SMS Phishing Campaign Targets Brazilian Bank Customers

Renato Marinho, the Director of Research of a Brazilian security company called Morphus, identified a new phishing campaign in Brazil that targets bank customers via SMS messages.

Some bank customers in Brazil started getting SMS messages asking them to update their registration details through the given URL. Failure to do so would result in the blocking of the customers’ accounts, the message warned.

Once someone clicked on the link, a page would appear where they could enter their CPF (Brazil’s equivalent to a Social Security number) and a password. To ensure that people type their information correctly, the attackers wrote rules into their code that would only accept the correct CPF format. As a side effect, this validation process also served to increase the credibility of the page and the message itself.

Afterward, the next page asked users to authorize their devices with a PIN and then upload a picture of their analog token card, which contains all the second-factor authentication codes, as seen in the image below.

Once someone finalizes the whole process, the attackers will have access to all the login details they need to start making fraudulent transactions on the bank customers’ behalf. The customers are then also forwarded to their banks’ real login pages, which may leave some of them puzzled, as they had already entered their login details on the fake web pages.


Phishing attacks are not new, and although the ultimate responsibility lies with the users to verify that the messages they received actually come from their banks, in the real world not everyone ends up doing that. This is why it’s important for banks to use systems and tools that are resilient to such attacks by design.

In this case, the bank or banks in question also seem at least partly responsible for the attacks’ effectiveness because they gave their customers hardcoded two-factor authentication codes inscripted on their analog token cards. If the banks had delivered digital token devices with codes that disappear in 30 seconds, as other, more modern banks have done, the attackers wouldn’t have been able to exploit the system so easily via phishing techniques.