KYC SMShing campaign targeting SBI customers
Online fraud, or e-crime, has become a lucrative business for cybercriminals in today's digital and remote-working environment, as it often yields stolen personally identifiable information. "Update your KYC" and "Link your Aadhaar" are the common hooks cybercriminals use to lure netizens.
After our Twitter alert on the KYC SMShing campaign, one of our followers notified us about a similar suspicious SMS, which they received on 20/Dec/2021.


Upon receiving the notification from the follower, our researchers quickly analysed the SMS and recorded their findings in this post:



Dissecting the URL
We first analysed the shortened URL (https[:]//bit[.]ly/3FddmS1) contained in the SMS and found that it redirects to a fake SBI net banking login page (http[:]//onlinenow[.]co[.]in/), which closely resembles the genuine SBI login page.
The URL under investigation (http[:]//onlinenow[.]co[.]in/) is hosted on the IP address 184.168.114.89. We further noted that this IP address is actively hosting multiple other fake SBI net banking login pages.


Cybercriminals have designed these websites to harvest users' credentials.
Diving Deeper
For our research, we used dummy data to test this website.

We entered the dummy credentials and clicked the login button; the website then asked for an OTP. These 'OTP' popups are planted to deceive users.

We entered a random OTP (1234), after which the site took us to a new page asking for Account Holder Name, Mobile Number and Date of Birth. We filled in dummy details and submitted the form.

The website then asks for another OTP, which never arrived on the mobile number we supplied. We submitted a random OTP again, but the page simply refreshed and returned us to the same OTP prompt, repeatedly. An OTP prompt that accepts any value and never validates it is consistent with a page built only to capture whatever is typed in.


We also noted that the fake login page starts with 'http', meaning the connection is not encrypted. Any details a user enters, such as username, password and other PII, are transmitted in plain text and are easily readable by the cybercriminals.


Dissecting the sender mobile number

Upon analysing the sender mobile number (+918597859710), we noted that the number is valid and assigned to the telephone carrier Reliance Communication (CDMA), located in Jharkhand, India.
Furthermore, the number has also been reported elsewhere as an SBI phishing scam.
Conclusion
There is a high chance that cybercriminals built these websites to gather critical PII (Personally Identifiable Information) from users. Cybercriminals use this PII to impersonate the victim for financial gain, for example by getting a card issued from the bank in the victim's name. The victim's date of birth may also be one of the security questions asked when logging in to their bank account, which the cybercriminals can use to their advantage.
Lessons Learnt
We have listed some essential best practices that form the first line of defence against this type of fraudulent attempt. We recommend our readers follow the best practices given below:
- Do not panic when you receive such messages or calls. Verify the sender's details before trusting any message or call that asks you for personal information.
- Always cross-verify with your bank whether they have sent you any communication regarding 'updating KYC', 'linking your Aadhaar card' or 'blocking your account'.
- Avoid clicking on links received through SMS, as these URLs may be harmful.
- Look for the bank's official sender ID or shortcode; banks do not send SMS from a public mobile number.
- Watch for urgency in the message, such as "if you don't do this your account will be blocked or suspended".
- Look for the padlock symbol at the start of the URL; if it is absent, the site is suspicious or insecure. Note that the padlock only means the connection is encrypted, not that the site is genuine, so the other checks still apply.
- Immediately report any such suspicious messages or calls to your bank.
Observables
- 184.168.114.89
- hxxp[:]//onlinenow.co.in/
- hxxp[:]//mail.onlinenow.co.in
- hxxp[:]//xyz.plko.xyz/
- hxxp[:]//abc.plko.xyz/
- hxxp[:]//abc.walk1234.com/
- hxxp[:]//xyz.walk1234.com/
- +918597859710
About Us
Security Chronicle is a team of independent security researchers and a dedicated platform to educate netizens and raise awareness of #security #risks & #threats.