New Phishing Campaign Targets Saudi Government Service Portal

 

Multiple phishing domains imitating Absher, the Saudi government service portal, have been set up to provide citizens with fraudulent services and steal their credentials. CloudSEK cybersecurity researchers made the discovery and published an advisory about the threat on Thursday. 

"The threat actors are targeting individuals by sending an SMS, along with a link, urging people to update their information on the Absher Portal," wrote the security experts. "The phishing website presents users with a fake login portal, compromising the login credentials." 

According to CloudSEK, after the bogus 'login,' a pop-up appears on the site requesting a four-digit one-time password (OTP) sent to the registered mobile number, which is most likely used to bypass multifactor authentication (MFA) on the legitimate Absher Portal. 

"Any four-digit number is accepted as an OTP without verification, and the victim successfully logs in to the fake portal," CloudSEK clarified. 

After completing the bogus login process, the user is prompted to fill out a registration form, revealing sensitive personally identifiable information (PII), before being redirected to a new page where they are asked to select a bank. They are then taken to a bogus bank login portal designed to steal their credentials. 

"After submitting the internet banking login details, a loading icon pops up, and the page gets stuck, while the user banking credentials have already been compromised," the security researchers wrote.

According to CloudSEK, government services in the Saudi region have recently become a prime target for cyber-criminals looking to compromise user credentials and use them to launch additional cyber-attacks.

"Multiple phishing domains have been registered to gain the PII of individuals in Saudi Arabia," the company wrote.

To lessen the impact of these attacks, CloudSEK urged government organizations to monitor phishing campaigns targeting citizens and to inform and educate them about the dangers, such as not clicking on suspicious links. The warning comes just weeks after CloudSEK discovered a separate phishing campaign targeting Saudi KFC and McDonald's customers.
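The monitoring CloudSEK recommends can start with triage of newly observed hostnames for imitations of the brand name. The sketch below is an added example, not code from CloudSEK or this post. The allowlisted host and every sample hostname are constructed placeholders, and the function names are hypothetical.

```python
import re

BRAND = "absher"  # brand keyword taken from the advisory summary above
# Assumption: placeholder allowlist; replace with the portal's real hostnames.
OFFICIAL_HOSTS = {"portal.gov.example"}
# Digit-for-letter swaps often used to imitate a name in a hostname.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})

def edit_distance(a, b):
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    """Return 'official', 'brand-embedded', 'near-miss' or 'unrelated'."""
    host = host.lower().rstrip(".")
    if host in OFFICIAL_HOSTS:  # exact match only, so look-alike parents never pass
        return "official"
    normalized = host.translate(LOOKALIKES)
    # Hyphens are dropped so a split keyword (ab-sher) is still caught.
    if BRAND in normalized.replace("-", ""):
        return "brand-embedded"
    # One-character typos of the brand in any dot- or hyphen-separated label.
    for label in re.split(r"[.-]", normalized):
        if len(label) >= 5 and edit_distance(label, BRAND) <= 1:
            return "near-miss"
    return "unrelated"

def triage(hosts):
    """Keep only the hostnames that need analyst review, with their verdict."""
    verdicts = ((h, classify(h)) for h in hosts)
    return [(h, v) for h, v in verdicts if v in ("brand-embedded", "near-miss")]

# Constructed sample feed (for example, from certificate or DNS registration logs).
SAMPLE_FEED = [
    "portal.gov.example",
    "absher-update.example",
    "4b5her-services.example",
    "abshar-login.example",
    "weather.example",
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_FEED):
        print(f"{verdict:15} {host}")
```

Near-miss matching at edit distance 1 will also flag unrelated short words, so its hits are best treated as review candidates rather than automatic blocks.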