


Threat Analysis: Daviplata Phishing – Credential & SMS Code Harvesting
This phishing campaign impersonates Daviplata, a widely used digital wallet and mobile payment platform in Colombia, operated by Davivienda Bank. The scam uses a multi-page flow to capture the victim’s document number, Daviplata password, and the SMS verification code—the three elements needed to access the account and authorize transactions.
How it works:
The victim receives a phishing email, SMS, or other message claiming a security alert, account issue, or the need to verify their information. The message includes a link to the first phishing page.
Step 1 – Fake Login Page (First Screenshot)
The first page asks for:
- Número de documento (Document number – typically the Colombian national ID, “cédula”)
- Clave Daviplata (Daviplata password)
This page captures the victim’s primary account credentials.
Step 2 – Fake Waiting/Loading Page (Second Screenshot)
The second page displays a fake loading message with a countdown timer (23 seconds), claiming that a code is being sent to the victim’s phone. This page serves two purposes:
- It creates a sense of legitimate processing
- It buys time for the attacker to use the stolen credentials to log into the real Daviplata platform and trigger an SMS code to the victim’s phone
Step 3 – Fake SMS Code Page (Third Screenshot)
The third page asks for the SMS verification code sent to the victim’s mobile phone. When the victim enters this code, the attacker captures it and uses it to complete the login on the real Daviplata platform.
The goal:
The attacker aims to:
- Steal the victim’s Daviplata credentials (document number and password)
- Capture the SMS verification code (2FA) in real time
- Gain full access to the victim’s Daviplata account to transfer funds, make payments, and commit fraud
Red flags to watch for:
- Suspicious URL: The pages are hosted on domains that are not daviplata.com or any official Davivienda/Daviplata domain. Legitimate Daviplata access is through the official mobile app or website. Always check the address bar.
- Unsolicited login request: Daviplata does not send emails or messages with links requiring customers to log in to resolve account issues. Customers should always access their accounts by opening the official app or typing the official URL directly.
- Fake loading page with countdown: Legitimate banking apps and platforms do not display artificial countdown timers during login. This is a classic phishing tactic to buy time for the attacker to use stolen credentials on the real site.
- Multi-step design with SMS code request: After entering credentials, the victim is asked for an SMS code. This mirrors the real 2FA flow, making it convincing, but the pages are fake.
- Minimal design: The pages lack the full branding, security notices, and personalized elements present on the legitimate Daviplata interface.
What to do if you encounter this:
- Do not enter your document number, password, or SMS verification code on these pages.
- If you are a Daviplata user, always access your account by opening the official Daviplata mobile app or by typing the official website URL directly into your browser.
- If you have already entered your credentials but not the SMS code, change your Daviplata password immediately and contact Davivienda’s customer service to secure your account.
- If you have entered the SMS code as well, the attacker may have already accessed your account. Contact Davivienda’s fraud department immediately to block your account and reverse any unauthorized transactions.
- Report the phishing pages to Davivienda’s fraud team.
Why this scam is particularly dangerous:
This is a real-time account takeover phishing kit. The attacker uses the stolen document number and password immediately to log into the real Daviplata platform and trigger an SMS code. The fake loading page buys time for this process. When the victim enters the SMS code on the phishing page, the attacker uses it to complete the login—often within seconds. Daviplata is a popular digital wallet in Colombia, and many users keep significant balances or link their accounts to bank cards, making successful attacks financially damaging.
Protective measures:
- Always access Daviplata through the official mobile app or by typing the official website URL directly—never click links in emails or messages.
- Use a password manager: It will autofill only on legitimate domains, not on phishing sites.
- Never enter your SMS verification code on a page you reached via a link. Legitimate platforms only ask for 2FA codes after you have initiated a login on their official app or website.
- Be suspicious of any unsolicited message that creates urgency and asks you to log in to your account.
- Check the URL carefully: Legitimate Daviplata domains are associated with daviplata.com and davivienda.com. Look for misspellings, extra words, or unusual top-level domains.
- If in doubt, contact Davivienda directly using a phone number from your bank statement or the official website—never use contact information provided in a suspicious message.
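The URL check described above, written out as an added example (not part of the original analysis): a link counts as official only when the host it really targets is daviplata.com, davivienda.com or a subdomain of one of them, and a brand name or near-misspelling anywhere else in the address is flagged as a lookalike. The function names, the edit-distance threshold of 2 and the sample links are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Official domains as named in this article; brand labels are derived from them.
OFFICIAL = ("daviplata.com", "davivienda.com")
BRANDS = tuple(d.split(".")[0] for d in OFFICIAL)


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return 'official', 'lookalike' or 'unrelated' for the host a link targets."""
    if "://" not in url:
        url = "//" + url  # let urlsplit parse scheme-less links
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    # Official only if the host IS the domain or a true subdomain of it;
    # a bare endswith("daviplata.com") would also accept "xdaviplata.com".
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return "official"
    # Otherwise look for the brand anywhere in the authority part, including
    # the userinfo before '@', which the browser does not treat as the host.
    for token in re.split(r"[.\-@:]", parts.netloc.lower()):
        if any(b in token or edit_distance(token, b) <= 2 for b in BRANDS):
            return "lookalike"
    return "unrelated"


# Constructed sample links on reserved .example names, not campaign indicators.
SAMPLES = [
    "https://www.daviplata.com/",
    "https://daviplata.com.verify-account.example/login",
    "https://davip1ata-seguridad.example/",
    "https://daviplata.com@login.example/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify(link):10} {link}")
```
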
