Earn Money online SMShing campaign targets Indian netizens
Happy New Year 2022 to all Netizens!
While we are still making New Year resolutions and shiny promises to ourselves to make our lives better, cyber criminals are actively targeting Indian netizens and luring them with instant personal loans, business loans, free cashback for playing games, etc., so that they can collect PII (Personally Identifiable Information) and use this information to compromise users’ financial data.
Our researchers have received 30+ SMShing (phishing SMS) messages since January 1, 2022, and the campaign is still ongoing.



Initial Analysis
Upon receiving these text messages, we identified that each message was sent from a “unique mobile number”, and that the content relies on “attractive offerings” and “urgency” to persuade users to click on the link and perform actions such as “verify email”, “download the app”, “verify the details”, “check loan status”, “withdraw the amount”, etc.

Drill Down
The spike in SMS messages clearly shows the intention of the cyber criminals: they want their potential victims to click on the URL and get phished! We started our investigation by analysing the URLs first and found that all of them redirect to a website called “www.mailrupee.com”.


Mailrupee.com is a website that claims “you can earn money online from home”. The platform also claims everyone can get paid for checking each promotional email from the mailrupee.com portal.
The website (www.mailrupee.com) under investigation is hosted on the IP address 62.171.137.2, which is located in Nuremberg, Germany. We further noted that this IP address is also actively hosting multiple spamming/phishing domains.



During the investigation, we also noted that the URL (https://www.mailrupee[.]com) has an ‘https’ prefix, which means that all communications between your browser and the website you are visiting are encrypted. However, we found that the credentials entered on the website are visible in clear text. This is very risky, as a user might blindly enter their secure credentials on the website, thinking that because it is ‘https’ their data is secured, when it is otherwise.

We tried to sign up on the website (https://www.mailrupee[.]com) using dummy credentials. Boom! We were able to create a user account, and the website landed us on a dashboard showing a popup stating “Participate in 12 inbox emails and earn ₹12,310” (on the right-hand side of the screen). Along with that, there were 12 unread messages with various amounts and a link to participate. Clicking on “Click here to Participate” took us to other ad-based websites, but we still did not receive the claimed amount in the wallet.
In the end, we were able to conclude with moderate confidence that the website (www.mailrupee[.]com) is used for spamming users and collecting user credentials and personal information.
Conclusion
There is a high chance that cybercriminals have built these websites to gather critical information and PII (Personally Identifiable Information) from users. The stolen credentials or information could be used by cyber criminals to conduct other malicious activities such as:
- Brute Forcing — using stolen credentials on users’ email and social media accounts.
- Subscription Frauds — using stolen personal information to impersonate the victim.
Lessons Learnt
We have listed some essential best practices that form the first line of control against these types of fraudulent attempts. We recommend that our readers follow the best practices given below:
- Do not panic when you receive these kinds of messages. Verify all the sender details before trusting a message that asks you for any personal information.
- Avoid clicking on any links that you receive through SMS, as these URLs might be harmful.
- Look for attractive offerings and urgency in the message received, such as “verify email”, “download the app”, “verify the details”, “check loan status”, “withdraw the amount”, etc., to avoid falling for the fraudsters’ lure.
- Check the relevance of the text messages you receive, as some are irrelevant and might persuade you to click on the links in them.
- Use a DND subscription to block irrelevant messages. Also report any unsolicited messages to your Telecom Operator or Authority.
Observables
- 62.171.137[.]2
- 185.177.59[.]153
- 167.86.93[.]184
- hxxps://www[.]mailrupee[.]com
- hxxp://2nvr[.]com
- hxxps://www.newspoint[.]in
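The lure phrases and observables above can be turned into a simple triage check for incoming SMS text. The following is an added example, not code from the original post: the function names, the "lure phrase plus any link" rule and the sample messages are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Observables as published on this page (defanged).
OBSERVABLES = [
    "62.171.137[.]2", "185.177.59[.]153", "167.86.93[.]184",
    "hxxps://www[.]mailrupee[.]com", "hxxp://2nvr[.]com",
    "hxxps://www.newspoint[.]in",
]
# Lure phrases quoted in the article.
LURES = ["verify email", "download the app", "verify the details",
         "check loan status", "withdraw the amount"]
# Full URLs, or bare domains such as "short.example/abc" typical of SMS text.
URL_RE = re.compile(r"https?://\S+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b(?:/\S*)?", re.I)

def refang(text):
    """Undo common defanging (hxxp, [.]) so values can be compared."""
    return re.sub(r"\bhxxp(s?)://", r"http\1://", text.replace("[.]", "."), flags=re.I)

def host_of(value):
    """Lowercase host of a URL, bare domain or IP, with a leading 'www.' dropped."""
    value = refang(value.strip()).rstrip(".,;:!?)")
    if "://" not in value:
        value = "http://" + value
    try:
        host = (urlsplit(value).hostname or "").rstrip(".").lower()
    except ValueError:  # malformed bracketed host
        return ""
    return host[4:] if host.startswith("www.") else host

BLOCKED_HOSTS = {host_of(o) for o in OBSERVABLES}

def triage_sms(text):
    """Report lure phrases, linked hosts and observable matches for one SMS."""
    lowered = " ".join(text.lower().split())
    lures = [p for p in LURES if p in lowered]
    hosts = [h for h in map(host_of, URL_RE.findall(refang(text))) if h]
    # A host matches if it equals an observable or is a subdomain of one.
    hits = sorted({b for h in hosts for b in BLOCKED_HOSTS
                   if h == b or h.endswith("." + b)})
    return {"lures": lures, "hosts": hosts, "observable_hits": hits,
            "suspicious": bool(hits) or bool(lures and hosts)}

# Constructed sample messages (not taken from the campaign).
SAMPLES = ["Loan approved! Check loan status: http://2nvr.com/aB3x",
           "Your OTP is 482913. Do not share it with anyone."]
if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage_sms(sms))
```

Matching is done on the host only, so a shortened link is caught only if the shortener itself is listed; resolving redirects safely is outside the scope of this check.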
About Us
Security Chronicle is a team of independent security researchers and a dedicated platform to educate netizens and make them aware of #security #risks & #threats.