A sophisticated wave of digital fraud is sweeping through Peru, targeting vulnerable individuals with the promise of easy money, only to strip them of their financial credentials. A new report from Group-IB reveals a technically mature phishing campaign that exploits the desperation of those seeking loans, marking a significant escalation in regional cybercrime.
The operation, which mirrors similar schemes seen in Brazil, relies on a potent mix of psychological manipulation and technical precision.
The campaign begins not with a suspicious email, but with targeted advertisements on social media. These ads lure victims to professionally designed websites impersonating one of Peru’s leading banks.
“Crossing the Andes, we found ourselves in the digital valleys of Peru, where a new variation of the loan scam awaited us,” the report begins. “Much like the schemes in Brazil, these operations played on hope and desperation, luring victims with promises of financial relief”.
Once a user clicks through, they are presented with a “seemingly legitimate loan application process”. But instead of approving credit, the site is designed for one purpose: harvesting valid credit card numbers and PIN codes.
What sets this campaign apart is the attackers’ refusal to accept “junk” data. They have implemented client-side validation scripts to ensure they only steal usable credentials.
According to Group-IB, “They used the Luhn algorithm to check the validity of entered credit card numbers, ensuring scammers only deal with high-quality credentials”.
This algorithm—a standard checksum formula used to validate a variety of identification numbers—allows the scammers to filter out mistyped or fake numbers in real time. This “reduces noise for the scammers” and ensures that every stolen card has a higher probability of being monetized.
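The Luhn (mod 10) check the report refers to, as an added example that is not code from Group-IB's report or from the phishing kit itself: this is the same checksum that legitimate payment forms run in the browser, which is why its presence on a page says nothing on its own about the site's intent. Function names, the length bounds and the sample inputs below are assumptions chosen for illustration; the sample numbers are publicly documented test values, not real cards.

```javascript
// Added example: a standard Luhn (mod 10) checksum validator, written to show
// the check described in the report. It is ordinary payment-form logic, not
// code from the campaign or from Group-IB. Names and bounds are assumptions.

// Return true when the digit string passes the mod-10 checksum.
function luhnValid(input) {
  // Tolerate spaces and dashes as users type them; reject anything else.
  const digits = String(input).replace(/[\s-]/g, "");
  if (!/^\d{12,19}$/.test(digits)) return false;

  let sum = 0;
  let double = false;
  // Walk from the rightmost digit, doubling every second digit and folding
  // two-digit products back to a single digit (18 -> 9).
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Classify a typed value the way a client-side validation script would, so the
// reader can see which inputs such a script discards as "noise" before any
// submission happens.
function classifyCardInput(input) {
  const digits = String(input).replace(/[\s-]/g, "");
  if (!/^\d+$/.test(digits)) return "not-numeric";
  if (digits.length < 12 || digits.length > 19) return "bad-length";
  return luhnValid(digits) ? "luhn-pass" : "luhn-fail";
}

// Constructed sample inputs (documented test numbers, not real cards).
const SAMPLE_INPUTS = [
  "4111 1111 1111 1111", // classic Visa test number, Luhn-valid
  "4111111111111112",    // last digit mistyped, Luhn-invalid
  "1234567890123456",    // arbitrary digits, Luhn-invalid
  "4111 1111 111",       // too short to be a card number
  "4111 1111 1111 111a", // non-numeric character
];

// Pair each sample with its classification; returned (not only printed) so
// it can be checked programmatically.
function summarize() {
  return SAMPLE_INPUTS.map((v) => [v, classifyCardInput(v)]);
}

console.table(summarize());
```

A practical consequence for defenders reviewing a suspicious page: a Luhn routine next to a card-number field is expected and not itself an indicator, whereas a form that validates the card number this carefully and then asks for the PIN, which no legitimate loan application needs, is the combination worth flagging.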
The technical architecture of the scam reveals a scalable and modular operation. The attackers utilize a custom JavaScript function, gegsdfgsh(), to map numeric inputs to specific Spanish-language themes like mi-prestamo-nacion (my national loan) or dineroalinstante (instant money).
“These endpoints reinforce the illusion of legitimacy and suggest a modular backend capable of simulating multiple loan brands or services,” the researchers noted.
Furthermore, the scripts are strategically placed in temporary subdirectories like /temp/js/, indicating an infrastructure designed for rapid deployment and easy reconfiguration across multiple campaigns.
The scale of the operation is growing. Group-IB has identified “approximately 370 unique domains” linked to this fraud campaign since 2024. While the focus began in Peru, the threat actors are already expanding their targets to financial institutions in other Latin American countries.
As the report concludes, this is no longer amateur hour. “Phishing operations in Peru, particularly those tied to fake loan offerings, demonstrate increasing technical maturity”. By combining social engineering with robust code, these scammers have turned financial desperation into a streamlined business model.