The Research Wing of CyberPeace Foundation along with Autobot Infosec Pvt. Ltd. studied two incidents on the name of the State Bank of India that were recently faced by some smartphone users.
The incident include text messages asking users to update their SBI bank KYC using a particular link and another one on receiving free gifts from the State Bank of India as a WhatsApp message.
The Research Wing of CyberPeace Foundation along with Autobot Infosec Private Limited have looked into this matter to reach a conclusion that the website is either legitimate or an online fraud.
In the first case of the text message requesting KYC verification, the landing page that appears resemble to the official SBI Online page retail.onlinesbi.com/retail/login.htm.
On clicking the “CONTINUE TO LOGIN” button it redirects the user to /full-kyc.php page asking confidential information like Username, Password and a Captcha in order to login to the online banking. Following this, it asks for an OTP sent to the user’s mobile number.
As soon as the OTP is entered, it redirects the user to /acholder.php page that asks the users to enter some confidential information again like account holder name, mobile number, date of birth. After entering the data it redirects the user to an OTP page.
The research team noticed that on clicking anywhere in the landing page it redirects to the /full-kyc.php page whereas users should be redirected only if they click on the “CONTINUE TO LOGIN” button. It means users are deliberately forced to reach to the /full-kyc.php and provide the confidential information.
The URL manipulation showed that the web server has directory listing enabled and found other links visible which proves that not only the SBI users, IDFC, PNB, Indusland, Kotak bank users are also targeted by the same type of Phishing scam.
The research team came to a conclusion that the campaign is pretended to be launched from State Bank of India but hosted on the third party domain instead of the official website www.onlinesbi.com which makes it more suspicious.
Overall layout of the web page used in the campaign is kept similar to the official SBI net banking site to lure laymen.
The campaign is collecting banking information like Username, Password, Account Holder Name, Mobile Number, Date of birth from the user. Getting into this type of trap could lead the users to face a massive financial loss.
The whole campaign uses plain http protocol instead of the secure https. This means anyone on the network or internet can intercept the traffic and get the confidential information in plain text to misuse against the victim.
Cybercriminals used ngrok technology to hide the real IP address of the hosting site to be anonymous.
In the second case of luring users to winning attractive free gifts, it was found that the WhatsApp message redirects the user to the link which shows as below.
On the landing page a congratulations message appears with an attractive photo of State Bank of India and asks users to participate in a quick survey to get a free gift of INR 5000000 from the State bank of India. Also at the bottom of this page a section comes up which seems to be a Facebook comment section where many users have commented about how the offer is beneficial.
The survey starts with some basic questions like Do you want a gift, How old are you, How do you rate State Bank of India services, Are you an adult etc. Once the user answers the questions a “congratulatory message” is displayed. After Clicking the OK button users are given three attempts to win the prize by a game that resembles a lucky draw by choosing from gift boxes on screen. After completing all the attempts it says that the user has won Rs. 5000000. Clicking on the ‘OK‘ button, it instructs users to share the campaign on WhatsApp. Strangely enough the user has to keep clicking the WhatsApp button until the progress bar completes. After clicking on the green ‘WhatsApp‘ button multiple times it shows a section where an instruction has been given to complete registration in order to get the prize. After clicking on the green ‘Complete registration’ button, it redirects the user to multiple advertisements web pages and it varies each time the user clicks on the button.
The in depth investigation shows that the campaign is pretended to be an offer from State Bank of India but hosted on the third party domain instead of the official website of State Bank of India which makes it more suspicious.
The Research teams have investigated the URLS in a secured sandbox environment where WhatsApp application was not installed. If any user opens the link from a device like smart phones where WhatsApp application is installed, the sharing features on the site will open the WhatsApp application on the device to share the link.
The prize is kept really attractive to lure the laymen.
All the domain names associated with the campaign have the registrant country as China.
Cybercriminals used Cloudflare technologies to mask the real IP addresses of the front end domain names used in this free gift from SBI campaign. But during the phases of investigation, the Research Team has identified a domain name that was requested in the background and has been traced as belonging to China.
CyberPeace Foundation recommends that people avoid opening such messages sent via social platforms. One must always think before clicking on such links, or downloading any attachments from unauthorized sources.
Falling for this trap could lead to whole system compromisation (Access to microphone, Camera, Text Messages, Contacts, Pictures, Videos, Banking Applications etc.) as well as financial loss for the users. One must always think before clicking on such links, or downloading any attachments from unauthorized sources.
Do not share confidential details like login credentials, banking information with such a type of scam.
Never share or forward fake messages containing links with any social platform without proper verification.