Peruvian Scam Steals Card Details with Fake Loan Apps

Summary
– A large-scale loan phishing operation in Peru impersonates financial institutions using polished social engineering to steal card numbers and PINs from victims.
– The scam uses targeted social media ads to direct users to fake loan application sites that filter entries to collect only usable financial credentials.
– The phishing process uses staged verification, including a deliberately broken facial recognition option, to build trust, and validates card numbers with the Luhn algorithm.
– While primarily targeting Peru, the campaign has expanded across Latin America, impersonating banks in Colombia, El Salvador, Chile, and Ecuador.
– Security recommendations include customer education, stronger digital monitoring, multi-factor authentication, and regional collaboration to counter such threats.
A sophisticated financial fraud scheme operating in Peru has been exposed, revealing a methodical campaign where criminals use deceptive loan applications to harvest credit card numbers and personal identification numbers from victims. This operation highlights a dangerous trend of blending polished social engineering with technical validation to efficiently steal monetizable banking credentials.
Active since the beginning of 2024, the campaign expertly impersonates reputable banks and lenders. Its effectiveness lies in a multi-stage verification process that filters out fake data, ensuring criminals only collect high-quality, usable financial information. Cybersecurity analysts at Group-IB have traced the scheme to at least 16 domains pretending to be a major Peruvian bank, with roughly 370 unique domains connected to the overall network.
The scam typically originates with ads on social media platforms, promoting quick and easy loan approvals. Researchers identified about 35 distinct advertisements circulating between 2024 and 2025. Clicking an ad directs users to a fraudulent website that is a near-perfect replica of a legitimate financial institution’s loan portal.
The first step asks for a national identification number. The site performs a basic check on the number’s format, accepting any entry that appears valid. This initial “success” is a psychological trick, making the process seem authentic and encouraging the user to proceed further.
The scam employs a staged verification system designed to build false trust. After entering their ID, users see personalized loan offers and provide contact details like phone numbers and email addresses, which undergo minimal scrutiny. The scheme then presents a critical choice for identity confirmation: facial recognition or bank card validation.
The facial recognition option is intentionally non-functional and always fails, steering victims toward the only remaining path: entering their card details. Here, the technical precision of the scam becomes clear. Card numbers are validated in real time using the Luhn algorithm, a standard checksum formula for checking the validity of credit card numbers. This step filters out mistyped or made-up numbers, so only card details that could belong to a real card move forward.
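To make concrete what a Luhn check does and does not establish, here is an added Python example (not code from the Group-IB report or from the phishing sites). The function names and all sample values are constructed for illustration.

```python
"""Luhn mod-10 check: what a checksum-only filter keeps and drops."""


def luhn_valid(number: str) -> bool:
    """True if `number` (digits, optional spaces or hyphens) passes Luhn."""
    compact = number.replace(" ", "").replace("-", "")
    if len(compact) < 2 or not (compact.isascii() and compact.isdigit()):
        return False
    total = 0
    for i, ch in enumerate(reversed(compact)):
        d = int(ch)
        if i % 2 == 1:      # every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9      # equals the digit sum of the doubled value
        total += d
    return total % 10 == 0


# Constructed sample inputs; none is a real account number.
SAMPLES = {
    "4111 1111 1111 1111": "widely published test number",
    "4111 1111 1111 1112": "same number with one digit mistyped",
    "1234 5678 9012 3456": "keyboard-run junk",
    "4000 0000 0000 0903": "constructed, checksum-consistent",
    "4000 0000 0000 9003": "previous entry with adjacent 0 and 9 swapped",
}


def passes_filter(entries):
    """Entries that a Luhn-only filter would keep."""
    return [e for e in entries if luhn_valid(e)]


if __name__ == "__main__":
    for number, note in SAMPLES.items():
        verdict = "kept" if luhn_valid(number) else "dropped"
        print(f"{number}  {verdict:7}  {note}")
```

The check drops the typo and the junk entry but keeps the published test number, so passing it says nothing about whether a card was ever issued. It also cannot detect a swapped adjacent 0 and 9, because those two digits contribute the same amount to the sum in either position.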
Once a card passes this check, the victim is prompted to surrender the most sensitive data: online banking passwords and the card’s 6-digit PIN. At this juncture, the stolen credentials are complete and ready for criminals to monetize through fraudulent transactions or sales on the dark web.
While the primary focus has been Peru, the operation’s infrastructure supports impersonation of financial brands in other Latin American countries, including Colombia, El Salvador, Chile, and Ecuador. This regional expansion demonstrates the scalable and adaptable nature of the threat.
Group-IB emphasized that this blend of psychological manipulation and technical filtering requires a robust defensive response. They advise financial institutions to prioritize customer education on identifying suspicious loan offers, enhance digital risk monitoring systems, implement layered security defenses like multi-factor authentication, and participate in threat intelligence sharing with other organizations.
For individual consumers, vigilance is key. Always use official banking channels and meticulously verify website URLs before entering any information. Never share sensitive details like full card numbers, CVV codes, or online banking passwords through unsolicited links or unfamiliar platforms.
The report also calls for action from regulators and policymakers, suggesting that fostering regional collaboration, supporting public awareness campaigns, and holding digital advertising platforms accountable for hosting fraudulent ads are essential steps in combating these evolving scams.
(Source: InfoSecurity Magazine)
