Recently, a page has been circulating on social media with the domain retirofclgocr.com, which was created by cybercriminals with the purpose of extorting people into providing their sensitive personal data and extracting their FCL. As the Judicial Investigation Agency (OIJ) has warned on multiple occasions, false information about the withdrawal of the Labor Capitalization Fund (FCL) is currently circulating.
The page retirofclgocr.com was created on May 10th for this sole purpose, and thanks to open-source intelligence (OSINT) it is possible to verify domain information and realize that it belongs to a group of individuals with malicious intent and not to the government of Costa Rica.
Analysis:
Within the domain information found, it is possible to see highlighted information about an individual named Gabriel, located in the province of Puntarenas. Seeing this, we can infer that the person who created said page is from Costa Rica, as it contains personal information of other individuals from the region. It should be noted that in most cases, this information does not belong to the perpetrator, but is rather personal information of another individual, entered solely for the purpose of masking the origin and identity of the perpetrator.


This information is publicly available and can be obtained through WHOIS records. Keep in mind that registrant information is often protected, as is the case with the domain to which the request is redirected, supengocr.com.
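The WHOIS checks described above can be scripted. The following is an added example, not part of the original analysis: the record is constructed, the function names are hypothetical, and it assumes ISO-format creation dates and that official Costa Rican government sites sit under `.go.cr`.

```python
from datetime import date, datetime

# Constructed WHOIS-style record (illustrative values, not a real lookup result).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-FCLGOCR.COM
Creation Date: 2020-05-10T14:02:11Z
Registrar: Example Registrar, Inc.
Registrant Name: REDACTED FOR PRIVACY
Registrant State/Province: Puntarenas
Registrant Country: CR
"""

PRIVACY_MARKERS = ("redacted", "privacy", "proxy", "protected")

def parse_whois(text):
    """Map lowercased field name -> first value from 'Key: Value' lines."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), value.strip())
    return fields

def assess(text, today, official_suffix=".go.cr", max_age_days=90):
    """Return a list of findings; empty when the domain is under official_suffix."""
    f = parse_whois(text)
    domain = f.get("domain name", "").lower()
    if domain.endswith(official_suffix):
        return []
    findings = ["not under " + official_suffix]
    # Heuristic (assumption): the label copies the suffix without dots, e.g. "...gocr.com".
    if domain.rsplit(".", 1)[0].endswith(official_suffix.replace(".", "")):
        findings.append("label imitates " + official_suffix)
    created = f.get("creation date")
    if created:
        age = (today - datetime.strptime(created[:10], "%Y-%m-%d").date()).days
        if age <= max_age_days:
            findings.append(f"registered {age} days before check")
    registrant = f.get("registrant name", "").lower()
    if any(marker in registrant for marker in PRIVACY_MARKERS):
        findings.append("registrant hidden by privacy service")
    elif registrant:
        findings.append("registrant listed but unverified")
    return findings

if __name__ == "__main__":
    for finding in assess(SAMPLE_WHOIS, today=date(2020, 7, 28)):
        print("-", finding)
```

A listed registrant is reported as unverified rather than trusted because, as noted above, the name in the record often belongs to someone other than the perpetrator.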
Upon entering the page, it allows us to use different functions: 3 forms focused on collecting personal data and a banks tab that serves the same function as the FCL withdrawal button:


This function uses the HTTP POST method, which sends our data in the body of the request rather than in the URL (hence "hidden") when the web form is submitted; this submission is then supplemented by the information the page requests in the following stages:


After this, it redirects us to another form where it requests our email address and the site's cryptographic key or token.


You can view a copy of the site at the following link: https://web.archive.org/web/20200728032856/https://supengocr.com/. Web Archive is an initiative created to store static copies of websites, preserving them once they go offline. You can view this site for research or curiosity purposes.
In summary, perpetrators today are digitalizing their methods of manipulation and extraction of personal information from unsuspecting people who provide their personal data and sensitive information without first verifying whether said data is being requested from a trustworthy source.
As recommendations, it is important that you and your organization educate yourselves about these methods of extortion and information extraction, not only to protect yourself but to protect others and educate those close to you to be more discerning, to avoid and report such incidents so they can be properly handled at the national level. Also learn to identify these sites, whether by consulting an expert or taking the time to investigate before providing sensitive data.
If you find any of these, do not hesitate to send us the information at [email protected] to report them properly and protect others from these extortion attempts.
