Poshmark Phishing – Fake Account Restriction & Card Harvesting

This set of screenshots shows a phishing campaign impersonating Poshmark, a popular online marketplace for second‑hand goods. The scam uses a fake “account restricted” notification and a fake support chat to pressure victims into providing full credit/debit card details, personal information, and contact details.


Threat Analysis:

How the scam works (multi‑step flow):

  1. Fake Account Restriction Page – The victim receives a link (via email, SMS, or social media) claiming their Poshmark account is restricted. The page shows a countdown or threat that the account will be deactivated within 24 hours. A “Verify” button is prominently displayed. A fake live chat window appears, with a “support agent” (e.g., “Amelia”) explaining that the victim must provide card details for verification.
  2. Card Details Harvesting Page – The victim is asked to enter card details and billing information, alongside fake assurances about encryption and GDPR compliance.
  3. Fake Order Summary & Submit Page – A final page shows an order summary (often with a small amount or zero) and a “Submit” button. The victim is told that completing this will “validate” their card and restore the account.

The goal:
The attacker collects:

  • Full credit/debit card details (number, expiry, CVV)
  • Personal information (full name, address, email, phone number)

With this data, the attacker can:

  • Make fraudulent online purchases
  • Clone the card or sell the information on criminal markets
  • Use the personal details for identity theft

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain like check0925.sbs, not poshmark.com. Legitimate Poshmark pages are only on official domains.
  • Request for CVV and full card details for “account verification”: Poshmark never asks for your card security code to verify or unblock an account.
  • Fake live chat support: The chat window is not a real support function – it is a scripted message designed to pressure victims. Legitimate customer support does not ask for card details via chat.
  • Threat of account restriction / 24‑hour deadline: Classic urgency and fear tactics.
  • Fake order summary and “Submit” button: There is no actual purchase; this is designed to mimic a checkout process and make the victim believe they are completing a legitimate transaction.
  • Copied branding: The pages use Poshmark’s logos, categories, and footer links, but these are stolen from the real site.
  • Warnings about scams on the page itself: Ironically, the page includes a generic warning about scams – this is copied text and does not make the page legitimate.

What to do if you encounter this:

  • Do not enter any personal or card information.
  • Do not interact with the fake chat or click any buttons.
  • If you are a Poshmark user, always log in directly by typing poshmark.com into your browser. Check your account status from the official dashboard.
  • If you have already entered card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • Report the phishing page to Poshmark’s security team and to the hosting provider.

Protective measures:

  • Never click links in unsolicited messages claiming your account is restricted.
  • Always type the official website URL directly into your browser.
  • Never provide your card CVV or expiration date for “account verification” – legitimate businesses do not need this information to confirm your identity.
  • Enable two‑factor authentication on your Poshmark account and email.
  • Be suspicious of any page with a live chat that immediately asks for card details – this is almost always a scam.
  • Check the URL carefully – look for misspellings, extra words, or unusual top‑level domains (.sbs, .top, .xyz).
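The “check the URL carefully” advice above can be turned into a small, repeatable check. The Python below is an added example (it is not code from the original alert or from Poshmark): it reduces a URL to its hostname, matches it from the right end against the brand’s official domain so that lookalikes such as a brand name used as a subdomain prefix are rejected, and flags the unusual top-level domains the alerts call out. The brand table is filled from the official domains this page names (poshmark.com, dao.dk, posti.fi); the sample URLs other than check0925.sbs are constructed.

```python
"""Decide whether a URL is really on a brand's official domain.

Added example, not from the original alert. OFFICIAL_DOMAINS holds the
official domains the alerts name; SUSPICIOUS_TLDS are the TLDs they single out.
"""
from urllib.parse import urlsplit

OFFICIAL_DOMAINS: dict[str, set[str]] = {
    "poshmark": {"poshmark.com"},
    "dao": {"dao.dk"},
    "posti": {"posti.fi"},
}

# Top-level domains the alerts describe as unusual for a retailer or courier.
SUSPICIOUS_TLDS = {"sbs", "top", "xyz", "tv", "th", "ws"}


def hostname_of(url: str) -> str:
    """Lower-cased hostname of a URL; a bare host without a scheme is accepted."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_official(host: str, official: set[str]) -> bool:
    """True only if host is an official domain or a proper subdomain of one.

    Matching from the right end defeats lookalikes such as
    poshmark.com.check0925.sbs, where the brand name is only a subdomain prefix.
    """
    return any(host == d or host.endswith("." + d) for d in official)


def assess_url(url: str, brand: str) -> dict:
    """Return the host, whether it is official, and the red flags raised."""
    host = hostname_of(url)
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    official = is_official(host, OFFICIAL_DOMAINS[brand])
    reasons = []
    if not official:
        reasons.append(f"{host} is not an official {brand} domain")
    if tld in SUSPICIOUS_TLDS:
        reasons.append(f"unusual top-level domain .{tld}")
    return {"host": host, "official": official, "reasons": reasons}


if __name__ == "__main__":
    # check0925.sbs is the domain named in the alert; the paths and the
    # lookalike host are constructed for illustration.
    for url, brand in [
        ("https://check0925.sbs/verify", "poshmark"),
        ("https://poshmark.com.check0925.sbs/verify", "poshmark"),
        ("https://poshmark.com/login", "poshmark"),
        ("https://www.dao.dk/track", "dao"),
    ]:
        print(url, "->", assess_url(url, brand))
```

The suffix match is the important part: a check that merely looks for the string “poshmark.com” anywhere in the URL would accept the lookalike host.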

dao (Danish Parcel Service) Phishing – Fake Delivery Failure & Address Update Scam

This phishing campaign impersonates dao, a Danish parcel delivery service. The scam uses a fake “delivery failed” notification to trick victims into providing personal information, which can later be used for identity theft or to redirect victims to a payment page where credit card details are stolen.

How it works:

  1. Fake Tracking Page – The victim receives an SMS or email with a link to a fake tracking page. The page displays a fake tracking number and a false status (e.g., “Delivery attempt failed”).
  2. Delivery Failure Notice – The victim is informed that the package could not be delivered because the address was unclear. A button or link (e.g., “Update Address”) is presented.
  3. Address Update Form – The victim is taken to a page that asks for personal details: first name, last name, street address, city, postal code, email, and phone number (with the Danish country code +45 pre‑filled).
  4. Potential Next Step (not fully shown) – After submitting the address, the victim may be redirected to a payment page requesting card details (e.g., a small “redelivery fee”). This is a common pattern.

The goal:
The attacker collects:

  • Full name, address, postal code, city
  • Email address and phone number

With this information, the attacker can:

  • Sell the data to other criminals
  • Use it for identity theft
  • Target the victim with follow‑up scams (e.g., fake bank calls)
  • If a payment page follows, also steal credit card details

Red flags to watch for:

  • Suspicious URL: The pages are hosted on domains that are not dao.dk or the official dao website. The visible fragments (e.g., 135.2.tv, 135.1.tv) suggest a subdomain or odd URL structure.
  • Unsolicited delivery failure notification: dao does not send links to update addresses via SMS or email. Legitimate delivery issues are handled through the official tracking system or by contacting customer service directly.
  • Fake tracking number: The tracking number (CP318587863DK) is fabricated and cannot be verified on the real dao website.
  • Request for personal information before delivery: A legitimate courier already has your address. They will not ask you to re‑enter it via a link in a message.
  • Generic design / copied content: The pages use dao’s branding, navigation menus, and help section links, but these are copied from the real site. The domain is the giveaway.

What to do if you encounter this:

  • Do not enter any personal information (name, address, email, phone).
  • If you have already entered such information, be aware that it may be used for identity theft or follow‑up scams.
  • If you were redirected to a card payment page and entered card details, contact your bank immediately to block your card.
  • Always track packages by typing the official courier URL directly (e.g., dao.dk) and entering your real tracking number.
  • Report the phishing page to dao’s customer service.

Protective measures:

  • Never click links in unsolicited delivery messages. Always go directly to the official courier website.
  • Never provide your address, email, or phone number in response to a delivery notification link.
  • Check the URL carefully: Official dao domains end with dao.dk. Look for misspellings, extra words, or unusual top‑level domains (e.g., .tv, .th).
  • Enable two‑factor authentication on your email and banking accounts.

🇩🇿 🇫🇷 Cross-Border B2B Fraud: The “Atoms.dev” Phishing Wave

HIGH RISK / SCAM

A sophisticated phishing campaign originated in Algeria, targeting the French business sector. Scammers used Google Share links to bypass email security filters, redirecting victims to a temporary Atoms.dev deployment. The site impersonated a fake Spanish trade entity, “Pro Lite Stock,” offering fraudulent import/export services for premium Algerian products.

Technical Breakdown

  • Vector: Google Share Redirects (share.google)
  • Hosting: Atoms.dev (Serverless Phishing)
  • Identity Theft: Fake Spanish entity “Pro Lite Stock” (Non-existent in Spanish Mercantil Registry).
  • Goal: B2B Credential Harvesting and Invoice Fraud.

Key Facts Table

  • Attacker Origin: Algeria (DZ)
  • Traffic Target: France (FR)
  • Infrastructure: Obfuscated deployment on atoms.dev
  • Status: Neutralized (Domain and IP Cluster Blacklisted)

🛡️ Expert Advice for French Businesses (Conseil aux Entreprises)

Scammers often impersonate European entities to gain trust. Before interacting with any “Trade Offer” or “Logistics Portal,” take these three steps:

  1. Verify NIF/CIF (Spain) or SIRET/SIREN (France): Any legitimate European company must display its official registration number. The “Pro Lite Stock” entity failed to provide a valid CIF (Código de Identificación Fiscal). You can verify Spanish companies for free via the Registro Mercantil Central.
  2. Inspect the Hosting Infrastructure: No established international trade firm hosts its official portal on developer subdomains like *.atoms.dev or *.vercel.app. These are red flags for temporary, throwaway infrastructure.
  3. Cross-Check the Domain History: Use tools like WHOIS to check the domain age. If a company claims to be a “Trusted Global Partner” but their website was created 14 days ago, it is 100% a scam.
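Steps 2 and 3 above can be scripted. The Python below is an added example, not a tool from the original post: it checks whether a hostname sits under one of the throwaway developer suffixes named in step 2, and parses the creation date out of a WHOIS record to compute domain age for step 3. SAMPLE_WHOIS is a constructed record (a real whois lookup is out of scope here), the hostnames in the demo are placeholders, and the 180‑day threshold is an assumed policy value; the text only gives 14 days as an example of a domain far too young to trust. One caveat the code encodes: for a site on a shared developer platform, WHOIS describes the platform’s apex domain, not the tenant, so the age check is skipped there rather than producing a misleadingly old age.

```python
"""Throwaway-hosting and domain-age checks for a claimed trade partner's site.

Added example, not from the original post. SAMPLE_WHOIS is constructed;
MIN_AGE_DAYS is an assumed policy threshold.
"""
import re
from datetime import date, datetime

# Developer hosting suffixes named in the advice above.
THROWAWAY_HOSTING = ("atoms.dev", "vercel.app", "github.io")
MIN_AGE_DAYS = 180

SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-TRADE-PORTAL.INVALID
Registrar: Example Registrar, S.L.
Creation Date: 2025-01-20T09:14:02Z
Updated Date: 2025-01-20T09:14:02Z
Registry Expiry Date: 2026-01-20T09:14:02Z
"""


def on_throwaway_hosting(host: str) -> bool:
    """True if host is, or is under, one of the developer hosting suffixes."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in THROWAWAY_HOSTING)


def parse_creation_date(whois_text: str):
    """Find the registration date in WHOIS output.

    Registrars differ in label and date format, so a few common variants
    are accepted; None is returned when nothing parses.
    """
    m = re.search(
        r"^\s*(?:Creation Date|Created(?: On)?|Registered On|Registration Date):\s*(\S+)",
        whois_text,
        re.IGNORECASE | re.MULTILINE,
    )
    if not m:
        return None
    raw = m.group(1)
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S", "%Y-%m-%d", "%d-%b-%Y"):
        try:
            return datetime.strptime(raw, fmt).date()
        except ValueError:
            continue
    return None


def domain_age_days(whois_text: str, today: date):
    """Age of the domain in days as of `today`, or None if unknown."""
    created = parse_creation_date(whois_text)
    return None if created is None else (today - created).days


def assess_partner_site(host: str, whois_text: str, today: date) -> dict:
    """Combine both checks into a list of reasons to distrust the site."""
    reasons = []
    if on_throwaway_hosting(host):
        # WHOIS for a shared platform describes the platform, not the tenant,
        # so the age check would be meaningless here.
        reasons.append(f"{host} is hosted on a throwaway developer subdomain")
        return {"age_days": None, "reasons": reasons}
    age = domain_age_days(whois_text, today)
    if age is None:
        reasons.append("no creation date found in WHOIS record")
    elif age < MIN_AGE_DAYS:
        reasons.append(f"domain registered only {age} days ago")
    return {"age_days": age, "reasons": reasons}


if __name__ == "__main__":
    # Placeholder hosts; the second one is the domain in SAMPLE_WHOIS.
    print(assess_partner_site("example-portal.atoms.dev", SAMPLE_WHOIS, date(2025, 2, 3)))
    print(assess_partner_site("example-trade-portal.invalid", SAMPLE_WHOIS, date(2025, 2, 3)))
```

Run against a real record, `today` would be `date.today()`; it is a parameter here so the result is reproducible.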


Case Study: Intercontinental Crypto-Scam Uncovered

Our system just neutralized a sophisticated Pump & Dump scheme targeting the Singaporean market using North African infrastructure.
The Technical Anatomy of the Attack:

  • Target Audience: Users in Singapore 🇸🇬.
  • Traffic Vector: Paid advertisements on TikTok.
  • Infrastructure: Managed from Morocco 🇲🇦 (IP cluster 154.144.253.x).

Deep Dive into TikTok Ads Metadata:
Our engine intercepted the link containing specific tracking parameters used by professional fraud-arbitrageurs:

  • utm_source=tiktok & utm_medium=paid: Confirmed high-budget bypass of organic content filters.
  • utm_id=CAMPAIGN_ID: A dynamic macro used in TikTok Ads Manager, indicating a template-based, scalable attack.
  • utm_campaign=CAMPAIGN_NAME: Evidence of an automated “industrial” approach to scam distribution.
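The metadata reading above can be reproduced with a few lines of parsing. The Python below is an added example and is not the Antiphishing.biz engine: it extracts the utm_* parameters from a landing link and flags values that are still literal ALL_CAPS template macros such as CAMPAIGN_ID, which is what marks a link as copied from an ad template rather than served through the platform. The sample URL is constructed (host and path are placeholders; only the utm_* values come from the list above), and the macro pattern is an assumed heuristic, since exact macro syntax varies between ad platforms.

```python
"""Extract utm_* tracking parameters from an ad landing link and flag
template macros the ad platform never expanded.

Added example, not the original post's tooling. SAMPLE_AD_URL is constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

SAMPLE_AD_URL = (
    "https://landing.example.invalid/offer"
    "?utm_source=tiktok&utm_medium=paid"
    "&utm_id=CAMPAIGN_ID&utm_campaign=CAMPAIGN_NAME"
)

# Ad platforms substitute macros such as CAMPAIGN_ID at click time. A literal
# ALL_CAPS token (optionally wrapped in braces) in the final link means the
# template was reused without the platform filling it in. Assumed heuristic.
MACRO_TOKEN = re.compile(r"^\{{0,2}[A-Z][A-Z0-9_]+\}{0,2}$")


def extract_utm(url: str) -> dict:
    """Return utm_* parameters as a flat dict (first value wins)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in params.items() if k.startswith("utm_")}


def analyse_tracking(url: str) -> dict:
    """Summarise what the tracking parameters say about how the link was spread."""
    utm = extract_utm(url)
    findings = []
    if utm.get("utm_source"):
        findings.append(f"traffic source declared as {utm['utm_source']}")
    if utm.get("utm_medium") == "paid":
        findings.append("paid placement (utm_medium=paid)")
    unexpanded = sorted(k for k, v in utm.items() if MACRO_TOKEN.match(v))
    if unexpanded:
        findings.append("unexpanded ad macros: " + ", ".join(unexpanded))
    return {"utm": utm, "unexpanded_macros": unexpanded, "findings": findings}


if __name__ == "__main__":
    for line in analyse_tracking(SAMPLE_AD_URL)["findings"]:
        print("-", line)
```

Lower-case or numeric values (a real campaign id, for instance) do not match the macro pattern, so a properly served ad link produces no “unexpanded” finding.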

The Fraud Mechanism:
Scammers use paid TikTok ads to target affluent regions (Singapore) with “get-rich-quick” narratives. The traffic is funneled to a private Telegram channel “Better Call Ton”, where organizers manipulate TON-based memecoins. Our Covariance Matrix flagged the 10/10 risk score due to the extreme geographical mismatch and the use of automated advertising macros to promote market manipulation.
The Verdict:
The link is Permanently Blocked. The author’s IP is Blacklisted.
By analyzing metadata patterns, Antiphishing.biz stops fraudulent campaigns before they reach their peak.

#CyberSecurity #TikTokAds #MarTech #CryptoScam #TON #Antiphishing

GitHub Pages Abused for French Banking Fraud

🛡️ Phishing Alert: The “Agency Complaint Matrix” Trap

Target: Customers and Employees of French Banking Groups (Crédit Agricole)

Our AI-engine, Miniban, has detected a highly sophisticated spear-phishing campaign hosted on GitHub Pages. This attack mimics internal banking tools to bypass standard security filters and steal sensitive financial data.

1. The “Trusted Host” Camouflage

Scammers are using the domain github.io to host their landing pages.

  • The Deception: Because GitHub is a legitimate platform used by developers worldwide, many corporate firewalls do not block these links by default.
  • The Tactic: The URL lumialous.github.io/matrice_reclamations_agences/ is designed to look like a professional internal resource for handling “Agency Complaints” (Réclamations Agences).

2. How the Attack Works (The “Complaint” Hook)

Unlike common phishing that offers “prizes,” this campaign uses negative social engineering.

  • The Hook: Victims are contacted via SMS or Email regarding a “filed complaint” or a “security issue” with their account.
  • The Trap: Users are directed to this fake “Matrix” page to “verify” their identity or “cancel” a fraudulent transaction.
  • The Theft: The page features a perfect clone of the bank’s login interface. Once you enter your credentials, attackers gain full access to your online banking, including the ability to intercept 3-D Secure codes.

3. Why it is Sophisticated

This is part of a Multi-Stage Attack. We have linked this specific GitHub page to recent fraudulent activity involving high-risk 3DS relay intercepts. By using terms like “Matrice” and “Réclamations,” scammers target the victim’s sense of urgency and professional duty.

🚩 How to Protect Yourself:

  • Check the Domain: A real bank will never host its login or complaint forms on github.io, vercel.app, or other free hosting providers. Official banking services only operate on their verified private domains (e.g., credit-agricole.fr).
  • Verify the Source: If you receive a link about a “complaint” you didn’t file, do not click it. Log in to your bank’s official app or website directly.
  • Look for SSL Details: While the site may have a green lock (HTTPS), clicking it will show the certificate belongs to “GitHub, Inc.,” not your bank.

Technical Analysis for Pros:

  • Incident ID: PH-FR-8842
  • Threat Type: Credential Harvesting / Spear Phishing
  • Platform Abuse: GitHub Pages
  • Miniban Risk Score: 10/10 (Critical)

___________________________________

🛡️ Phishing Alert: The “Complaints Matrix” (Matrice de Réclamations) Trap

Target: Customers and employees of French banking groups (Crédit Agricole)

Our artificial intelligence engine, Miniban, has detected a sophisticated phishing campaign hosted on GitHub Pages. This attack imitates internal banking management tools to bypass standard security filters and steal sensitive financial data.

1. Camouflage on a trusted host

The scammers use the github.io domain to host their landing pages.

  • The deception: Since GitHub is a legitimate platform used by developers worldwide, many corporate firewalls do not block these links by default.
  • The tactic: The URL matrice_reclamations_agences is designed to look like an internal professional resource dedicated to handling “Réclamations Agences” (agency complaints).

2. How the attack works (the “Complaint” bait)

Unlike classic phishing that promises “gifts”, this campaign uses social engineering based on urgency.

  • The hook: Victims are contacted by SMS or e-mail about a “filed complaint” or a “security problem” on their account.
  • The trap: The user is directed to this fake “Matrix” page to “verify” their identity or “cancel” a fraudulent transaction.
  • The theft: The page contains a perfect clone of the bank’s login interface. Once your credentials are entered, the attackers access your account and can intercept 3-D Secure codes.

3. Why is this attack so dangerous?

It is part of a multi-stage attack. We have linked this GitHub page to recent fraudulent activity involving 3DS relay interception. By using technical terms such as “Matrice” and “Réclamations”, the fraudsters exploit the victim’s sense of professional duty and anxiety.

🚩 How to protect yourself:

  • Check the domain: A bank will never ask you to log in via platforms such as github.io, vercel.app or other free hosting providers. Official services operate only on their verified private domains (e.g. credit-agricole.fr).
  • Check the source: If you receive a link about a “complaint” you did not file, do not click it. Log in directly through your bank’s official app or website.
  • Inspect the SSL certificate: Even if the site shows a padlock (HTTPS), clicking it will reveal that the certificate belongs to “GitHub, Inc.” and not to your bank.

Technical analysis:

  • Incident ID: PH-FR-8842
  • Threat type: Credential theft / Spear Phishing
  • Platform abuse: GitHub Pages
  • Miniban risk score: 10/10 (Critical)

Norwegian BankID phishing revealed

Below is a description of the Norwegian BankID phishing campaign shown in the screenshots. The attack attempts to harvest multiple layers of authentication data.


Threat Analysis: BankID Phishing – Full Credential & 2FA Harvesting (Norwegian Variant)

This multi‑step phishing campaign impersonates BankID, the common Norwegian electronic identification system used by most banks. The attacker’s goal is to collect enough information to log into the victim’s online bank and authorise fraudulent transactions.

How the attack works (six‑step flow):

  1. Fødselsnummer (national ID) – The victim’s 11‑digit personal identification number is requested.
  2. Phone number – The victim is asked to enter their phone number (linked to BankID).
  3. Choice of BankID method – The victim selects between using the BankID app or a kodebrikke (physical code generator).
  4. If “app” is chosen – The victim sees a page stating “Godkjenn med din BankID‑app” (Approve with your BankID app). This is a waiting step, while the attacker uses the previously collected data to trigger a real push notification in the official app.
  5. If “kodebrikke” is chosen – The victim is asked for their BankID password (the one used with the physical code generator).
  6. Additional steps – Depending on the variant, the attacker may also ask for a response from the code generator or for an SMS‑code, all captured in real time.

The goal:
The attacker collects:

  • Phone number (used to identify the victim in the banking system)
  • National ID number (fødselsnummer)
  • BankID password (if the code generator method is used)
  • In the case of the app method, the attacker will also capture the push‑notification approval (by tricking the victim into approving a fraudulent login or transaction).

With this information, the attacker can:

  • Log into the victim’s bank account
  • Authorise payments or money transfers
  • Commit identity theft or sell the data

Red flags to watch for:

  • Suspicious URL: The pages are hosted on myntro-gebyr.com (and subdomains), not on any official Norwegian bank or BankID domain (e.g., bankid.no).
  • Unsolicited request: You should never receive a link to enter your BankID credentials. Real BankID authentication always starts from the bank’s official website or app, not from an external link in a message.
  • Multiple steps with increasing sensitivity: A legitimate BankID login asks for either a single push notification or a one‑time code, not for phone number, national ID, password, and choice of method all in one session.
  • Mixed Norwegian / English wording: Official BankID pages are consistently in Norwegian (Bokmål or Nynorsk). The “ID‑porten” label (the national authentication portal) is genuine branding, but the URL gives the page away.
  • No personalisation: Legitimate BankID steps show a partially masked name or a known device – this page does not.

What to do if you encounter this:

  • Do not enter any personal information, BankID password, or approve any request from your BankID app.
  • If you have already entered your phone number and fødselsnummer, contact your bank immediately to block your BankID.
  • If you have entered your BankID password, change it immediately (through the official bank website, not via any link).
  • If you approved a push notification from your BankID app, call your bank’s fraud department immediately – the attacker may already have authorised a transaction.
  • Always access BankID by typing your bank’s official URL directly or by using the official BankID‑app without any external link.

Protective measures:

  • Never click links in unsolicited messages claiming payment issues, package delivery, or account problems – especially if they ask for BankID.
  • Use a password manager – it will not autofill on fake domains.
  • Enable BankID with push notifications (app) – and never approve a request unless you have just initiated a login yourself.
  • Check the URL carefully – legitimate BankID pages are on bankid.no or your bank’s domain.
  • If in doubt, contact your bank directly using a phone number from your bank card or official website – never use numbers from a suspicious message.

Posti Phishing – Fake “Key Number” Authentication Scam

Below is a description of this phishing campaign targeting Posti (the Finnish postal service) and using a fake bank authentication page to steal avainluku (key number) credentials.


Threat Analysis: Posti Phishing – Fake “Key Number” Authentication Scam (Finnish Bank Credential Theft)

This phishing campaign impersonates Posti, the Finnish postal service. The scam uses a fake “key number list” (avainlukulista) authentication page – a method commonly used by Finnish banks – to steal the victim’s online banking credentials.

How it works:

Step 1 – Fake Key Number Request Page (First Screenshot)


The victim receives a phishing email, SMS, or other message claiming a package is waiting, a delivery fee is required, or a payment needs to be confirmed. The link leads to a page that mimics the Posti website. The page asks the victim to enter a specific key number from their bank’s key number list – in this case, “208. avainluku” (key number 208). This is a direct attempt to capture one of the one‑time codes used to authenticate banking transactions.

Step 2 – Fake “Processing” Waiting Page (Second Screenshot)


After the victim submits the key number, they are taken to a page claiming that their information is being processed and that they should not leave the page. A waiting time of up to 15 minutes is displayed. This page is designed to:

  • Buy time for the attacker to use the stolen key number to log into the victim’s real bank account
  • Reduce suspicion – the victim believes the process is legitimate and ongoing

The goal:
The attacker aims to:

  • Steal a specific key number (one‑time code) from the victim’s bank key number list
  • Use that code, together with other information (possibly captured in earlier steps not shown), to log into the victim’s bank account
  • Transfer funds or commit fraud

Red flags to watch for:

  • Suspicious URL: The pages are hosted on a domain that is not posti.fi – the official Posti domain.
  • Request for bank key number on a postal service page: Posti does not ask for your bank’s avainluku numbers. This is a clear sign of a phishing page trying to harvest banking credentials.
  • Unsolicited request: Posti does not send links requiring customers to enter bank authentication codes to release a package or confirm a payment.
  • Generic waiting page with a timer: A legitimate postal service does not display such a page after you submit a code. This is a classic stalling tactic used by phishing kits.
  • Copied content: The pages use Posti’s logos, navigation menus, and social media links, but these are stolen from the real site.

What to do if you encounter this:

  • Do not enter any key numbers or other banking codes.
  • If you have already entered a key number, contact your bank immediately – the code may have already been used to authorise a fraudulent transaction.
  • Always access Posti services by typing posti.fi directly into your browser.
  • Never enter bank authentication codes on a site that is not your bank’s official website.

Protective measures:

  • Bookmark the official Posti website and use that bookmark.
  • Never enter your bank’s key numbers (avainluku) on any third‑party site – not even if the site looks like a familiar postal service.
  • Use a password manager – it will not autofill on fake domains.
  • Enable two‑factor authentication through your bank’s official mobile app instead of relying solely on key number lists if possible.
  • Be suspicious of any unsolicited message that asks you to log in or enter a key number via a link.

Matkahuolto Phishing – Fake Payment Release Scam detected

Threat Analysis: Matkahuolto Phishing – Fake Payment Release Scam (Finnish Variant)

This phishing campaign impersonates Matkahuolto, a well-known Finnish logistics and transport company. The scam targets sellers on classified or marketplace platforms, creating a fake payment confirmation process. The victim is led to believe that a buyer has already paid for an item, and the seller must “receive” the funds by providing bank card or online banking details.

How it works:
The victim (a seller) receives a message (e.g., via SMS, email, or messaging app) from a supposed buyer claiming that the item has been paid for and the funds are being held by Matkahuolto. The message includes a link to a fake Matkahuolto-branded page.

Step 1 – Fake Payment Confirmation & Recipient Info


The page displays:

  • A product (e.g., “Riihimäen lasi r”) and a price (e.g., 15.00 EUR)
  • Fake buyer details (name, address in Turku, Finland)
  • A message stating the buyer has paid for the item and shipping
  • Instructions that the seller must confirm the payment to receive the funds to their card or bank account
  • A button to “Hyväksy maksu” (Approve payment)

The page includes a fake online support chat section to add credibility.

Step 2 – Bank Selection Page


After clicking the approval button, the victim is taken to a page asking them to select their bank from a list of major Finnish banks (Nordea, Handelsbanken, OP Bank, POP Pankki, Aktia, etc.). Fake security badges (3-D Secure, HTTPS, PCI DSS Level 1) are displayed to appear trustworthy.

Step 3 – Fake Processing Page

The victim is redirected to a fake banking login page. They then see a waiting page claiming that their information is being processed and that they should not leave the page.

The goal:
The attacker aims to:

  • Direct the victim to a fake online banking login page for their selected bank
  • Steal the victim’s online banking credentials (username, password, and possibly 2FA codes)
  • Alternatively, capture credit/debit card details if the fake flow asks for them directly

There is no actual buyer or payment – the entire transaction is fabricated. The promised funds (e.g., 15 EUR) are used as a lure.

Red flags to watch for:

  • Suspicious URL: The pages are hosted on domains that are not matkahuolto.fi. Legitimate Matkahuolto services are accessed through their official domain.
  • Illogical request for payment to receive funds: The seller is asked to “approve” or “confirm” payment to receive money – this is not how legitimate transactions work. Receiving funds does not require the seller to take action on a payment page.
  • Bank selection page after a shipping company page: Matkahuolto is a logistics company, not a payment intermediary. They do not handle payment processing between buyers and sellers.
  • Fake security badges and support chat: These are copied from legitimate sites to create false trust.
  • Urgency and pressure: The pages imply that the seller must act quickly to receive the funds, a common tactic to bypass critical thinking.
  • No login or tracking number provided: The victim cannot verify the supposed transaction through official Matkahuolto channels.

What to do if you encounter this:

  • Do not click any buttons or select your bank on these pages.
  • Do not enter any online banking credentials or card details.
  • If you are expecting a payment from a buyer, always verify directly through the platform where the item was sold (e.g., Facebook Marketplace, Tori, Huuto.net) – never through external links.
  • If you have already entered your banking credentials, contact your bank immediately to secure your account.
  • Report the phishing page to Matkahuolto (e.g., via their official customer service) and to the relevant authorities.

Protective measures:

  • Never click links in unsolicited messages claiming a buyer has paid through a shipping company.
  • Always type the official website URL directly into your browser.
  • Never provide your online banking credentials or card details to “receive” a payment.
  • Enable two‑factor authentication on your bank accounts.
  • Be suspicious of any message that creates urgency and asks you to log in to a bank via a link.

Bank Negara Malaysia & Google Credential Harvesting revealed

Below is an analysis of the phishing campaign based on the three screenshots. The attack impersonates Bank Negara Malaysia (the central bank) and then Google, using a fake login flow to steal credentials for both.


Threat Analysis: Multi‑Step Phishing – Bank Negara Malaysia & Google Credential Harvesting

This campaign targets users in Malaysia and Indonesia (based on the language mix: Malay/Indonesian and English). It is designed to steal online banking credentials (User ID, password, phone number, and bank selection) first, and then capture the victim’s Google account credentials in a second step.

How it works:

Step 1 – Fake Bank Negara Malaysia Login Page (First Screenshot)
The victim receives a phishing link (e.g., via SMS, email, or social media) claiming a financial service issue or the need to log in. The link leads to a page hosted on taplink.ws (a link‑in‑bio service often abused for phishing). The page mimics the official Bank Negara Malaysia portal. It asks for:

  • Telephone number (with a Dutch prefix +31 as an example)
  • Bank selection (from a dropdown)
  • User ID / Username
  • Password
  • A checkbox to agree to “Terma & Syarat” (Terms & Conditions)

After the victim submits this data, they are redirected to the next step.

Step 2 – Fake Google Login Pages (Second and Third Screenshots)
The victim is then taken to a page that mimics the Google login interface (in Indonesian). It asks for:

  • Email address
  • Password

The language (“Gunakan Akun Google Anda” – Use your Google account) and the note about adding the account to the device are copied from legitimate Google screens.

The goal:
The attacker collects:

  • The victim’s bank login credentials (including which bank they use, their user ID, password, and phone number)
  • The victim’s Google account credentials (email and password)

With this combination, the attacker can:

  • Log into the victim’s bank account to transfer funds
  • Access the victim’s Google account to intercept password reset emails, steal personal data, and compromise other linked services
  • Use the phone number for SIM swapping or to bypass two‑factor authentication

Red flags to watch for:

  • Suspicious URL: The pages are hosted on taplink.ws, not on bnm.gov.my (Bank Negara Malaysia’s official domain) or google.com.
  • Unusual combination of requests: A central bank would never ask for your bank selection, user ID, password, and phone number in a single form – and certainly not redirect you to a Google login afterwards.
  • Language inconsistency: The Bank Negara page mixes English and Malay/Indonesian, but the domain and design are clearly not official.
  • Google login page on a third‑party domain: Legitimate Google login pages are only on google.com domains. The URL in the second screenshot is not shown fully, but the context makes it clear it is a phishing copy.
  • Unsolicited login request: Neither Bank Negara Malaysia nor Google sends links requiring you to log in via external sites to resolve “service” issues.

What to do if you encounter this:

  • Do not enter any information on these pages.
  • If you have already entered your bank credentials, contact your bank immediately to change your password and secure your account.
  • If you have entered your Google credentials, change your Google password immediately, enable two‑factor authentication (2FA), and review recent activity for any unauthorized logins.
  • Always access your bank and Google accounts by typing the official URLs directly (bnm.gov.my, google.com) – never through links.

Protective measures:

  • Bookmark the official login pages for your bank and Google.
  • Use a password manager – it will not autofill on fake domains.
  • Enable two‑factor authentication on all important accounts.
  • Be suspicious of any unsolicited message that asks you to log in via a link, especially when it involves multiple steps or different services.
  • Check the URL carefully – look for unusual top‑level domains (.ws, .top, .xyz) and free hosting services.

Touch ‘n Go eWallet Hijack detected

🛡️ Phishing Alert: The “eWallet Hijack” Scam

This screenshot shows a sophisticated phishing page that impersonates the Touch ‘n Go eWallet login interface. While the URL suggests a gaming theme (sangepoints), the actual goal is to drain your digital wallet.

1. Brand Impersonation (Spoofing)

The attackers use the official colors, fonts, and the Touch ‘n Go eWallet logo at the top of the page.

  • The Tactic: This is a “Double Trap.” The user might come for gaming points but is told they need to log in with their wallet to “pay a small fee” or “verify their identity” to receive the reward.
  • The Reality: Any legitimate login for Touch ‘n Go would occur on their official domain (touchngo.com.my) or within the app, never on a Taplink page.

2. High-Value Data Theft: Mobile Number & PIN

The form asks for two critical pieces of information:

  • Mobile Number: Used as the account ID for most eWallets.
  • 6-digit PIN: This is the master key to your funds.
  • The Theft: Once a victim enters these details, the scammer can instantly log into the real app, change the password, and transfer all the money to another account.

3. False Sense of Security

At the bottom, there is a reassuring message: “Don’t worry, rest assured that your data are kept secure and confidential.”

  • Social Engineering: This is a psychological trick designed to lower the victim’s guard at the most critical moment. Scammers often use professional-sounding legal or security disclaimers to appear legitimate.

How to Stay Safe:

  • Check the URL twice: If you see a banking or eWallet login form on a domain like taplink.ws, it is 100% a scam.
  • Never enter your PIN on a website: Payment apps are designed to be used inside the app. Your eWallet will never ask for your PIN via a browser link sent by a stranger.
  • Enable Biometrics: Using FaceID or Fingerprint for your wallet makes it much harder for scammers to use a stolen PIN.

🛡️ Phishing Alert: The “Push Notification” Hijack

This screenshot captures the final step of an account takeover. After stealing your credentials, the scammer is now tricking you into authorizing their fraudulent login.

1. The “Check Your Phone” Trap

The page displays a convincing message: “We sent a notification to your device. Tap ‘Yes’ to complete the process.”

  • The Tactic: This is timed perfectly. While you are looking at this fake page, a real notification from the actual Touch ‘n Go eWallet app pops up on your phone.
  • The Reality: The notification you see on your phone is not to “receive points” or “verify a reward.” It is a request to authorize a new device (the scammer’s phone) to access your wallet.

2. Social Engineering: The “Continue” Button

The large “Continue” button at the bottom does nothing technical—it is purely psychological.

  • The Goal: It keeps the victim engaged and waiting on the site while the scammer waits for the victim to tap “Yes” on their mobile device.
  • The Deception: By creating a professional-looking “Processing” screen, the scammer makes the illegal login attempt feel like a legitimate part of the “Get Money” or “Get Points” flow.

3. Exploiting 2FA (Two-Factor Authentication)

  • The Breach: Scammers know that most people trust their app’s notifications. They rely on the victim’s confusion: the victim thinks they are confirming a “Safe Receipt of Funds,” but they are actually handing over the keys to their account.
  • The Result: If you tap “Yes” or enter an OTP code on this site, the scammer gains full control of your eWallet. They can immediately drain your balance and any linked bank accounts or credit cards.

How to Stay Safe:

  • Never “Authorize” via a Link: If you receive a push notification to log in while you are on a third-party website (like Taplink), always tap “No” or “Reject”.
  • Read the Notification Carefully: Real security alerts will say “Are you trying to log in from a new device?” or “Authorize this transaction?”. If you didn’t initiate it yourself inside the official app, it’s a scam.
  • Close the Browser: If a site asks you to “wait for a notification” to receive a prize, it is 100% a scam. Official rewards never require 2FA authorization.

🛡️ Phishing Alert: The “Google Login” Account Takeover

This screenshot reveals a fake Google login page hosted on Taplink. Scammers use the familiarity of Google to gain full access to your emails, photos, cloud storage, and saved passwords.

1. The Visual Deception (Impersonation)

The page uses the official Google logo and mimics the layout of a real login screen.

  • The Tactic: The text is in Indonesian (“Gunakan Akun Google Anda…”), which suggests this specific campaign is targeting users in Southeast Asia.
  • The Red Flag: A real Google login will always be hosted on a google.com domain. If you see a Google login form on taplink.ws or any other domain, it is 100% a fake.

2. High-Stake Theft: Email and Password

The form asks for your Email and Password.

  • The Goal: Once the victim enters these, the scammer gains access to the victim’s primary email. From there, they can reset passwords for other services (banking, social media, crypto exchanges) and steal sensitive personal data from Google Drive and Photos.

3. Exploiting “Safe” Domains

By using sangepoints.taplink.ws, the attackers hope that the “safe” reputation of Taplink will prevent the browser from showing a “Dangerous Site” warning. They often lure victims to this page by promising “Premium Game Features” or “Early Access” that supposedly requires a Google login to “sync progress.”

How to Stay Safe:

  • Check the URL Bar: This is the most important rule. If the URL doesn’t end in google.com, do not type anything.
  • Use a Password Manager: Professional password managers (like 1Password or Bitwarden) will refuse to autofill your password on a phishing site because they recognize the domain is wrong.
  • Enable 2-Step Verification (2FA): Always use a physical security key (like YubiKey) or an Authenticator App. Never trust a login request that pops up while you are on a suspicious website.
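The URL checks from this section and from the earlier "Protective measures" list (unusual top-level domains, free hosting services, a login host that is not google.com) as an added Python example, not code from the original write-up. It compares the hostname to the official domain on a label boundary rather than as a string suffix, so a lookalike such as notgoogle.com is still flagged; the brand list, the free-hosting list and the sample URLs are constructed for illustration.

```python
# Added example (not from the original write-up): a defender-side triage of a
# login URL against the red flags this page lists. The brand list, the
# free-hosting list and the sample URLs are constructed for illustration.
from urllib.parse import urlsplit

# Registrable domains where each brand's real login pages live (named on the page).
BRAND_DOMAINS = {
    "google": ("google.com",),
    "touch 'n go": ("touchngo.com.my",),
    "bank negara malaysia": ("bnm.gov.my",),
}
# Top-level domains the page calls out and a free page builder seen in the screenshots.
SUSPICIOUS_TLDS = {"ws", "top", "xyz"}
FREE_HOSTING = {"taplink.ws"}


def host_matches(host: str, domain: str) -> bool:
    """True only if host is domain itself or a subdomain of it (label boundary).
    A bare string-suffix test would wrongly accept 'notgoogle.com'."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def triage_login_url(url: str, claimed_brand: str) -> dict:
    """Return the red flags for a login form that claims to belong to claimed_brand."""
    host = (urlsplit(url).hostname or "").lower()
    official_domains = BRAND_DOMAINS.get(claimed_brand.lower(), ())
    official = any(host_matches(host, d) for d in official_domains)
    flags = []
    if not official:
        flags.append("host is not an official %s domain" % claimed_brand)
    tld = host.rsplit(".", 1)[-1]
    if tld in SUSPICIOUS_TLDS:
        flags.append("unusual top-level domain .%s" % tld)
    if any(host_matches(host, h) for h in FREE_HOSTING):
        flags.append("hosted on a free page builder")
    # The brand name inside an unrelated hostname is the classic lookalike.
    if not official and claimed_brand.lower().split()[0] in host:
        flags.append("brand name used inside an unrelated hostname")
    return {"host": host, "phishing_suspected": not official, "flags": flags}

if __name__ == "__main__":
    # Constructed sample URLs: hosts named on this page plus one lookalike.
    samples = [
        ("https://accounts.google.com/signin", "google"),
        ("https://sangepoints.taplink.ws/", "google"),
        ("https://sangepoints.taplink.ws/", "touch 'n go"),
        ("https://notgoogle.com/login", "google"),
    ]
    for url, brand in samples:
        print(brand, "->", triage_login_url(url, brand))
```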

🛡️ Phishing Alert: The “Success” Deception

This screenshot captures the moment after a victim has already submitted their Google credentials. It is a critical psychological tactic used to buy time for the attacker.

1. The Fake Success Message

The popup says: “Terima kasih atas aplikasi Anda” (“Thank you for your application”) with a green checkmark.

  • The Tactic: By showing a “Success” screen, the scammer makes the victim feel that the process is over and everything is fine.
  • The Reality: At this very second, the victim’s email and password have already been sent to the scammer’s server.

2. Psychological “Cooling Off”

  • Why it works: If the page just crashed or showed an error, the victim might realize they were scammed and immediately try to change their password or enable 2FA.
  • The Goal: The “Tutup” (“Close”) button encourages the user to simply close the tab and move on, giving the scammer minutes or hours of uninterrupted access to the stolen account.

3. Language Targeting

The Indonesian text confirms that this specific campaign (sangepoints.taplink.ws) is a localized attack. Scammers often use the victim’s native language to increase the conversion rate and build trust.

How to Stay Safe:

  • Check your Activity: If you ever realize you’ve entered data into a suspicious site, go to google.com immediately.
  • Sign out of all devices: Use the “Sign out of all sessions” feature to kick any intruders out of your account.
  • Change your password instantly: Every second counts before the scammer sets up their own recovery info.