A highly targeted phishing campaign is currently aimed at Pocket Card users, using elaborate, deceptive emails that appear to originate from the legitimate financial service provider. Active since early March 2025, the campaign has already compromised an estimated 3,000 accounts, leading to unauthorized transactions and credential theft. The attackers use convincing Pocket Card branding, accurate formatting, and contextually relevant messages to lure victims into clicking on malicious links or opening seemingly harmless attachments.
The attack primarily involves emails disguised as security alerts, transaction confirmations, or account verification notices. These emails urge recipients to review suspicious activity or verify their credentials by clicking on embedded links that redirect them to carefully crafted phishing websites. The phishing pages are nearly identical to Pocket Card’s legitimate authentication portal and are served over HTTPS with valid certificates, so the browser shows a padlock icon that misleads users into believing the site is safe.
Security researchers at Broadcom discovered the campaign after detecting a surge in credential harvesting attempts targeting financial service users. Their analysis revealed that the attackers employ a multi-stage payload delivery system designed to bypass traditional email security filters. A key technique used is domain typosquatting, where attackers register lookalike domains such as “pocket-card-secure.com” and “pocketcard-verification.net” to make their phishing sites appear more legitimate.
Infection Mechanism Analysis
The infection process begins when victims click the malicious link, triggering a JavaScript-based redirect chain that ultimately leads to the phishing page. While the phishing site captures login credentials, a hidden background process simultaneously installs a malicious browser extension through a drive-by download technique. This extension acts as a formgrabber, collecting additional authentication details across multiple financial websites. Further, a deobfuscation routine executes additional malicious code, which exfiltrates stolen credentials via encrypted channels to command-and-control servers, making detection particularly difficult for security software.
This highly sophisticated phishing campaign poses an evolving threat to financial service customers, combining social engineering tactics with advanced technical evasion techniques. To mitigate risks, users should always verify communications through official channels and enable multi-factor authentication (MFA) wherever possible to add an extra layer of security against credential theft.