By Harsh Patel and Brandon Cook, Cofense Phishing Defense Center
In an era where online convenience has become the norm, the risk of identity theft through scam websites has surged. The potential for exploitation grows as more services transition to conducting business online. These sites pose a significant risk to personal security and undermine public trust in the digital infrastructure we have in place. A recent threat observed by the Cofense Phishing Defense Center aims to steal an individual’s identity by having them upload screenshots of various government identification documents and turn on their camera for facial recognition. Phishing attempts such as these pose significant risks to the individual and can have far-reaching effects on organizations or the people around them.
Figure 1: Email Body
In Figure 1 above, the user receives an email stating they need to verify their identity to continue using their account. Loss of features or access to services is a popular way to lure users into submitting information. Creating a sense of urgency, the email prompts recipients to click on the links and provide personal information under the guise of protecting their accounts. They may state that failure to verify identity within a specific timeframe could result in restricted access or account suspension/deletion. This tactic is designed to manipulate users into clicking on the link, often without taking a second to fully consider the legitimacy of the request.
Figure 2: CAPTCHA Page
Upon clicking the malicious link, the user is presented with a website [Figure 2] that is disguised as a CAPTCHA verification asking them to "select the images with cars to prove you are a human." At first glance, this might seem like a legitimate security check. This CAPTCHA-style page is less common, making it an interesting and deceptive tactic. CAPTCHA challenges are often used by legitimate sites to enhance security, so many users might drop their guard here, not realizing they are engaging with a malicious site. Additionally, the reassuring text at the bottom ("No need to fear—this is safe and secure") feels out of place and overly reassuring, which should raise some suspicion.
Figure 3: Country and Document Type
After moving past the CAPTCHA page, the user is redirected to a website that asks them to "verify your identity" [Figure 3]. This page prompts the user to select the country where their ID was issued and the type of document they plan to upload, such as a passport, driver’s license, or national ID. There are several indicators that this page is not legitimate. First, the URL is a major red flag. The domain (agrosolosap[.]com[.]br) is completely unrelated to identity verification or any official government or corporate service. Legitimate verification pages typically use trusted domains associated with financial institutions or government agencies. Additionally, the text is vague and lacks specific details about why the verification is needed, which further raises suspicion. Real identity verification systems are usually accompanied by clear explanations of their purpose and what users should expect.
Figure 4: Government ID Upload
Upon selecting a country and document type, the user encounters a page that once again asks them to "verify your identity," however, this time, it requests the user to upload a photo of their chosen ID type. The page prompts the user to select and upload the front side of their ID in one of several file formats. The design remains as simplistic as the previous pages, with a simple icon representing an ID and a button for file upload. Additionally, there is a lock icon at the bottom accompanied by text claiming that "Your data is processed securely," further attempting to convince the user that this is a safe and legitimate request.
Figure 5: Facial Recognition
On the final page of this harvesting attack, the user is met with a request for a "Selfie check," instructing them to "position their face in the circle." This step mimics biometric verification processes, which are becoming more common for identity verification. At the bottom of the page, there is a "Start Recording" button, suggesting that the user is about to engage in a live recording session to capture their facial image for verification. This tactic is highly unusual and not as common as more traditional scam attempts. The inclusion of a “Selfie check” and live video recording element is a more sophisticated tactic that takes advantage of users’ increasing familiarity with biometric verification systems. With the widespread use of biometric technologies like the iPhone's Face ID, the potential for copying or spoofing biometric data through malicious websites raises even greater concerns. AI technology magnifies the threat of facial data theft by providing criminals with advanced tools to manipulate and exploit stolen information.
The increasing sophistication of malicious websites that phish for government IDs and mimic facial verification poses a serious challenge to data privacy. These attacks undermine trust in digital verification processes and put millions of users at risk of identity theft. Recognizing red flags in emails, such as generic greetings, suspicious links, or grammatical errors, can help prevent identity theft and safeguard personal information in an increasingly digital world. To effectively mitigate the impact of such schemes, a combination of enhanced cybersecurity protocols, public education, and regulatory efforts is necessary to protect personal data.
Indicators of Compromise | IP |
hXXps://linktr[.]ee/verfyd | 151[.]101[.]130[.]133 151[.]101[.]194[.]133 151[.]101[.]2[.]133 151[.]101[.]66[.]133 |
hXXps://ingress[.]linktr[.]ee/uLZfGRmpj7 | 146[.]75[.]38[.]133 |
hXXps://cier[.]ge/ | 208[.]109[.]232[.]214 |
hxxps://agrosolosap[.]com[.]br/wp-includes/pomo/home/ | 108[.]179[.]253[.]64 |
All third-party trademarks referenced by Cofense, whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding the circumvention of end-point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog, are registered trademarks or trademarks of Cofense Inc.