Scams involving Nubank have been proliferating on Facebook and Instagram, but criminals are still betting on a more traditional medium: SMS spam. I received a message pointing to a phishing website that tries to steal Nubank and Google passwords; it even asks for a selfie with your RG or CNH, twice.
It all started with an SMS message: "owner (my mobile number) you received an important message Nubank vizualize tinyurl.com/xxxxx". The typos and the link shortened via TinyURL are enough for an experienced user to know it is a scam, but I decided to take the bait.
Website with Nubank scam has secure connection lock
The link leads to a page that mimics the Nubank interface, asking for your CPF and password. The browser shows the padlock indicating that the connection is secure: the certificate is from Cloudflare, which offers free SSL to sites hosted on the service.
As we said before, the padlock doesn't mean the site is safe: it just means that the information will travel encrypted over the internet until it reaches its destination – in this case, the end point is a data thief.
It is possible to use online tools to generate valid CPF numbers; this is meant for testing software in development, and it also lets you investigate phishing scams without giving away personal data. The page requires at least 8 characters in the password field; then it asks for the four-digit card password.
The twist, for me, came after the site asked for my e-mail address: it took me to a page imitating Google and asking for my password. A scam within the scam surprised me.
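The "valid CPF numbers" the article mentions are numbers whose two trailing check digits satisfy the public modulo-11 rule, which is all a phishing form can verify client-side. The following is an added example, not code from the article or from Nubank, implementing that rule both as a validator and as a generator of throwaway test numbers; the function names and the seed parameter are my own choices. A number that passes the check is arithmetically well-formed, not necessarily one that has ever been issued.

```python
import random
import re

CPF_LENGTH = 11


def _check_digit(digits):
    """Compute one CPF check digit over the given leading digits.

    Weights run from len(digits)+1 down to 2 (10..2 for the first check
    digit, 11..2 for the second). The weighted sum modulo 11 gives the
    digit: remainders 0 and 1 map to 0, everything else to 11 - remainder.
    """
    weights = range(len(digits) + 1, 1, -1)
    remainder = sum(d * w for d, w in zip(digits, weights)) % 11
    return 0 if remainder < 2 else 11 - remainder


def normalize_cpf(cpf):
    """Strip the usual '.' and '-' formatting (or any non-digit)."""
    return re.sub(r"\D", "", cpf)


def is_valid_cpf(cpf):
    """Return True when the CPF has 11 digits and both check digits match.

    Sequences such as 111.111.111-11 satisfy the arithmetic but are
    rejected by Receita Federal, so they are rejected here too.
    """
    digits = normalize_cpf(cpf)
    if len(digits) != CPF_LENGTH or not digits.isdigit():
        return False
    nums = [int(c) for c in digits]
    if len(set(nums)) == 1:
        return False
    return (_check_digit(nums[:9]) == nums[9]
            and _check_digit(nums[:10]) == nums[10])


def generate_test_cpf(seed=None):
    """Generate a well-formed CPF for test fixtures.

    Passing a seed makes the output reproducible, which is what you want
    in a test suite. The nine base digits are random; the two check
    digits are derived, so the result always passes is_valid_cpf().
    """
    rng = random.Random(seed)
    while True:
        base = [rng.randrange(10) for _ in range(9)]
        if len(set(base)) == 1:
            continue  # would be rejected by the repeated-digit rule
        dv1 = _check_digit(base)
        dv2 = _check_digit(base + [dv1])
        return "".join(str(d) for d in base + [dv1, dv2])


def format_cpf(cpf):
    """Render 11 digits as 000.000.000-00."""
    d = normalize_cpf(cpf)
    if len(d) != CPF_LENGTH:
        raise ValueError("CPF must have 11 digits")
    return f"{d[0:3]}.{d[3:6]}.{d[6:9]}-{d[9:11]}"


if __name__ == "__main__":
    # 111.444.777-35 is a widely used, well-formed example CPF (constructed input).
    print(is_valid_cpf("111.444.777-35"))
    print(format_cpf(generate_test_cpf(seed=42)))
```

A practical use of the validator on the defensive side is in your own login or onboarding forms: rejecting malformed CPFs early keeps garbage out of the database, while accepting that a well-formed number proves nothing about the person typing it.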
Fake Nubank website asks for selfie with ID or CNH
It didn't stop there: the page said that my device was not authorized, so I had to send a selfie with my ID or driver's license (!). I accessed the phishing site twice: on my cell phone, I sent a photo of my desk; on the desktop, I sent an image of the new Xiaomi Mi 10 Pro.
No matter which image you send, the website asks you to send another one, saying: "the photo where you must hold your document next to your face (selfie) must be taken by yourself, without covering your face with the document".
Again, I sent a picture of my desk (on the phone) and the Mi 10 Pro (on the desktop). In both cases, the same message appeared: "Your request for the Nubank verification procedure has been successfully completed".
Nubank recommends using official channels
If you suspect phishing, Nubank makes this suggestion on its official blog: "contact the company through the official service channels or access the page through your browser, and not through the link sent".
The scam page uses the domain nubank.ibacesso(.)digital, registered in December 2019. Since the site appears to be new, Google Chrome does not yet flag it as a scam: normally, the browser displays a red warning in these cases.
In Firefox, I was unable to open the page. I received error 1020 (access denied) with a notice from Cloudflare: "This site is using a security service to protect against online attacks". Easy, right?