From Zelle to Your Wallet: The Mechanics of Third-Party Phishing

Over the past year, BlueVoyant’s cyber threat analysts have identified a significant rise in third-party phishing tactics, most notably with a campaign impersonating the Zelle digital payment service. By mimicking a well-known payment site like Zelle, threat actors can evade detection more effectively while collecting credentials and personally identifiable information (PII) from online users of hundreds of financial institutions.  

Third-party phishing is a phenomenon targeting hundreds of global financial institutions using intermediary sites impersonating a brand or entity users trust, before redirecting them to a phishing page. This post will provide an overview of BlueVoyant’s new report, "Intermediary Impersonation: Tracking the Zelle Third-Party Phishing Campaign," which delves into how these phishing campaigns operate, their attack methods, and how to protect against this and similar threats.

The Evolution of Phishing Tactics

First observed in 2023, the Zelle phishing campaign leverages social engineering tactics to lure victims with notifications of pending Zelle transfers. Victims are then prompted to select their financial institutions to receive the funds, increasing the campaign’s credibility and victim cooperation. BlueVoyant’s threat intelligence has observed dozens of Zelle phishing websites since 2023, indicating a targeted approach toward U.S. banking customers. 

Traditionally, phishing websites target users of a single organization, tricking them into inputting sensitive data through fraudulent webpages. However, third-party phishing sites add an extra layer of deception by initially impersonating a service like Zelle, which then redirects victims to a secondary phishing page that mimics their chosen financial institution. This method increases the campaign's reach and effectiveness, as it can target users of multiple financial institutions from a single site. 

Campaign Characteristics and Attack Flow 

BlueVoyant analyzed a phishing kit used in the Zelle third-party phishing campaign to better understand its attack flow. Upon accessing the site, victims are prompted to select their financial institution, after which they are led through several pages collecting various types of data, including: 

• Online banking account credentials (username and password) 
• Email address and password
• Payment card details (card number, accountholder name, expiration date, CVV, PIN)
• Personal details (name, last name, phone number, date of birth, social security number, driver's license number, physical address)

After a successful phishing attempt, victims are redirected to the legitimate Zelle mobile app page in the Google Play Store as a means of obfuscation. 

Further monitoring revealed several variants of the Zelle phishing kit, differing in design and the array of targeted financial institutions. One prominent variation mimics Zelle’s official homepage, listing all the financial institutions offering Zelle as part of their online banking services. Clicking an institution on the phishing site redirects victims to a fraudulent login form to harvest their credentials. 

During our investigation, we identified a GitHub repository used to store elements of the phishing kit, including logos of the targeted financial institutions. The accessibility of such kits on open developer platforms makes this tactic easily replicable for cyber criminals looking to increase the sophistication of their attacks. 

Risk Analysis and Conclusion 

The Zelle third-party phishing campaign introduces an innovative twist to traditional phishing tactics. By using intermediary sites, attackers can target a wider range of potential victims and add a layer of protection against detection. This trend underscores the importance of monitoring cyber threat activity not only targeting an organization’s own domains but also third-party phishing attempts. 

To mitigate these risks, we recommend the following steps: 

1. Be wary of phishing websites impersonating third-party entities. 
2. Educate clients and employees on third-party phishing and encourage them to closely inspect any URL that requires credentials or PII. 
3. Remediate malicious domains using third-party phishing sites quickly to mitigate risk. 
4. Partner with an end-to-end digital risk protection vendor, such as BlueVoyant, to proactively detect third-party phishing campaigns, receive validated alerts, and rapidly take down threats. 

BlueVoyant continues to monitor this Zelle campaign and will alert and take action on any new phishing websites detected as part of this campaign. Download the full report to gain deeper insights into how third-party phishing campaigns operate and how to protect your organization and its customers.