Sensitive financial information is always a lucrative target for cybercriminals, and threat actors often use advanced techniques in their phishing campaigns to harvest victims’ banking data. A recent investigation by Cyber Peace Foundation, an India-based think tank of cybersecurity and policy experts, revealed that threat actors are targeting users with the malicious URL “http://204.44.124[.]160/ITR,” asking them to apply for the disbursement of an income tax refund. When clicked, the link redirects users to a fake income tax e-filing web page that tricks them into entering personal information.
Attackers duplicated the layout and features of the official income tax website on their phishing page to trick unwitting users.
Multiple Banks on Target
According to Cyber Peace, the targeted banks in this phishing campaign include the State Bank of India, HDFC, ICICI, Axis Bank, and Punjab National Bank. “The campaign is collecting personal as well as banking information from the user and getting into this type of trap could cause a massive financial loss for the users,” Cyber Peace said.
Hackers Operating from Abroad
The fraudulent links were found to originate from servers in the U.S. and France. The SMS carrying the malicious link points to a bare IP address rather than a domain name and has no connection to the Indian government.
“All IP addresses associated with the campaign belong to some third-party dedicated cloud hosting providers. The whole campaign uses a plain HTTP protocol instead of secure HTTPS. This means anyone on the network or internet can intercept the traffic and get the confidential information in plain text to misuse against the victim,” Cyber Peace added.
How are users phished?
- If a user clicks on the fake link, it redirects to a landing page that closely imitates the government income tax e-filing website.
- Upon clicking the “Proceed to the verification steps” option, users are asked to submit personal details such as full name, PAN, Aadhaar number, contact details, address, PIN code, date of birth, email address, gender and marital status, along with bank details such as account number, IFSC code, card number, expiry date, CVV/CVC and card PIN.
- Once the user submits the required data, the page asks them to confirm the entered data.
- On clicking the confirm option, the user is redirected to a fake banking login page mimicking the legitimate one, which asks for the username and password for online banking.
- Once submitted, a mobile verification section appears with instructions to download an Android application (.apk file) to complete the ITR verification.
- Users are asked to grant all device permissions to this .apk application.
- The .apk file starts downloading when the download link is clicked; once installed, the application exfiltrates sensitive data from the victim’s device.
Since this phishing campaign uses plain HTTP, requests and responses travel in clear text and can be read by anyone able to observe the traffic on the path between the victim and the server, not only by the attackers.
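The indicators described above (a bare IP address instead of a domain, plain HTTP, a tax-refund lure, and a pushed .apk download) are easy to turn into a triage rule for SMS messages. The following Python script is an added example written for this article, not code from Cyber Peace Foundation or any product; the indicator names, the scoring rule and the sample messages are all assumptions made here for illustration. The only value taken from the report is the defanged IOC 204.44.124[.]160; the SMS wording around it and the other addresses (TEST-NET ranges and example domains) are constructed.

```python
"""Heuristic triage of SMS-delivered URLs using the indicators from the article.

Added example, not part of the original report. Indicator names and the
scoring rule are assumptions chosen here; they are not a vendor's detection logic.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample messages. Only the IP in the first one comes from the
# report; the wording is invented. 203.0.113.0/24 is a documentation range.
SAMPLE_SMS = [
    "Dear taxpayer, your income tax refund is approved. Apply at hxxp://204.44.124[.]160/ITR",
    "To complete ITR verification install the app: http://203.0.113.9/ITR/verify.apk",
    "Income Tax Dept: file your return at https://efiling.example.gov/",
    "Lunch at 1? http://example.com/menu",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
LURE_RE = re.compile(r"\b(itr|refund|verification|e-filing|income tax)\b", re.IGNORECASE)


def refang(text):
    """Undo common defanging so IOCs pasted from a report can be parsed."""
    return text.replace("hxxp", "http").replace("[.]", ".")


def extract_urls(text):
    """Return the URLs in a message, with trailing sentence punctuation removed."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(refang(text))]


def is_ip_literal(host):
    """True when the host part is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score_url(url, message):
    """Return the list of indicator names that a URL (in context) trips."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    hits = []
    if parsed.scheme.lower() == "http":
        hits.append("plain_http")          # credentials would travel in clear text
    if is_ip_literal(host):
        hits.append("ip_literal_host")     # no domain, as in the campaign's SMS
    if parsed.path.lower().endswith(".apk"):
        hits.append("apk_download")        # sideloaded Android app at the end of the flow
    if LURE_RE.search(refang(message)):
        hits.append("tax_refund_lure")     # ITR / refund / verification wording
    return hits


def classify(message):
    """Classify one SMS body. Returns (verdict, {url: [indicators]}).

    Assumed rule: suspicious when a URL has at least two indicators, one of
    which is an IP-literal host or an .apk download. Plain HTTP alone, or a
    tax-related message alone, is not enough on its own.
    """
    results = {url: score_url(url, message) for url in extract_urls(message)}
    flagged = any(
        len(h) >= 2 and ("ip_literal_host" in h or "apk_download" in h)
        for h in results.values()
    )
    return ("suspicious" if flagged else "ok"), results


if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        verdict, details = classify(sms)
        print(f"{verdict:10s} {sms}")
        for url, hits in details.items():
            print(f"           {url} -> {', '.join(hits) or 'none'}")
```

The rule is deliberately conservative: plain HTTP by itself still appears on plenty of harmless links, so it only raises the score, while an IP-literal host or a direct .apk download combined with any second indicator is what flags a message. A real deployment would also check the resolved hosting provider and the certificate (where any) against the institution being imitated.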