The crooks behind the scheme have set up a series of spoofed pages mimicking the bank's legitimate mobile online banking login site, and have even thought to use a similar URL (minus the HTTPS).
The first page asks for users' ID and password, the second one for their e-mail address and password, and the last one for a scanned image file of their government-issued ID.
Having provided all that, the victims are finally taken to a last, dead website, and by now they should be aware that they have just handed over some extremely sensitive information to unsavory individuals.
"This is an unprecedented level of phishing here, as not only does the cybercriminal get access to the victim’s bank account and email account, but they also get the victim’s identification card – which could be used for all sorts of scams and fraud involving identity theft," the researchers point out, adding that the copies of victims’ identification documents - IDs, passports, visas, etc. - are regularly sold on underground Russian forums.
They haven't said it, but my bet is that the links leading to the initial phishing page have been included in spam emails pretending to come from the bank, asking victims to "verify" their account or threatening its closure due to some imaginary transgression or hack.
As the number of bank customers accessing their online banking accounts via their mobile phones or apps continually rises, we are sure to see similar attacks even more frequently, targeting customers of a variety of banks, financial institutions and services used around the world.
"Users should verify first with the institutions involved (such as their bank) whenever encountering strange and unexpected procedures in their transactions," the researchers advise, adding that bookmarking frequently-visited websites is also a great idea, as it "eliminates the chance of being routed to a phishing website through typographical errors in the URL bar."
Finally, a mobile security solution capable of spotting and blocking phishing websites can also come in handy.