

Scam that steals Nubank password and Google asks for selfie with RG

by Ace Damon

Scams involving Nubank have been proliferating on Facebook and Instagram, but criminals are still betting on a more traditional medium: SMS spam. I received a message pointing to a phishing website that tries to steal Nubank and Google passwords; it even asks for a selfie with RG or CNH twice.

It all started with an SMS message: "owner (my mobile number) you received an important message Nubank vizualize tinyurl.com/xxxxx". The typos and the shortened link via TinyURL are enough for an experienced user to know it is a scam, but I decided to take the bait.

Website with Nubank scam has secure connection lock

The link leads to a page that mimics the Nubank interface, asking for your CPF and password. The browser shows the lock indicating that the connection is secure: the certificate is from Cloudflare, which offers free SSL protection for sites hosted on the service.

As we said before, the lock doesn't mean the site is safe: it just means that the information will travel encrypted over the internet until it reaches its destination – in this case, the end point is a data thief.

It is possible to use online tools to generate valid CPF numbers; these are meant for testing software in development or for investigating phishing scams without giving away personal data. The page requires at least 8 characters in the password field; then it asks for the four-digit card password.

The twist, for me, came after the site asked for my email address: it took me to a page imitating Google and asking for a password. The scam within the scam surprised me.

Fake Nubank website asks for selfie with ID or CNH

It didn't stop there: the page said that my device was not authorized, so I had to send a selfie with ID or driver's license (!). I accessed the phishing site twice: on my cell phone, I sent a photo of my table; on the desktop, I sent an image of the new Xiaomi Mi 10 Pro.

No matter which image you send, the website will ask you to send another one, saying: "the photo where you must hold your document next to your face (selfie) must be taken by yourself, without covering your face with the document".

Again, I sent a picture of my desk (on the phone) and the Mi 10 Pro (on the desktop). In both cases, the same message appeared: "Your request for the Nubank verification procedure has been successfully completed".

Nubank recommends using official channels

If you suspect phishing, Nubank makes this suggestion on its official blog: "contact the company through the official service channels or access the page through your browser, and not through the link sent".

The scam page has the domain nubank.ibacesso(.)digital, registered in December 2019. Since this site appears to be new, Google Chrome does not yet announce that it is a scam: normally, the browser displays a red alert in these cases.
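The two link patterns in this scam (a shortener in the SMS, then the brand name used as a subdomain of an unrelated domain) can be checked mechanically. The sketch below is an added example, not code from the article or from Nubank; the official domain, the shortener list, the tiny suffix table and the sample hosts under the reserved `.example` TLD are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumptions for this example (not taken from the article):
OFFICIAL_DOMAINS = {"nubank.com.br"}     # assumed official registrable domain
SHORTENERS = {"tinyurl.com", "bit.ly"}   # tinyurl.com is the one used in the SMS
MULTI_LABEL_SUFFIXES = {"com.br"}        # small stand-in for the Public Suffix List
BRAND = "nubank"


def registrable_domain(host):
    """Return the part of the host someone had to register (suffix plus one label)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(url):
    """Classify a link as 'official', 'shortener', 'lookalike' or 'unrelated'.

    The scheme is deliberately ignored: an https lock says nothing about
    who operates the site.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    domain = registrable_domain(parts.hostname or "")
    if domain in OFFICIAL_DOMAINS:
        return "official"
    if domain in SHORTENERS:
        return "shortener"   # real destination is hidden until resolved
    # Brand name anywhere in the authority (subdomain or userinfo) of a
    # domain the brand does not own.
    if BRAND in parts.netloc.lower():
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links, shaped like the ones described in the article.
    for link in ("tinyurl.com/xxxxx",
                 "https://nubank.ibacesso.example/login",
                 "https://nubank.com.br.evil.example/",
                 "https://app.nubank.com.br/"):
        print(f"{classify(link):10} {link}")
```

A production filter would take the suffix data from the real Public Suffix List and resolve shortener redirects before classifying the final destination.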

In Firefox, I was unable to open the page. I received a 1020 access denied error with a warning from Cloudflare: "This site is using a security service to protect against online attacks". It's easy?

