


Threat Analysis: Banco República (BROU) Phishing – Credential & Digital Key Harvesting
This phishing campaign impersonates Banco República (BROU), the largest and state-owned bank in Uruguay. The scam uses a multi-step process to capture the victim’s document number, password, and the “Llave Digital” (Digital Key)—a one-time code used for transaction authorization—allowing attackers to bypass two-factor authentication and take over the account.
How it works:
The victim receives a phishing email, SMS, or other message claiming a security alert, account issue, or the need to verify their information. The message includes a link to the first phishing page.
Step 1 – Fake Document Number & Password Page
The first page mimics BROU’s login interface. It asks for:
- Country (pre-selected as Uruguay)
- Document type (pre-selected as C.I. – national ID)
- Document number
- Password
This page captures the victim’s primary banking credentials.
Step 2 – Fake “Llave Digital” (Digital Key) Page
The third page (the second image failed to load) asks for the victim’s Llave Digital—a 6-digit two-factor authentication code (either generated by an app, sent via SMS, or from a physical token). This code is typically required to authorize transactions or complete login. By capturing it, the attacker can bypass security measures.
The goal:
The attacker aims to:
- Steal the victim’s BROU online banking credentials (document number and password)
- Capture the Llave Digital (2FA code) to authorize transactions
- Gain full access to the victim’s bank account, enabling fund transfers and other fraudulent activities
With both the login credentials and the one-time code, the attacker can log in and complete transactions in real time—often before the victim realizes their account has been compromised.
Red flags to watch for:
- Suspicious URL: The pages are hosted on domains that are not brou.com.uy or any official BROU domain. Legitimate BROU online banking is accessed through the bank’s official website. Always check the address bar.
- Unsolicited login request: BROU does not send emails or messages with links requiring customers to log in to resolve account issues. Customers should always access online banking by typing the URL directly or using the official app.
- Multi-step design: The flow asks for credentials in stages, which is common in sophisticated phishing kits designed to capture both primary credentials and 2FA codes.
- Generic design elements: While the pages mimic BROU’s branding, they lack the full navigation, personalized security images, and account-specific information that would appear on a legitimate logged-in session.
- Request for Llave Digital: The third page asks for the 2FA code without context. Legitimate banking processes only ask for this code after the user has already initiated a login or transaction within a trusted environment.
What to do if you encounter this:
- Do not enter your document number, password, or Llave Digital (2FA code) on these pages.
- If you are a BROU customer, always access online banking by typing brou.com.uy directly into your browser or by using the official BROU mobile app.
- If you have already entered your credentials, contact BROU immediately through their official customer service hotline to block your account and change your password.
- If you entered a Llave Digital code that you received via SMS or generated from an app, that code may have already been used by the attacker to authorize a transaction. Check your account for unauthorized activity immediately.
- Report the phishing page to BROU’s fraud department.
Why this scam is particularly dangerous:
This is a real-time account takeover phishing kit. By capturing both the login credentials and the one-time Llave Digital (2FA code), the attacker can bypass the bank’s primary security control. The multi-step design also makes the scam feel more “official” to victims who are accustomed to multi-page login flows on the real BROU site.
Protective measures:
- Bookmark the official BROU login page and use that bookmark to access online banking—never click links in emails or messages.
- Use a password manager: It will autofill only on legitimate brou.com.uy domains, not on phishing sites.
- Never share your Llave Digital with anyone or enter it on a page you reached via a link. BROU will never ask for this code via email or unsolicited messages.
- Enable additional security alerts on your bank account to receive notifications of transactions.
- Be suspicious of any unsolicited message that creates urgency and asks you to log in to your bank account.
- Check the URL carefully: Legitimate BROU domains end with brou.com.uy. Look for misspellings, extra words, or unusual top-level domains.
- If in doubt, contact BROU directly using a phone number from your bank statement or the official website—never use contact information provided in a suspicious message.
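The "ends with brou.com.uy" check above is easy to get wrong in a mail filter or proxy rule, because a plain suffix or substring match also accepts hosts that merely contain the official name. The following is an added example, not part of the original analysis: it compares whole DNS labels and flags the brand string in any non-official link. The sample URLs are constructed, and the brand token "brou" and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "brou.com.uy"  # official domain as named on this page
BRAND_TOKEN = "brou"             # assumption: brand string to flag elsewhere


def split_authority(url: str) -> tuple[str, str]:
    """Return (hostname, full authority), both lower-cased."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat scheme-less input as a host
    try:
        parts = urlsplit(url)
    except ValueError:    # malformed authority, e.g. a broken IPv6 literal
        return "", ""
    # .hostname drops userinfo and port; a trailing root dot is equivalent.
    return (parts.hostname or "").rstrip(".").lower(), parts.netloc.lower()


def naive_suffix_check(url: str) -> bool:
    """The weak check: a raw string suffix, with no label boundary."""
    return split_authority(url)[0].endswith(OFFICIAL_DOMAIN)


def classify_url(url: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for a link."""
    host, authority = split_authority(url)
    # Official only if the host IS the domain or a dot-separated subdomain.
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return "official"
    # Brand string in the host or userinfo of a non-official link matches
    # the "misspellings, extra words" red flag described above.
    if BRAND_TOKEN in authority:
        return "lookalike"
    return "unrelated"


# Constructed sample links (not observed indicators).
SAMPLES = [
    "https://www.brou.com.uy/",
    "https://brou.com.uy.secure-login.example/",  # official name as a prefix
    "https://example-brou.com.uy/",               # suffix without a dot
    "https://brou.com.uy@login.example/",         # official name as userinfo
    "https://news.example/brou",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_url(link):10} naive={naive_suffix_check(link)!s:5} {link}")
```

The third sample passes the naive suffix check but is classified as a lookalike, which is the case a label-boundary comparison exists to catch.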
