Beware! SMS for Income Tax Refund with Links is Fraud; Users Are Lured to Fake Sites of I-T Dept, SBI, ICICI Bank, Axis Bank, PNB and HDFC Bank
Suspicious messages asking users to submit a refund application for the disbursement of an income tax (I-T) refund have been doing the rounds, with a link that directs users to a webpage resembling the I-T e-filing web page. An investigation by CyberPeace Foundation along with Autobot Infosec Private Ltd reveals that similar looking but fake websites of five banks, State Bank of India (SBI), ICICI Bank, Axis Bank, Punjab National Bank (PNB) and HDFC Bank, are used to collect all personal and financial data. Further, an app is installed on the user's Android mobile device, which asks for administrator rights and takes full control of the device to defraud the user.
"All internet protocol (IP) addresses associated with the campaign belong to some third party dedicated cloud hosting providers. The whole campaign uses plain http protocol instead of the secure https. This means anyone on the network or internet can intercept the traffic and get the confidential information in plain text to misuse against the victim. It collects unnecessary personal data as well as financial information from the users. It asks users to download an application from a third-party source instead of Playstore. The application asks to provide administrator rights and unnecessary access permissions of the device," the release says.
Here are key findings of the analysis...
(The information mentioned here was extracted during the investigation; it may have changed since the reports were generated.)
On clicking the green 'Proceed to the verification steps' button, users are asked to submit personal information such as Full name, PAN, Aadhar number, Address, Pincode, Date of birth, Mobile number, Email address, Gender, Marital Status and banking information like Account number, IFSC code, Card Number, Expiry date, CVV/CVC and Card PIN. Additionally, the bank name is automatically detected from the IFSC code entered in the form (for the purpose of entering dummy data, the bank name used was State Bank of India).
After submission of data, users are redirected to a page where they are asked to confirm the entered data.
Clicking on the green 'confirm' button directs users to a State Bank of India internet banking login page closely resembling the official one. It was hosted on the same IP, 78.138.107[.]132, which is not linked to the State Bank of India internet banking domain in any way. It asks for the username and password for online banking.
After these details are entered, in the next step users are asked to enter a hint question, answer, profile password and CIF number. Once submitted, a mobile verification section appears with instructions to download an Android application (.apk file) to complete the ITR verification.
Here, in the third point, users are deliberately instructed to grant all device permissions to the particular application.
The application, called Certificate.apk, starts downloading upon clicking the green 'Download' link.
Every time the link http://204.44.124[.]160/ITR is opened, users are redirected to different URLs with the same content and after some time, these respective URLs expire.
The IP addresses are associated with the following countries: the United States of America and France.
As mentioned before, the campaign automatically detected the bank name as State Bank of India from the IFSC code, and thus, redirected to the State Bank of India internet login website.
This was tested and confirmed with four other well-known banks, ICICI, HDFC, Axis Bank and Punjab National Bank, by tweaking the prefix of the IFSC code.
Similar phishing pages for login credentials and account details appeared for the respective banks. All the pages collect account related information like username, password, mPIN, security questions etc., and after the details are provided, the user is taken to the 'MOBILE VERIFICATION' page mentioned earlier. This happens irrespective of which bank the user selects.
Some of the directories have also been found with the names of axis, hdfc, icici, netpnb and sbi.
The online bank phishing pages previously mentioned could be reached by visiting those directories manually.
Source code analysis revealed that the webpage is borrowed from some other source using the iframe tag of HTML. In this case, the contents of the webpage were being fetched from bachir[.]com. Another domain, gardenmeetsgeek[.]com, was also found as an iframe source.
The title image of the landing page is "e-filing Home Page, Income Tax Department, Government of India".
The header and the navbar section masquerade as a menu area that contains the links of certain pages via which users can reach the respective pages, but in reality, no links are actually embedded in the background. This can be verified from the source code where the values of href are set to '#' instead of the respective URLs.
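As an added example, not part of the report, here is a small Python scan that checks a saved copy of a page for the tells described above: an iframe sourced from a different host, a navbar whose hrefs are all '#', sensitive card and identity fields submitted over plain http, and a direct .apk download. The sample page and its hosts are constructed placeholders, not the campaign's real markup.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inputs a refund form has no reason to ask for (the report lists card number,
# expiry, CVV/CVC and card PIN next to PAN and Aadhaar).
SENSITIVE_FIELDS = {"card_number", "expiry", "cvv", "cvc", "card_pin",
                    "password", "pan", "aadhar", "aadhaar", "cif"}


class KitScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.iframe_hosts = []      # iframes pulling content from another host
        self.dead_links = 0         # menu anchors whose href is just '#'
        self.plain_http_forms = []  # forms posting over http://
        self.sensitive_inputs = []  # inputs named like card/identity fields
        self.apk_links = []         # direct .apk downloads (sideloading lure)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe" and a.get("src"):
            host = urlparse(a["src"]).hostname
            if host and host != self.page_host:
                self.iframe_hosts.append(host)
        elif tag == "a":
            href = a.get("href", "").strip()
            if href == "#":
                self.dead_links += 1
            elif href.lower().endswith(".apk"):
                self.apk_links.append(href)
        elif tag == "form" and urlparse(a.get("action", "")).scheme == "http":
            self.plain_http_forms.append(a["action"])
        elif tag == "input" and a.get("name", "").lower() in SENSITIVE_FIELDS:
            self.sensitive_inputs.append(a["name"].lower())


def scan_page(html, page_host):
    """Return the indicators found; the count doubles as a crude risk score."""
    s = KitScanner(page_host)
    s.feed(html)
    findings = []
    if s.iframe_hosts:
        findings.append("iframe content fetched from: " + ", ".join(s.iframe_hosts))
    if s.dead_links >= 3:
        findings.append(f"{s.dead_links} navigation links point to '#' (decorative menu)")
    if s.plain_http_forms and s.sensitive_inputs:
        findings.append("sensitive fields %s submitted over plain http"
                        % sorted(set(s.sensitive_inputs)))
    if s.apk_links:
        findings.append("direct .apk download offered: " + s.apk_links[0])
    return {"score": len(findings), "findings": findings}


# Constructed page mimicking the kit's layout; hosts are placeholders from the
# documentation ranges, not the campaign's real addresses.
SAMPLE_HTML = """<html><head><title>e-Filing Home Page, Income Tax Department,
Government of India</title></head><body>
<nav><a href="#">Home</a><a href="#">About Us</a><a href="#">Help</a><a href="#">Contact</a></nav>
<iframe src="http://kit-source.example/itr/index.html"></iframe>
<form method="post" action="http://203.0.113.10/ITR/submit.php">
<input name="pan"><input name="aadhar"><input name="card_number">
<input name="cvv"><input name="card_pin"><input name="ifsc"></form>
<a href="http://203.0.113.10/ITR/Certificate.apk">Download</a></body></html>"""
```

Running `scan_page(SAMPLE_HTML, "203.0.113.10")` reports all four indicators; a legitimate login page served over https with working menu links reports none.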
After the app, Certificate.apk, is opened, users are asked to enable or activate the application by giving device administrator rights to the app as a necessary step to complete the ITR verification process. This caution message can also be noticed: "Activating this admin app will allow the app certificate to perform the following operations: Erase all data Lock the Screen".
After selecting 'Activate this device admin app', it asks for multiple device permissions such as contact details, phone call details, send and view SMS messages etc.
After the access is granted, a prompt for another permission for changing the default SMS messaging app also appears.
Users are then prompted for a mobile verification; after they enter the number used to register and one of the codes assigned on the website's Mobile Verification page, and these are verified, a sign-in message appears.
On clicking the 'SIGN IN' button, a fake Google account login page appears asking users to provide account credentials. The email ID used during the registration on the website is automatically picked up.
There is no background verification method to verify the credentials entered.
After clicking on the 'SIGN IN' option, a 'critical system update' installation with a progress bar and percentage is displayed.
The app uses the permissions to perform its required operations, such as reading SMS details and phone call log details, and it also requests some particularly dangerous permissions such as full_screen_intent, foreground_service, send_sms and package_usage_stats.
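An added illustration, not from the report: a triage routine that reads a decoded AndroidManifest.xml (as produced by a decoder such as apktool) and flags the permission set named above together with the device-admin receiver behind the "Erase all data / Lock the screen" prompt and the request to become the default SMS app. The sample manifest and its package name are constructed, not the real Certificate.apk manifest.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Permissions the report lists for Certificate.apk, with why each matters.
RISKY_PERMISSIONS = {
    "android.permission.SEND_SMS": "send SMS from the victim's number",
    "android.permission.READ_SMS": "read SMS, including bank OTPs",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_CALL_LOG": "read call history",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.FOREGROUND_SERVICE": "stay resident as a foreground service",
    "android.permission.USE_FULL_SCREEN_INTENT": "draw full-screen prompts",
    "android.permission.PACKAGE_USAGE_STATS": "observe which apps are in use",
}
DEVICE_ADMIN = "android.app.action.DEVICE_ADMIN_ENABLED"
SMS_DELIVER = "android.provider.Telephony.SMS_DELIVER"


def triage_manifest(manifest_xml):
    """Summarise the risky capabilities a decoded AndroidManifest.xml requests."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    risky = {p: RISKY_PERMISSIONS[p] for p in sorted(requested & RISKY_PERMISSIONS.keys())}
    actions = {a.get(ANDROID + "name") for a in root.iter("action")}
    result = {
        "package": root.get("package"),
        "risky_permissions": risky,
        # A DeviceAdminReceiver produces the "Erase all data / Lock the screen"
        # activation prompt the report describes.
        "requests_device_admin": DEVICE_ADMIN in actions,
        # Handling SMS_DELIVER is how an app offers itself as the default SMS app.
        "wants_default_sms_app": SMS_DELIVER in actions,
    }
    result["score"] = (len(risky) + 2 * result["requests_device_admin"]
                       + 2 * result["wants_default_sms_app"])
    return result


# Constructed manifest modelled on the behaviour the report describes
# (hypothetical package name; not the real Certificate.apk manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.certificate">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.USE_FULL_SCREEN_INTENT"/>
  <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
```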
The call log information and the SMS of registered number are sent to host fcm[.]point2this[.]com. This means that the host behaves like a Command and Control (CnC) for the application. point2this[.]com is a domain name offered by no-ip dynamic DNS service.
Details regarding the activation status of the application are sent to the server in encoded form, which is not readable by normal users. Decoding the content revealed that device status details such as the timestamp, mobile number and verification code are what is being sent.
After the data is validated, a token, fid, name etc. is provided as a response. From the pattern of the parameters, it appears that Firebase infrastructure was being used in the background.
According to CyberPeace Foundation, all IP addresses associated with the campaign belong to some dedicated cloud hosting providers and the overall layout and functionalities of the web page used in the campaign are similar to the official e-filing site to lure laymen.
It says, "The campaign is collecting personal as well as banking information from the user. Getting into this type of trap could cause massive financial loss for the users. In the last step, it asks users to download an application from a third-party source. The application asks to provide administrator rights and unnecessary access permissions of the device. Agreeing to this could be a dangerous decision as it sends sensitive information of the user to a remote destination in the background. The device can be remotely handled by the cybercriminals."
How not to become a victim of this fraud...
CyberPeace Foundation recommends that people should avoid opening such messages sent via social platforms. One must always think before clicking on such links or downloading any attachments from unauthorised sources. One of the ways to verify legitimacy is to look at the URL bar and see if the website uses HTTPS.
There may be other indicators, like a shabbily made website, improper language, unusual information being asked for, etc.
Additionally, it is best to open banking or any other financial services website directly by typing in the URL into the address bar or through the legitimate mobile app downloaded from the Playstore.
Users should pay extra attention and caution especially when asked to share or type in confidential information such as OTPs, bank account details and Aadhaar number.
Falling for this trap could lead to compromise of the whole system (access to microphone, camera, text messages, contacts, pictures, videos, and banking applications) as well as financial loss to users. Users must always think before clicking on such links, or downloading any attachments from unauthorised sources.
CyberPeace Foundation says that, at the central level, the government should look at setting up filters for such messages so that they can be marked as spam at the origin. Additionally, it says, platforms that are not end-to-end encrypted can also monitor traffic for such spam messages.
Hosting service providers should also set up filters for things like frame analysis, by way of which it is also possible to detect similar phishing campaigns using a known modus operandi, it added.