Multiple phishing domains impersonating Absher, the Saudi government service portal, have been set up to provide fake services to citizens and steal their credentials.
The discovery comes from cybersecurity researchers at CloudSEK, who published an advisory about the threat on Thursday.
"The threat actors are targeting individuals by sending an SMS, along with a link, urging people to update their information on the Absher Portal," wrote the security experts. "The phishing website presents users with a fake login portal, compromising the login credentials."
According to CloudSEK, after the fake 'login' action, a pop-up appears on the site prompting a four-digit one-time password (OTP) sent to the registered mobile number, probably used to bypass multifactor authentication (MFA) on the legitimate Absher Portal.
"Any four-digit number is accepted as an OTP without verification, and the victim successfully logs in to the fake portal," CloudSEK clarified.
Once the fake login process is complete, the user is then asked to fill in a 'registration' form, divulging sensitive personally identifiable information (PII), and redirected to a new page where they are prompted to choose a bank. They are then directed to a fake bank login portal designed to steal their credentials.
"After submitting the internet banking login details, a loading icon pops up, and the page gets stuck, while the user banking credentials have already been compromised," the security researchers wrote.
According to CloudSEK, government services in the Saudi region have recently been a prime target for cyber-criminals to compromise user credentials and use them to conduct further cyber-attacks.
"Multiple phishing domains have been registered to gain the PII of individuals in Saudi Arabia," the company wrote.
To mitigate the impact of these attacks, CloudSEK called on government organizations to monitor phishing campaigns targeting citizens and inform and educate them about these dangers, for instance, by telling them not to click on suspicious links.
The advisory comes weeks after CloudSEK discovered a separate phishing campaign targeting KFC and McDonald's customers in Saudi Arabia.