Heimdal encountered a live phishing campaign that seems to aim at Romanian telecom customers in particular. The phishing campaign bears similarities to a previous smishing campaign aimed at Romanian National Post customers.
Diving into details
The phishing scheme consists of SMS messages that contain TinyURLs, redirecting victims to a counterfeit version of the Posta Romana payment page.
The fraudulent page requests the victims to submit their credit card information to cover a tax related to changing a delivery address.
Multiple tests were conducted on the copied webpage, and the findings were inconsistent.
In the initial trial, after providing the requested information, the page would display a 403 error message.
On the second attempt, the page redirected to a blank page that did not show any signs of being linked to the official website.
Checks to be made
The entire attack quality highlights that it is an entry-level threat actor. The phishing page lacks form validation, enabling the submission of empty user information forms, while the credit card page has some field verification. The copied website only includes a functioning main page, not the entire original site. The JavaScript added by the attacker is not obfuscated and contains console.log lines.
The bottom line
Learning how to guard yourself against phishing and smishing attacks is the only way to go. Heimdal recommends avoiding opening suspicious emails or links, using order tracking features wherever available, and if you have a Posta Romana account, you can always log in and check the status of your order.