Joachim Capiral

• Tech • Cyber Security • Photography • Stuffs

Advisory: GCash Phishing Emails Spotted


Update: September 6, 2022 - We are still receiving different variants of GCash-related phishing emails. IOCs and email sample screenshots have been uploaded.


On September 4, 2022, we received an email that appeared to be from GCash. Further investigation verified that the email was suspicious and was a phishing email, based on common phishing email characteristics.


The sender's email may have been compromised and used to send phishing emails. The URL in the recipient's account verification email is not associated with GCash and may have been created for phishing purposes.


GCash is one of the most famous and widely used digital wallets in the Philippines, mainly used for payments, bank transfers and other digital transactions. Here in the Philippines, mobile wallets or digital wallets have been booming since the pandemic began as the need for cashless and contactless payment and money transfer options has increased. Along with that, attackers also joined the hype and started crafting phishing emails targeting GCash.


Sample screenshot of the e-mail showing a different sender and a URL not associated with GCash


Screenshot of the suspicious URL, which was made to look like the login page for GCash


As a general rule, always keep an eye on the emails you receive. Check the sender and the URL in the email.
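The URL check can be automated in a mail filter or triage script. The following is an added example, not part of the original advisory: it refangs a reported URL, extracts the real hostname, and compares it against an allowlist. The allowlist entry `gcash.com`, the function names and every sample URL are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: domains treated as genuinely GCash.
TRUSTED_DOMAINS = {"gcash.com"}
BRAND = "gcash"

def refang(url: str) -> str:
    """Undo common defanging (hxxp, [.] and [:]) so the URL can be parsed."""
    url = url.replace("[.]", ".").replace("[:]", ":")
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    return url

def is_trusted_host(host: str) -> bool:
    """True only when host is a trusted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def assess(url: str) -> dict:
    """Report the real host of a URL and why it should not be trusted."""
    parts = urlsplit(refang(url))
    host = parts.hostname or ""
    trusted = is_trusted_host(host)
    reasons = []
    if not trusted:
        reasons.append("host is not a trusted GCash domain")
        if BRAND in host:
            reasons.append("brand name inside an untrusted hostname (look-alike)")
        if BRAND in parts.path.lower():
            reasons.append("brand name appears only in the URL path")
        if parts.username or parts.password:
            reasons.append("userinfo before '@' hides the real host")
    return {"host": host, "trusted": trusted, "reasons": reasons}

# Constructed sample URLs (not taken from the advisory).
SAMPLES = [
    "https://m.gcash.com/login",
    "hxxps[:]//gcash-verify[.]example/",
    "hxxps[:]//shop[.]example/files/m.gcash.com/login/",
    "https://gcash.com.account-check.example/",
    "https://m.gcash.com@login.example/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", assess(sample))
```

A match on the allowlist only says the link points at the expected domain; the sender address still has to be checked separately.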


IOCs:




Email samples:







