Work from Home Smishing Campaign Targeting Indian Netizens and Causing Huge Financial Losses

Since the COVID-19 pandemic hit the world, the work-from-home model has given businesses a new way to keep operating: corporates, educational institutes, governments, everyone has started working from home. At the same time, it has given cybercriminals a new way to commit crime.

For the last month, our team has been monitoring a campaign in which cybercriminals target users with phishing messages over SMS and WhatsApp (smishing), claiming to offer a job and money for doing "work from home".

One of our team members received phishing messages on both WhatsApp and SMS. The cybercriminals claimed to be from HR, said they had noticed the user was eligible for a home-based job, and then asked the user to contact them on a WhatsApp number.

Attack Chain

We connected with 3 such cybercriminals, posing as job aspirants. All 3 shared a website on which we were to complete the registration process and get the job.

First scenario – A WhatsApp smishing message claiming to offer a home-based job paying up to ₹20,000 per day. Apply via WhatsApp chat.

First Scenario — WhatsApp Smishing message

We clicked on the chat link in the message and started the conversation. The cybercriminal claimed that the user would get ₹8000 per day for only 30 minutes of work. We said "YES". The cybercriminal asked us to register on a website (hxxps://www.ppur8[.]com) and said we would get ₹60 as soon as we signed up. The cybercriminal also asked us to share a screenshot once we had registered on the website, so that they could teach us the work.

Interaction with Cybercriminal during first scenario

Second scenario – Another WhatsApp smishing message claiming to offer a home-based job earning ₹20,000 per day. Apply via WhatsApp chat.

We again interacted with the cybercriminals via the WhatsApp chat mentioned in the message. They claimed that "they help merchants increase sales to earn commissions". They also asked us to register on a mall website (hxxps://www.my5589[.]in), after which we would get a reward (₹50–1000) based on "cloud system registration".

Interaction with Cybercriminal during second scenario

Third scenario – A smishing text message claiming to offer home-based labour paying up to ₹20,000 per day. Connect via WhatsApp chat.

We connected with the cybercriminals via the WhatsApp chat mentioned in the text message. They asked us to work part-time for 10–30 minutes on the platform between 09:30 am and 09:30 pm, and get paid. The cybercriminals also claimed the platform is an "RTL-Mall brusing platform helps major shopping malls brush good reviews". They then asked us to register on a website (hxxps://www[.]my5589[.]in/Public/reg/yqm/903406).

Interaction with Cybercriminal during third scenario

Note:- A user can only join the website with an invite code, which the cybercriminals share in the WhatsApp chat.

Diving Deep

We started our investigation by analysing the company information mentioned on the websites:-

  1. hxxps://www.ppur8[.]com
  2. hxxps://www.my5589[.]in

Both websites claim to be part of a business registered as RACHIKA TRADING LIMITED (U51101MH2014PTC254277), started in 2014 and headquartered in Mumbai & Bangalore. The websites also claim to have more than 1,00,000 active members. Moreover, both websites describe their business as "a third-party online ordering system, which co-operates with existing shopping merchants (Paytm Mall, Ebay, Flipkart, Snapdeal, IndiaMart, Myntra)".

We analysed "RACHIKA TRADING LIMITED" using open source tools such as the Ministry of Corporate Affairs company check portal, zaubacorp[.]com and thecompanycheck[.]com. The findings on these websites confirmed the points below:-

  1. The company was incorporated on 13/03/2014.
  2. The company's current status is Active, and it has filed its Annual Returns up to 31 Mar 2021.
  3. The directors of the company are 'RAVIKANT ANWEKAR', 'ROHIT MAHESH DALMIA' and 'VIJAI SINGH DUGAR'.
  4. The email address is identified as 'cs@futurelifestyle[.]in'. A strange thing to note here is that the company uses the email domain of Future Lifestyle Fashions Limited, which is part of Future Group.
  5. The registered address is identified as 'Knowledge House, Shyam Nagar, Off Jogeshwari Vikhroli Link Road, Jogeshwari East Mumbai, Mumbai City, MH, 400060, IN'; Future Lifestyle Fashions Limited is also registered at the same address.
  6. Furthermore, we did not find any relation between 'RACHIKA TRADING LIMITED' and 'FUTURE LIFESTYLE FASHIONS LIMITED'. But we did find a relation between all three directors of RACHIKA TRADING LIMITED and the FUTURE GROUP of companies.

RACHIKA TRADING LIMITED Company Status

Considering the above findings about the two firms, it is clearly evident that the firm (RACHIKA TRADING LIMITED) was registered illegally by the directors and is being used for fraudulent activities.

Additionally, we shifted our investigation to analysing the websites in detail:-

Once a user registers on either website, they land on a home page showing multiple tabs (Financial, Recharge, Withdrawal, Invite) and a balance of ₹60.

Website Landing Page

If a user wants to 'withdraw' the amount, they need to add their banking details on the website. We used "dummy data" for the banking details and submitted it; the website has no way of verifying the banking data. These websites are designed to store or harvest users' banking information and later abuse it to commit fraud.

Add Banking information in the website

After adding the banking details, we tried to withdraw the amount, but the website showed the error "Insufficient withdrawal balance".

Withdrawal Error

We also explored the 'Recharge' tab on the website. The Recharge tab is again a trap: it asks the user to recharge the account with a minimum of ₹100 via UPI, using multiple payment gateways.

Recharge Options in the websites

We further analysed the Recharge options. Clicking on sunpay (as shown in the figures above) took us to the Paytm app, where the amount is transferred to the cybercriminals' UPI accounts.

Paytm Recharge Payment

The other Recharge options (vpay, fastpay122 & 51pay-01) redirected us to the payment gateway pages of AmmPay and FastPay.

Payment Gateway Pages

We analysed the company "Atn hospitality services opc private limited", which we identified while making a UPI payment to the UPI ID 'paytm-71213406@paytm'. The company is registered as a "One Person Company", incorporated on 28/December/2020, with registered address Plot No-350, Basement, Sec-19, Dwarka, South West Delhi, 110078, IN. The directorship of the company is registered to 'Sachin Kumar Jha'. The email address used is 'ramolaconcultancy@gmail.com'.

Atn hospitality services opc private limited company status

Domain Analysis

We identified that both domains (hxxps://www.ppur8[.]com, hxxps://www.my5589[.]in) were recently registered, under the domain registrar 'Dynadot'.

Whois information

Both IP addresses (96.43.104[.]165, 104.219.209[.]251) also host multiple spamming/phishing domains, which seem to be involved in similar campaigns (see the figures below).

IP Addresses passive DNS Info

After scanning all the websites/domains/IP addresses identified during the investigation, we noted that all of them were newly registered for the purpose of defrauding people, and that people are reporting this campaign in consumer complaints.

Finally, we were able to conclude with moderate confidence that both websites are used to spam users, collect their banking information and later trick them into transferring money to the cybercriminals' UPI accounts.

Even as we investigate this campaign, the cybercriminals remain active and are targeting users with a new smishing message, this time claiming to be from the 'Siemens' company and offering a work from home job.

We connected with the cybercriminals again via the WhatsApp chat mentioned in the text message. They claimed to be Maria, a manager from "Siemens Gamesa", an energy company based in Bangalore. The cybercriminals also claimed that the 'candidate has to use his/her mobile to start the power generation equipment in spare time everyday and daily 2000 to 10000 will be paid'. Note the incorrect English used in the WhatsApp chat messages. They then shared a new link (hxxps://www.siemenss[.]shop/h5/register?icode=630691) to register.

Conclusion

There is a high chance that the cybercriminals have made these websites to gather critical information and PII (Personally Identifiable Information) of the users. The stolen/harvested credentials or information could be used by cybercriminals for other malicious activities such as:-

  1. Brute Forcing — using credentials harvested from the above websites to force logins to users' email and social media accounts.
  2. Account Takeover Frauds — using harvested banking information to take over the victim's account.
  3. Financial Frauds — creating a persona of the victim using stolen banking information and committing financial crime.

Lessons Learnt

We have listed some essential best practices that form the first line of defence against these types of fraudulent attempts. We recommend our readers follow the best practices given below:-

  1. Avoid clicking on any links you receive through SMS/WhatsApp chat, as these URLs might be harmful.
  2. Look for attractive offers and fake claims in the message received, like "earn money", "workfromhome", "work for 2 hours and earn X amount", etc., to avoid falling for the fraudsters' lure.
  3. Verify all sender information before trusting a message that asks you for any personal information or to click on a link.
  4. Look for spelling errors and incorrect grammar in text messages or WhatsApp chats.
  5. Install a good mobile anti-virus to scan any suspicious links.
  6. Immediately report any such suspicious text messages or WhatsApp chats to your nearest police cyber cell, register an online complaint at https://www.cybercrime.gov.in/, or dial 1930 from your phone.
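Several of the signals listed above (lure phrases, a promised daily amount, an embedded link, a push to WhatsApp, a claimed HR or manager role) can be checked mechanically before a message is trusted. The script below is an added example, not part of the original post or the Security Chronicle team's tooling. The scoring weights, the lure phrase list and the sample messages are constructed for illustration, modelled on the three scenarios described above; the number in the sample link is a placeholder.

```python
import re
from dataclasses import dataclass, field

# Lure phrases modelled on the scenarios in this write-up (constructed list)
LURE_PHRASES = [
    "work from home", "workfromhome", "home based job", "earn money",
    "part time", "part-time", "spare time", "per day", "daily", "get paid",
]
URL_RE = re.compile(r"(?:h[xt]{2}ps?://|\bwww\.)\S+", re.IGNORECASE)
CHAT_PIVOT_RE = re.compile(r"\b(whatsapp|wa\.me|chat link)\b", re.IGNORECASE)
ROLE_RE = re.compile(r"\b(hr|manager|recruiter)\b", re.IGNORECASE)
# "₹20,000", "Rs. 8000", "INR 500" and bare ranges such as "2000 to 10000"
AMOUNT_RE = re.compile(r"(?:₹|\brs\.?|\binr)\s*([\d,]+)", re.IGNORECASE)
RANGE_RE = re.compile(r"\b(\d{3,6})\s*(?:to|-|–)\s*(\d{3,6})\b")
PER_DAY_RE = re.compile(r"\b(per day|a day|daily|everyday)\b", re.IGNORECASE)


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)


def promised_daily_amount(text: str) -> int:
    """Largest rupee figure in the text when a daily payout is promised, else 0."""
    figures = [int(m.group(1).replace(",", "")) for m in AMOUNT_RE.finditer(text)
               if m.group(1).replace(",", "").isdigit()]
    figures += [int(hi) for _lo, hi in RANGE_RE.findall(text)]
    if figures and PER_DAY_RE.search(text):
        return max(figures)
    return 0


def score_message(text: str) -> Verdict:
    """Weighted heuristic score; every rule records its reason for the analyst."""
    v = Verdict()
    low = text.lower()
    lures = [p for p in LURE_PHRASES if p in low]
    if lures:
        v.score += 2
        v.reasons.append("lure phrases: " + ", ".join(lures))
    amount = promised_daily_amount(text)
    if amount >= 1000:
        v.score += 2
        v.reasons.append(f"promises ₹{amount} per day")
    if URL_RE.search(text):
        v.score += 2
        v.reasons.append("contains a link")
    if CHAT_PIVOT_RE.search(text):
        v.score += 1
        v.reasons.append("pushes the conversation to WhatsApp")
    if ROLE_RE.search(text):
        v.score += 1
        v.reasons.append("claims an HR/manager role")
    return v


def label(score: int) -> str:
    if score >= 5:
        return "likely smishing"
    if score >= 3:
        return "suspicious"
    return "low"


# Constructed sample messages: two modelled on the campaign, two benign controls.
# The digits in the wa.me link are a placeholder, not a real number.
SAMPLE_MESSAGES = [
    "HR here. You are eligible for a home based job, earn upto ₹20,000 per day. "
    "Apply via WhatsApp chat: hxxps://wa.me/91XXXXXXXXXX",
    "Your OTP for login is 482913. Do not share it with anyone.",
    "Work part time in your spare time and get paid daily. Message us on WhatsApp for details.",
    "Reminder: the team standup has moved to 3 pm today. Join on the usual link.",
]


def triage(messages=SAMPLE_MESSAGES):
    """Return (label, score, message) for each message, ready for a review queue."""
    results = []
    for m in messages:
        v = score_message(m)
        results.append((label(v.score), v.score, m))
    return results


if __name__ == "__main__":
    for lbl, s, m in triage():
        print(f"[{lbl:>16}] score={s} :: {m[:70]}")
        for r in score_message(m).reasons:
            print(f"{'':>19}- {r}")
```

The thresholds are deliberately simple: a message that combines a lure, a large daily figure and a link scores high enough on its own, while a benign OTP or calendar reminder scores zero, so the heuristic can sit in front of a human reviewer without drowning them in false positives.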

What's Next?

We highly recommend that all law enforcement and cyber safety agencies immediately block the observables below at the network level and take further action to safeguard netizens from these campaigns.

Observables

IP Address

  1. 96.43.104[.]165
  2. 104.219.209[.]251
  3. 104.21.18[.]150
  4. 172.67.182[.]158
  5. 154.39.149[.]40
  6. 192.124.249[.]83
  7. 103.251.113[.]152

Domain

  1. my5589[.]in
  2. ppur8[.]com
  3. uka189[.]in
  4. siemenss[.]shop

Payment Gateways

  1. hxxps://upi.payplus[.]live/pay/plus/vpa2.html?orderId=165607566567657&token=03ac9f7b580f4f67bc4d363ac66f52501656075665755
  2. hxxps://pay.fast8811[.]com/steputr?o=1540320465562923009&t=8&a=200&p=1
  3. hxxps://payment.ammcinrpay[.]com/order-pending?orderId=20220624184040218619&mchId=39051084513

UPI Accounts

  1. stayspeedy@indus
  2. paytmqr2810050501011metnkjq2kgj@paytm
  3. paytm-71213406@paytm

Companies and Directors

  1. RACHIKA TRADING LIMITED — RAVIKANT ANWEKAR, ROHIT MAHESH DALMIA, VIJAI SINGH DUGAR
  2. ATN HOSPITALITY SERVICES OPC PRIVATE LIMITED — SACHIN KUMAR JHA

Phone Numbers

  1. +91-7814660620
  2. +91-8303547664
  3. +91-8789900593
  4. +91-7350050962
  5. +91-8146920636
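The observables above are published in defanged form (hxxps://, [.]), so they cannot be dropped into a DNS filter or proxy as they stand. The script below is an added example, not code from the original post: it refangs a subset of the published indicators, classifies each as an IP address, domain, URL or UPI ID, checks candidate URLs against the result (matching subdomains of a listed domain as well), and exports a sinkhole-style hosts list. The URLs it checks are constructed test inputs; the defanging conventions it reverses are the ones used on this page.

```python
import ipaddress
import re
from urllib.parse import urlsplit


def refang(indicator: str) -> str:
    """Reverse report-style defanging: hxxps:// -> https://, [.] -> . (page conventions)."""
    s = indicator.strip()
    s = re.sub(r"^h[xX]{2}p(s?)://", r"http\1://", s)
    return s.replace("[.]", ".")


# Subset of the observables published in this write-up, copied in defanged form
RAW_OBSERVABLES = """
96.43.104[.]165
104.219.209[.]251
104.21.18[.]150
my5589[.]in
ppur8[.]com
uka189[.]in
siemenss[.]shop
hxxps://www[.]my5589[.]in/Public/reg/yqm/903406
hxxps://www.siemenss[.]shop/h5/register?icode=630691
hxxps://upi.payplus[.]live/pay/plus/vpa2.html?orderId=165607566567657&token=03ac9f7b580f4f67bc4d363ac66f52501656075665755
hxxps://pay.fast8811[.]com/steputr?o=1540320465562923009&t=8&a=200&p=1
stayspeedy@indus
paytm-71213406@paytm
"""


def classify(value: str) -> str:
    """Indicator type by shape: IP literal, URL (has scheme), UPI ID (has @), else domain."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if "://" in value:
        return "url"
    if "@" in value:
        return "upi"
    return "domain"


def build_blocklist(raw: str = RAW_OBSERVABLES) -> dict:
    """Group refanged indicators by type; the host of every URL also joins the domain set."""
    bl = {"ip": set(), "domain": set(), "url": set(), "upi": set()}
    for line in raw.strip().splitlines():
        value = refang(line)
        if not value:
            continue
        kind = classify(value)
        bl[kind].add(value if kind == "url" else value.lower())
        if kind == "url":
            host = urlsplit(value).hostname
            if host:
                bl["domain"].add(host)
    return bl


def host_is_listed(host: str, domains: set) -> bool:
    """True if the host or any parent domain is listed, so m.my5589.in matches my5589.in."""
    labels = host.lower().strip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def check_url(url: str, bl: dict) -> bool:
    """Block decision for a single URL; accepts either the live or the defanged form."""
    host = urlsplit(refang(url)).hostname or ""
    try:
        return str(ipaddress.ip_address(host)) in bl["ip"]
    except ValueError:
        return host_is_listed(host, bl["domain"])


def to_hosts_file(bl: dict) -> str:
    """Sinkhole format (0.0.0.0 domain) accepted by /etc/hosts and most DNS filters."""
    return "\n".join(f"0.0.0.0 {d}" for d in sorted(bl["domain"]))


if __name__ == "__main__":
    blocklist = build_blocklist()
    for kind, values in blocklist.items():
        print(f"{kind}: {len(values)} entries")
    # Constructed test URLs: one on a subdomain of a listed domain, one on a listed IP, one benign
    for u in ("https://m.my5589.in/Public/reg/yqm/123",
              "http://96.43.104.165/login",
              "https://example.com/jobs"):
        print(f"{'BLOCK' if check_url(u, blocklist) else 'allow'}  {u}")
    print(to_hosts_file(blocklist))
```

Matching on parent domains matters here because the registration links use hosts such as www[.]my5589[.]in while the published domain is the bare my5589[.]in; a blocklist that only compares exact strings would miss any new subdomain the operators set up on the same domain.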

This investigation is part of the independent research we do on a regular basis to keep the internet a safer place.

Security Chronicle is a team of independent security researchers and a dedicated platform to educate netizens and raise awareness of #security #risks & #threats.

A similar blog is available for our Hindi readers.
