Reactivation of the digital signature… Phishing against Brazilian Bank

A few days ago, we received an email addressed to customers of Santander bank, notifying users that their Electronic Signature had expired and could only be reactivated through the links in the message. To make the message even more alarming, it states that if you do not activate it, the bank will charge you for sending a new Signature.


After clicking on any of the links, a phishing site imitating the bank opened.

The real Brazilian Santander website looked like the one in the image below.



To “reactivate” the signature, the client must enter the CPF (Cadastro de Pessoas Físicas, Portuguese for Natural Persons Register), but the website displayed a message indicating that the user must first enter the bank agency and account number.


Fake data were used to probe whether the information was captured or stored by the website. Throughout the process, the user was asked for confidential data, which were processed by PHP scripts.

The first step was to provide valid agency and account numbers. The site displayed warnings when they were incorrect:


Subsequently, it asked for a username and an Internet password.


When the information was validated correctly, a site where the user could activate an “Online Security Card” was displayed.




The process continued with the validation of an ID number, generated from a matrix of 50 codes.


After providing a "valid" ID number, the site “processed” the information and then showed two messages:


The first mentioned that a message would be sent via SMS.


The second message was displayed after clicking on the button “RECEBI”:


The process ended after clicking on the button “Avancar” and the user’s information was handled by a script called validar159952.php.


Because of elaborate attacks like this one, users must be suspicious enough to avoid the theft of their information. When in doubt, the affected user should get in touch with the financial institution to clarify everything related to such emails.