{"id":44497,"date":"2022-06-03T06:16:39","date_gmt":"2022-06-03T10:16:39","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=44497"},"modified":"2022-06-03T06:16:39","modified_gmt":"2022-06-03T10:16:39","slug":"wise-transferwise-phishing","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/wise-transferwise-phishing\/44497\/","title":{"rendered":"Phishing for Wise guys"},"content":{"rendered":"

Attackers often send phishing e-mails in the name of well-known companies to extract credentials for users\u2019 personal accounts, phone numbers and other information that can be useful for scams or account takeovers. Of course, among the most attractive targets for phishers are clients of financial organizations such as banks<\/a>, cryptoexchanges<\/a>, payment systems and the like.<\/p>\n

This time we detected phishing exploiting the online financial service Wise (until recently \u2014 TransferWise), which is used by millions. Here we analyze the setup and explain how not to fall victim to fraud and data theft.<\/p>\n

A word about Wise<\/h2>\n

Why Wise in particular? It\u2019s not just that people entrust their money to it. Until recently, the company was known as TransferWise, and its main business was low-cost cross-border money transfers. In 2021, it expanded its range of services<\/a> to include not only international transfers, but multi-currency accounts and debit cards (among others), too.<\/p>\n

As part of a rebranding, Wise dropped the \u201cTransfer\u201d from its name. Enter cybercriminals \u2014 who decided to exploit some initial confusion connected with the name change.<\/p>\n

How the scheme works<\/h2>\n

An attack begins with a phishing e-mail purporting to be from the Wise support team. The e-mail informs the victim that due to the rebranding they need to \u201cmigrate their account to the new platform\u201d.<\/p>\n

\"E-mail<\/a>

E-mail supposedly from TransferWise about moving the user\u2019s account to a new platform<\/p><\/div>\n

The inattentive user could easily mistake it as genuine, since wise.com appears in the line with the sender\u2019s name, and the message body contains the company logo with the trademark blue flag. A closer look, however, reveals a couple of more-red-than-blue flags: the sender\u2019s address consists of a random string of numbers along with words totally unrelated to Wise, and for some reason the domain belongs to\u2026 Moringa School in Kenya<\/a>! The text itself is full of errors and typos, which a reputable company wouldn\u2019t permit.<\/p>\n

There are two links in the e-mail: one supposedly pointing to the new site, the other to contact the senders. In actual fact, both lead to the same page, which automatically redirects the victim to another \u2014 phishing \u2014 website.<\/p>\n

The phishing site looks far more convincing than the e-mail, with the same welcome message and design as the real Wise site. The only difference is the image on the left of the page, and also the URL. The latter unexpectedly displays the name of an obscure app<\/a> for finding restaurants and discounted services. At this point, the cybercriminals ask the user to enter their e-mail and password for account login.<\/p>\n

\"Phishing<\/a>

Phishing version of Wise login page<\/p><\/div>\n

However, credentials are not the only personal information collected: having \u201caccepted\u201d the e-mail and password (whether real or not, there are no checks), the site asks for the victim\u2019s phone number. Incidentally, you don\u2019t need to enter your phone number to login to the real Wise site.<\/p>\n

\"Lastly,<\/a>

Lastly, the attackers ask for the Wise user\u2019s phone number<\/p><\/div>\n

When the user clicks the Continue button, the site seems to freeze: while the data is sent to the cybercriminals, the victim sees just a spinning logo with the word \u201cloading\u201d.<\/p>\n

\"The<\/a>

The phishing page lost in thought<\/p><\/div>\n

The impatient user who clicks the Continue button is again redirected to the official Wise site. The idea here is that even if the user senses something amiss and checks the URL at this point, they won\u2019t realize their data has fallen into cybercriminal hands and will just continue to go about their business.<\/p>\n

\"The<\/a>

The user is eventually redirected to the official Wise website<\/p><\/div>\n

Where does the data go<\/h2>\n

Most likely, it\u2019s phone numbers that cybercriminals want most of all. They probably collect them in databases and sell them to phone scammers. And from compromised accounts they can get additional information<\/a> about users, in particular, first name, surname and home address. Armed with such information, the phone scammers can sound far more convincing.<\/p>\n

How to stay safe<\/h2>\n

To avoid the trap and protect your data, follow some basic cybersecurity rules<\/a>.<\/p>\n