Banco G&T Continental phishing page detected


Threat Analysis: Banco G&T Continental Phishing – Credential & SMS Token Harvesting

This phishing campaign impersonates Banco G&T Continental, one of the largest banks in Guatemala. The scam uses a multi-page flow to capture the victim’s online banking credentials and then the SMS token (two-factor authentication code), allowing attackers to bypass security measures and gain full access to the account.

How it works:
The victim receives a phishing email, SMS, or other message claiming a security alert, account issue, or the need to verify their information. The message includes a link to the first phishing page.

Step 1 – Fake Login Page (First Screenshot)
The first page asks for:

  • Usuario (username)
  • Contraseña (password)

This page captures the victim’s primary online banking credentials.

Step 2 – Fake Loading/Waiting Page (Second Screenshot)
The second page displays a fake loading message, stating that the victim’s credentials are being verified. A countdown timer (20 seconds) creates a sense of legitimate processing while the attacker, in the background, uses the stolen credentials to log into the real bank site and trigger an SMS token to the victim’s phone.

Step 3 – Fake SMS Token Page (Third Screenshot)
The third page asks for the SMS token (the two-factor authentication code sent to the victim’s mobile phone). When the victim enters this code, the attacker captures it and uses it to complete the login on the real Banco G&T Continental site.

The goal:
The attacker aims to:

  • Steal the victim’s online banking credentials (usuario and contraseña)
  • Capture the SMS token (2FA code) in real time
  • Gain full access to the victim’s bank account to transfer funds, pay bills, and commit fraud

Red flags to watch for:

  • Suspicious URL: The pages are hosted on domains that are not gyb.com.gt or any official Banco G&T Continental domain. Legitimate online banking is accessed through the bank’s official website. Always check the address bar.
  • Unsolicited login request: Banco G&T Continental does not send emails or messages with links requiring customers to log in to resolve account issues. Customers should always access online banking by typing the URL directly or using the official app.
  • Fake loading page with countdown: Legitimate banking sites do not display artificial loading countdown timers during login. This is a classic phishing tactic to buy time for the attacker to use the stolen credentials on the real site.
  • Multi-step design with SMS token request: After entering credentials, the victim is asked for the SMS token. This mirrors the real 2FA flow, making it convincing, but the pages are fake.
  • No personalization or security image: Legitimate Banco G&T Continental login pages may display a security image or personalized greeting. These pages lack such features.
  • Outdated copyright: The footer shows “2022” (the screenshots are from 2023). While not a definitive red flag, outdated copyright notices are common in phishing pages.

What to do if you encounter this:

  • Do not enter your usuario, contraseña, or SMS token on these pages.
  • If you are a Banco G&T Continental customer, always access online banking by typing gyb.com.gt directly into your browser or by using the official mobile app.
  • If you have already entered your credentials but not the SMS token, contact Banco G&T Continental immediately to change your password and secure your account.
  • If you have entered the SMS token as well, the attacker may have already accessed your account. Contact the bank’s fraud department immediately.
  • Report the phishing pages to Banco G&T Continental’s fraud team.

Why this scam is particularly dangerous:
This is a real-time account takeover phishing kit. The attacker uses the stolen username and password immediately to log into the real bank site and trigger an SMS token. The fake loading page buys time for this process. When the victim enters the SMS token on the phishing page, the attacker uses it to complete the login—often within seconds. By the time the victim realizes something is wrong, the attacker may have already transferred funds.

Protective measures:

  • Bookmark the official Banco G&T Continental login page and use that bookmark to access online banking—never click links in emails or messages.
  • Use a password manager: It will autofill only on legitimate gyb.com.gt domains, not on phishing sites.
  • Never enter your SMS token on a page you reached via a link. Legitimate banks only ask for 2FA codes after you have initiated a login on their official site.
  • Be suspicious of any unsolicited message that creates urgency and asks you to log in to your bank account.
  • Check the URL carefully: Legitimate Banco G&T Continental domains end with gyb.com.gt. Look for misspellings, extra words, or unusual top-level domains.
  • If in doubt, contact Banco G&T Continental directly using a phone number from your bank statement or the official website—never use contact information provided in a suspicious message.
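The "check the URL" advice in the red flags and protective measures above is easy to state and easy to get wrong, because phishing links are built to survive a casual glance. The following is an added example, not code from the original advisory, showing how a defender-side tool (a mail-filter rule, a browser helper, or a helpdesk triage script) would decide whether a link really points at the bank’s official domain gyb.com.gt, the only domain the advisory names. The sample URLs and the helper names (`hostname_of`, `is_official_host`, `classify_url`) are constructed for illustration; none of the sample hosts is a real site from this campaign.

```python
"""Hostname check for bank login links.

Added example (not part of the original advisory): decides whether a link
really points at the bank's official domain, gyb.com.gt, and names the
lookalike trick in use when it does not. The sample URLs are constructed
for illustration; none is a real phishing site from the advisory.
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "gyb.com.gt"   # the official domain named in the advisory
BRAND_TOKEN = "gyb"              # shortest fragment of the brand worth flagging


def hostname_of(url: str) -> Optional[str]:
    """Return the normalized ASCII host of a URL, or None if it cannot be parsed."""
    if "://" not in url:                  # accept bare hosts such as "gyb.com.gt"
        url = "https://" + url
    try:
        host = urlsplit(url).hostname     # drops userinfo, port, path and query
    except ValueError:
        return None
    if not host:
        return None
    try:
        # Convert Unicode labels to punycode so a Cyrillic 'о' inside "com"
        # can never compare equal to the ASCII official domain.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    return host.lower().rstrip(".")


def is_official_host(host: str) -> bool:
    """True only for gyb.com.gt itself or a subdomain of it (label boundary enforced)."""
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)


def classify_url(url: str) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'official', 'not-official' or 'invalid'."""
    host = hostname_of(url)
    if host is None:
        return "invalid", "URL could not be parsed into a hostname"
    if is_official_host(host):
        scheme = urlsplit(url if "://" in url else "https://" + url).scheme
        note = "" if scheme == "https" else f" (but scheme is {scheme}, not https)"
        return "official", f"host {host} is {OFFICIAL_DOMAIN} or a subdomain of it{note}"
    if "xn--" in host:
        return "not-official", f"host {host} uses internationalized labels that imitate the name"
    flat = host.replace(".", "").replace("-", "")
    if OFFICIAL_DOMAIN.replace(".", "") in flat:
        return "not-official", f"host {host} embeds the official name inside another domain"
    if BRAND_TOKEN in host:
        return "not-official", f"host {host} only resembles the bank's name"
    if OFFICIAL_DOMAIN in url.lower():
        return "not-official", f"official name appears in the path or userinfo, but the host is {host}"
    return "not-official", f"host {host} is unrelated to {OFFICIAL_DOMAIN}"


# Constructed illustrations of the tricks the advisory warns about; not real sites.
SAMPLE_URLS = [
    "https://gyb.com.gt/login",                          # genuine
    "https://banca.gyb.com.gt/",                         # genuine subdomain
    "http://gyb.com.gt/login",                           # genuine host, weak scheme
    "https://gyb.com.gt.verify-account.example/login",   # official name as a subdomain
    "https://gyb-com-gt.example/",                       # dots replaced by hyphens
    "https://gyb.com.gt@evil.example/login",             # official name in userinfo
    "https://evil.example/gyb.com.gt/token",             # official name in the path
    "https://gyb.c\u043em.gt/login",                     # Cyrillic 'о' in "com"
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        verdict, reason = classify_url(sample)
        print(f"{verdict:13} {sample}\n{'':13} {reason}")
```

The check deliberately compares the parsed hostname rather than searching the whole link for the bank’s name: the `@evil.example` and `/gyb.com.gt/` samples show why a substring match on the raw URL would pass exactly the links a phisher wants it to pass. The label-boundary test in `is_official_host` is what separates `banca.gyb.com.gt` from `gyb.com.gt.verify-account.example`, and the IDNA step keeps homoglyph domains from ever matching.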
