Email impersonating Santander Bank


UNAM-CERT received a notification reporting a possible identity theft campaign. The threat arrives by email, posing as a warning of possible fraud in a Telcel payment.




As you can see, the fraudulent site looks similar to the legitimate bank site; however, the address shown in the address bar is not that of the original site.





After entering "false" data, we are shown a screen that asks us to fill in a form. It requests fields that a legitimate bank would never ask for by any means, whether by phone, mail or its website.
No service, under any circumstances, would request the security code or PIN of our card; this is a clear sign that the site is dangerous.







In this picture we can see how the user is informed that their account has been unlocked. The attackers use this message so that the user does not notice anything wrong and does not alert the legitimate bank, which could lead to the card being locked.






Looking at the registration form, we can see that it is processed by another file, a PHP page. PHP pages are interpreted only by the server and not by the client, so we cannot see how the submitted variables are handled.
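Although the PHP handler's logic is hidden, the form's destination and the fields it requests are visible in the page source. The following added example (not part of the UNAM-CERT analysis) audits a saved copy of a page for forms that submit outside the bank's domain or ask for card secrets; the hosts `phish.example` and `bank.example`, the field names, and the hint list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: name fragments that suggest a card PIN or security code field.
SENSITIVE_HINTS = ("pin", "nip", "cvv", "cvc", "security")

# Constructed sample: a saved copy of a suspicious page and the URL it came from.
SAMPLE_URL = "http://phish.example/santander/index.html"
SAMPLE_HTML = """
<form method="post" action="procesa.php">
  <input name="usuario"><input name="tarjeta">
  <input name="nip" type="password"><input name="cvv" type="password"/>
</form>
"""

class FormCollector(HTMLParser):
    """Record each form's action attribute and the names of its fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._open = {"action": attrs.get("action") or "", "fields": []}
            self.forms.append(self._open)
        elif tag in ("input", "select", "textarea") and self._open is not None:
            self._open["fields"].append((attrs.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_forms(html, page_url, legit_domain):
    """Resolve where each form submits; flag off-domain or secret-collecting forms."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        target = urljoin(page_url, form["action"])  # empty action posts back to the page
        host = (urlparse(target).hostname or "").lower()
        on_legit = host == legit_domain or host.endswith("." + legit_domain)
        secrets = sorted(f for f in form["fields"] if any(h in f for h in SENSITIVE_HINTS))
        findings.append({"target": target, "on_legit_domain": on_legit,
                         "sensitive_fields": secrets,
                         "suspicious": (not on_legit) or bool(secrets)})
    return findings

if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_HTML, SAMPLE_URL, "bank.example"):
        print(finding)
```

The substring hints are a heuristic and can match unrelated field names, so a flagged form is a lead for manual review rather than a verdict.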



It is recommended not to access banking sites through links that arrive by email.