Multiple phishing domains impersonating Absher, the Saudi government service portal, have been set up to provide fake services to citizens and steal their credentials.
The discovery comes from cybersecurity researchers at CloudSEK, who published an advisory about the threat on Thursday.
“The threat actors are targeting individuals by sending an SMS, along with a link, urging people to update their information on the Absher Portal,” wrote the security experts. “The phishing website presents users with a fake login portal, compromising the login credentials.”
According to CloudSEK, after the fake ‘login’ action, a pop-up appears on the site prompting for a four-digit one-time password (OTP) sent to the registered mobile number, which is probably used to bypass multifactor authentication (MFA) on the legitimate Absher Portal.
“Any four-digit number is accepted as an OTP without verification, and the victim successfully logs in to the fake portal,” CloudSEK clarified.
Once the fake login process is complete, the user is asked to fill in a ‘registration’ form, divulging sensitive personally identifiable information (PII), and is redirected to a new page where they are prompted to choose a bank. They are then directed to a fake bank login portal designed to steal their credentials.