A highly targeted phishing campaign is currently exploiting Pocket Card users through elaborately crafted emails that appear to originate from the legitimate financial service provider.
The campaign, active since early March 2025, has already compromised an estimated 3,000 accounts, resulting in unauthorized transactions and credential theft.
The malicious actors behind this attack employ convincing Pocket Card branding, accurate formatting, and contextually relevant messaging to trick recipients into interacting with seemingly benign attachments or embedded links.
The attack vector primarily leverages emails purporting to be security alerts, transaction confirmations, or account verification notices.
These messages prompt users to review suspicious activity or verify their credentials by clicking on embedded links that redirect to meticulously designed phishing pages.
The landing pages are nearly indistinguishable from the official Pocket Card authentication portal and are served with valid SSL certificates, so the browser shows the padlock icon that many users take as a sign of security.
Broadcom researchers noted the campaign after observing a spike in credential harvesting attempts targeting financial services customers.
Their analysis revealed that these attacks use a sophisticated multi-stage payload delivery system designed to bypass traditional email security filters.
The researchers noted that the campaign employs domain typosquatting, with URLs such as “pocket-card-secure.com” and “pocketcard-verification.net” to enhance legitimacy.
The infection process begins when victims click the malicious link, triggering a JavaScript-based redirect chain that ultimately loads the phishing page.
This page captures credentials while simultaneously launching a background process that installs a browser extension through a drive-by download technique.
The extension functions as a formgrabber, harvesting additional authentication details across multiple financial websites.
The core of this attack lies in the obfuscated JavaScript that dynamically loads content while evading detection:

```javascript
// Decoder: undo a single-byte XOR (key 7) applied to every character,
// then run the result through the legacy escape/decodeURIComponent UTF-8 trick.
function dL(s) {
  var r = "", a = s.split(""), n = a.length;
  for (var i = 0; i < n; i++) {
    r += String.fromCharCode(a[i].charCodeAt(0) ^ 7);
  }
  return decodeURIComponent(escape(r));
}
// The real logic never appears in the static source: the encoded literal is
// decoded at run time and handed straight to eval.
var payload = dL("mpjl<@xizp+vjvmt(kwpn)pnqvam3&^\\p}6:}");
eval(payload);
```
This deobfuscation routine unpacks additional malicious code that performs the credential exfiltration through encrypted channels to command and control servers, making detection particularly challenging for security solutions.
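For analysts triaging a script of this shape, the added example below (not code from the article or from Broadcom) statically recovers the hidden string and flags the XOR-to-eval pattern without ever executing the payload. The sample script it analyses is constructed here with a benign payload; the key value and the `var name = fn("...")` call shape are assumptions matching the snippet above.

```javascript
// Added example: static recovery of an XOR-keyed string loader, no eval.

// XOR every character with a single-byte key (symmetric, so it also encodes).
// The loader's escape/decodeURIComponent step is a UTF-8 decode that is a
// no-op for ASCII, so it is skipped here.
function xorDecode(s, key) {
  let out = "";
  for (const ch of s) out += String.fromCharCode(ch.charCodeAt(0) ^ key);
  return out;
}

// Extract the key, the encoded literal, and whether the result feeds eval.
// Returns null when the script does not match the loader shape.
function analyseLoader(script) {
  const keyMatch = /charCodeAt\(0\)\s*\^\s*(\d+)/.exec(script);
  // var <name> = <fn>("<literal>");  the literal may contain \" and \\
  const callMatch = /var\s+\w+\s*=\s*\w+\(\s*"((?:[^"\\]|\\.)*)"\s*\)/.exec(script);
  if (!keyMatch || !callMatch) return null;
  const key = Number(keyMatch[1]);
  // Resolve the literal's escapes the way the engine would (JSON is a subset).
  const literal = JSON.parse('"' + callMatch[1] + '"');
  return {
    key,
    usesEval: /\beval\s*\(/.test(script),
    decoded: xorDecode(literal, key),
  };
}

// Constructed sample: a benign payload packed the same way as in the article.
const SAMPLE_PAYLOAD = "console.log('benign sample')";
function buildSample() {
  const packed = JSON.stringify(xorDecode(SAMPLE_PAYLOAD, 7)); // quoted, escaped
  return [
    "function dL(s) {",
    '  var r = "", a = s.split(""), n = a.length;',
    "  for (var i = 0; i < n; i++) {",
    "    r += String.fromCharCode(a[i].charCodeAt(0) ^ 7);",
    "  }",
    "  return decodeURIComponent(escape(r));",
    "}",
    "var payload = dL(" + packed + ");",
    "eval(payload);",
  ].join("\n");
}
```

A detection rule can key on the same two features, `charCodeAt(0) ^ <n>` inside a `fromCharCode` loop and a decoded value passed to `eval`, while the recovered string goes to a sandbox or a further deobfuscation pass.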
This sophisticated phishing campaign represents an evolving threat to financial service customers, combining social engineering with advanced technical evasion techniques.
Users should verify all communications through official channels and enable multi-factor authentication where available.