLS certificate. This certificate ensures a secure information transaction between your browser and the website you’re connecting to. An expired certificate doesn’t protect your sensitive information. 
  • The certificate is invalid, self-signed or issued by an untrusted certificate authority (CA). A trusted certificate authority only issues a certificate after thoroughly researching the recipient and verifying the legitimacy of their organization. An invalid or self-signed certificate could be fake. And an expired one may have been stolen and sold to a hacker. 
  • The domain doesn’t match your intended destination. For instance, a hacker may be sending your web request to FidelityInvestmentServices.com, which would be a fake domain, instead of routing your request to the real site: Fidelity.com. 
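As an added illustration of the domain-mismatch and certificate warnings above (example code written for this article, not the author's or any bank's), the following Python checks a link's hostname against an assumed list of trusted bank domains and inspects a certificate dict of the shape `ssl.SSLSocket.getpeercert()` returns. `TRUSTED_BANK_DOMAINS`, the sample links and the sample certificate are constructed placeholders.

```python
import ssl
import time
from urllib.parse import urlsplit

# Constructed placeholder: the domains a user expects for their bank.
# A real checker would use the bank's own published domain list.
TRUSTED_BANK_DOMAINS = {"fidelity.com"}


def hostname_matches(hostname, trusted=TRUSTED_BANK_DOMAINS):
    """True only if hostname is a trusted domain or a subdomain of one.

    The match is anchored on the end of the hostname, so a lookalike such as
    fidelityinvestmentservices.com or a nested trick such as
    fidelity.com.example.net does not match.
    """
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def check_link(url, trusted=TRUSTED_BANK_DOMAINS):
    """Return a list of red flags for a link; an empty list means none found."""
    warnings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        warnings.append("not HTTPS: scheme=%r" % parts.scheme)
    if parts.username is not None:
        # https://fidelity.com@evil.example/ really connects to evil.example
        warnings.append("userinfo in URL hides the real host")
    host = parts.hostname or ""
    if not hostname_matches(host, trusted):
        warnings.append("host %r is not a trusted bank domain" % host)
    return warnings


def certificate_warnings(cert, now=None):
    """Flag an expired or self-signed certificate given a getpeercert() dict."""
    now = time.time() if now is None else now
    warnings = []
    # notAfter uses the OpenSSL text form, e.g. "Jan 13 00:00:00 2025 GMT"
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        warnings.append("certificate expired on " + cert["notAfter"])
    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    if subject and subject == issuer:
        warnings.append("certificate is self-signed")
    return warnings
```

The self-signed heuristic (subject equal to issuer) is a coarse check; a browser's full chain validation does far more, and these checks only reproduce the warning categories the list above describes.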

Only use official app stores 

Third, always use official app stores. Don’t trust downloads from Facebook ads, SMS messages, or any other social media. The links embedded in these ads could lead to a fake site designed to steal your credentials. 

It’s also possible for an attacker to make a button you click perform multiple functions. For example, it may direct you to the company’s official website, perhaps even to a page where you can download the latest version of its app. But it may also install a keylogger onto your device. A keylogger records your keystrokes, and hackers use them to capture the usernames and passwords you enter while accessing sensitive accounts. 


Teach employees how to avoid credential theft 

Hackers are always finding new ways to steal our money and account information. But by teaching your employees what credential theft looks like and how to avoid it, you can protect both their personal accounts and those of your business. Even though hackers have a variety of tricks and schemes, we’re here to help you stay a step ahead.  

Check out our Hacker Headline series to get the latest cybersecurity intel and protection techniques, and speak to someone at Infosec if you need additional security awareness training resources. 

Jeff Peters

Jeff Peters is a communications professional with more than a decade of experience creating cybersecurity-related content. As the Director of Content and Brand Marketing at Infosec, he oversees the Infosec Resources website, the Cyber Work Podcast and Cyber Work Hacks series, and a variety of other content aimed at answering security awareness and technical cybersecurity training questions. His focus is on developing materials to help cybersecurity practitioners and leaders improve their skills, level up their careers and build stronger teams.