Cyber-security researchers on Tuesday said that threat actors using fake Twitter accounts are impersonating banking entities to steal victims’ personal and payment information via Zoho Forms, a free online form builder from Zoho Corporation.

The threat intelligence team of AI-driven Singapore-headquartered CloudSEK discovered this phishing email campaign.

In this new campaign, said the researchers, the threat actors are misusing Zoho Forms to steal information from banking customers.

Whenever a customer tags the official banking customer care handle in a tweet, the fraudster pretends to assist them by providing a fake customer care number and an external shortened link that redirects to a Zoho Form service.

“The threat actor sets up a fake social media account (in this case, a Twitter account) with the brand logo as the profile picture. The fake account has a display name and username similar to the real account,” according to security researchers.

Using these accounts, the threat actor comments on the Twitter posts of the banking customers seeking assistance or raising issues.

The threat actor provides the customer with a fake customer care number and a shortened URL.

“The URL redirects the customer to a Zoho Form page which asks the user to input the following details: First and Last Name, Credit/Debit Card Number, Expiry Date, CVV, Available Balance,” the team noted.

Once submitted, the Personally Identifiable Information (PII) details are forwarded to the threat actor.

“We started investigating the mobile number used for contacting bank customers. Open-Source Intelligence (OSINT) performed on the number revealed that the number was also linked to a fake electricity bill payment scam. Several victims on different forums have flagged the same number,” said a CloudSEK researcher.

The researchers highlighted that threat actors could use the collected PII to launch successful social engineering attacks against the victim. Threat actors will gain sensitive banking information, which may lead to financial loss.

To stay safe from such attacks, it is advised to identify and report domains impersonating brand names and trademarks. Bank customers should always double-check the URL or Twitter handle, said the researchers.
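
The traits described above (a handle resembling the official one, a shortened URL, and a phone number in the reply) can be checked together by a brand-monitoring script. The following is an added example, not code from CloudSEK or the original article; the official handle, shortener list, similarity threshold and sample replies are all assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Assumptions (not from the article): handle, shortener list, threshold, sample replies.
OFFICIAL_HANDLE = "examplebank_care"                    # hypothetical official handle
SHORTENERS = {"bit.ly", "tinyurl.com", "cutt.ly", "is.gd"}
SIMILARITY_THRESHOLD = 0.8
URL_RE = re.compile(r"https?://([^/\s]+)", re.I)
PHONE_RE = re.compile(r"(?<!\d)\+?(?:\d[\s-]?){10,13}(?!\d)")
LOOKALIKES = str.maketrans("01l5", "oiis")              # fold 0/o, 1/l/i, 5/s together

def normalize(handle):
    return handle.lstrip("@").lower().translate(LOOKALIKES)

def handle_similarity(handle, official=OFFICIAL_HANDLE):
    """Similarity in [0, 1] between two handles after look-alike folding."""
    return SequenceMatcher(None, normalize(handle), normalize(official)).ratio()

def score_reply(reply, official=OFFICIAL_HANDLE):
    """Return which of the campaign's traits a reply shows."""
    hits = []
    author = reply["author"].lstrip("@").lower()
    if author != official and handle_similarity(author, official) >= SIMILARITY_THRESHOLD:
        hits.append("lookalike_handle")
    if {h.lower() for h in URL_RE.findall(reply["text"])} & SHORTENERS:
        hits.append("shortened_url")
    if PHONE_RE.search(reply["text"]):
        hits.append("phone_number")
    return hits

def is_suspicious(reply):
    """Flag an impersonating handle that also pushes a short link or a phone number."""
    hits = score_reply(reply)
    return "lookalike_handle" in hits and len(hits) >= 2

# Constructed sample replies to a customer's complaint tweet.
REPLIES = [
    {"author": "@examplebank_care",
     "text": "Sorry to hear that. Please DM us your reference number."},
    {"author": "@examp1ebank_cares",
     "text": "Call our helpline 98765 43210 or fill https://bit.ly/EXAMPLE"},
    {"author": "@random_user42",
     "text": "Same issue here, see https://tinyurl.com/EXAMPLE"},
]

if __name__ == "__main__":
    for r in REPLIES:
        print(r["author"], score_reply(r), "FLAG" if is_suspicious(r) else "ok")
```

Requiring the look-alike handle plus at least one other trait keeps ordinary users who share short links from being flagged.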