DigiD phishing attacks, this is how criminals do it

Published by Reza Rafati on

Threat actors and cybercriminals are abusing the brand of DigiD to lure unaware users into fraudulent forms that only have one goal; to steal the credentials of the victims so they can be abused in the (near) future.

Phishing remains to be one of the lucrative ways a cybercriminal can make money. The phishing attacks when compared to the last decade have not changed in lay out, but the team structure that works on these attacks has changed.

We are seeing that these attacks are often performed by multiple persons that work together to setup the full campaign. The responsibilities can be such as:

  • Getting the phishingkit
  • Setting up the phishingkit
  • Setting up the hosting environment
  • Setting up the URL shorteners
  • Sending out the (SMS) messages
  • Accessing the stole accounts
  • Retrieving money from the stolen accounts
  • Move/spend the stolen money for goods or services

Dutch police

The Dutch police is very active in hunting these criminals down. Almost every week we can see on the official site of The Dutch police that they have arrested a group of young people that are performing these types of phishing attacks. A couple of weeks ago, the Dutch police also reported that influencers are being used by cybercriminals to use the influencers network to spread and setup these phishing attacks. That specific influencer was invited for a nice talk with the Dutch police.

DigiD attacks

When we take a look at the attacks aimed at the brand of DigiD, we can see that the criminals are using this brand and other famous banking brands to have as much as impact as possible. Instead of just posting 1 specific bank login, the criminals create or use phishingkits that have a wide range of banking login forms from various brands.

One of the phishing landing pages showing the wide range of banks that are being abused in the attack.

Once a victim clicks on one of these bank buttons, it will be redirected to another “fake” login page of the selected bank. In this window, the cybercriminals try to obtain the credentials of their victims.

Messages sent out to potential victims

The Netherlands has seen a rise in malicious SMS messages and Whatsapp messages that are being sent towards potential victims. Most of these messages contain an URL shortened link which lead to the phishing landing page once clicked.

One of them is for example:

Malicious URL shortened link

Another method that is widely used is the “hello mom/dad” message, which is used by the cybercriminals to convince parents / elders to add a new phone number as the old phone number of their relative or child has changed. The criminal will then follow-up with a fake story about needing funds. The main goal in this attack is to convince the elder / parent to send money from their bank to another bank account. This in short, is called an social engineering attack.


As always, only use your official banking site when banking, or use the official application. If someone asks you to send money (familiar person), always try to call them first and hear them out. Most likely you will directly notice that the person is not picking up, or is picking up with a different voice. When it comes to money, never rush.

Share this information
Categories: Cybercrime

Reza Rafati

Founder of Cyberwarzone.com.