Group-IB CERT researchers found this phishing scheme and called it PHISLES. They also confirmed that it has been going on since January 2024.
Their investigation found that more than 900 harmful links were sent to people who might have been victims, and at least three major Philippine banks were impersonated. Victims get emails that look real and warn them about unauthorized transactions or logins from devices they don't know about. These messages tell people to click a link and give their bank information. Once a victim types in their username, password, and OTP on a fake banking page, attackers act right away, and money is taken out within minutes.
This campaign works well because it makes clever use of hacked email accounts. These are real email addresses taken from combolists, from stolen credentials traded on dark web forums and Telegram channels, and from other sources.
Bank customers should be wary of emails that seem urgent and should enter their login information only after checking the full URL. They should not use the same passwords for different services and should change their passwords often. They should also turn on multi-factor authentication for all of their accounts. Banks and other financial institutions should use official channels to let customers know about active scam campaigns. Security teams should set up systems that detect unauthorized Referer headers from cloud subdomains on requests that load external banking assets such as images or scripts.
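One way to implement the Referer check recommended above, as an added example that is not from Group-IB's report: it scans web-server access logs in the combined format for bank assets requested with a Referer on a watched cloud-hosting subdomain. The hostnames, suffixes, function names and log lines are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Placeholders (assumptions): use the bank's real hosts and the cloud suffixes you watch.
BANK_HOSTS = {"www.bank.example", "online.bank.example"}
CLOUD_SUFFIXES = (".cloudhost.example", ".apphost.example")
ASSET_EXT = (".png", ".jpg", ".svg", ".ico", ".css", ".js", ".woff2")

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(r'\S+ \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (?P<path>\S+) [^"]*" '
                    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"')

def referer_host(referer):
    """Lower-cased host of a Referer value, '' if absent or unparseable."""
    try:
        return (urlsplit(referer).hostname or "").rstrip(".").lower()
    except ValueError:
        return ""

def is_cloud_subdomain(host):
    # Leading dot forces a label-boundary match ("evilcloudhost.example" fails).
    return host not in BANK_HOSTS and host.endswith(CLOUD_SUFFIXES)

def find_foreign_asset_loads(lines):
    """Counter {(referer_host, asset_path): hits} for assets loaded from cloud pages."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0].lower()   # ignore cache-busting query
        host = referer_host(m["referer"])
        if path.endswith(ASSET_EXT) and is_cloud_subdomain(host):
            hits[(host, path)] += 1
    return hits

# Constructed sample lines (documentation IP ranges, not real traffic).
_FMT = '{} - - [12/Mar/2024:09:15:40 +0800] "GET {} HTTP/1.1" 200 5123 "{}" "Mozilla/5.0"'
SAMPLE = [
    _FMT.format("203.0.113.7", "/static/logo.png", "https://online.bank.example/login"),
    _FMT.format("198.51.100.23", "/static/logo.png?v=3", "https://secure-update.cloudhost.example/verify"),
    _FMT.format("198.51.100.24", "/static/logo.png", "https://secure-update.cloudhost.example/verify"),
    _FMT.format("198.51.100.23", "/static/app.js", "https://SECURE-UPDATE.cloudhost.example./verify"),
    _FMT.format("192.0.2.50", "/static/logo.png", "-"),
]

if __name__ == "__main__":
    print(find_foreign_asset_loads(SAMPLE).most_common())
```

Requests with an empty Referer are not flagged here, so this check complements rather than replaces other monitoring.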
The most troubling discovery was that the domain of a real Philippine school was taken over.
Attackers obtained real SSL certificates and sent all traffic to their own servers without disrupting school operations. Group-IB CERT researchers say that more than 400 people have been affected since January 2024, and the campaign is still going on.
The goal is to get around Secure Email Gateways, which stop links that look suspicious or have a bad reputation. It fooled security tools into believing that everything was okay. This campaign was aimed at a number of specific services. People thought Google Business Profile links were trustworthy, so they were used.








