Indian banking customers are being targeted by a new type of phishing attack using the ngrok platform (a web service provider). The malicious actors have abused the ngrok platform to host phishing websites impersonating internet banking portals of Indian banks. Using these phishing websites, malicious actors are collecting sensitive information of the customers like internet banking credentials, mobile number and one time password (OTP) to perform fraudulent transactions.
In a warning, the Indian Computer Emergency Response Team (CERT-In) says, the scammers are sending SMS to customers with embedded phishing links ending with ngrok.io/xxxbank.
A sample message appears like this...
Once the customer clicks on the URL give in above message and login to the phishing website using their Internet banking credentials, the scamster generates an OTP as two factor authentication (2FA) which is delivered to customer’s phone number.
When the customer enters the OTP in the phishing site, the scammer captures it and then gains access to the victim’s account using the OTP and performs fraudulent transactions.
ngrok is a reverse proxy that creates a secure tunnel from a public endpoint to a locally running web service. ngrok creates a tunnel from the public internet http://.ngrok.io to a port on the local machine (here on the scammer's machine). The auto-generated URL can be shared with anyone to give them access to the local development environment (read: the scammer can see all details being filled by the victim on his machine).
CERT-In says bank customers in India must follow certain precautions when they receive such message and should never click on any link given there. Further it asks customers to refrain from filling out internet banking credentials on these websites.
Here are the best practices recommended by CERT-In to protect customers from this new type of phishing attack...
• Do not browse un-trusted websites or follow un-trusted links and exercise caution while clicking on the link provided in any unsolicited emails and SMSs.
• Look for suspicious numbers that don't look like real mobile phone numbers. Scammers often mask their identity by using email-to-text services to avoid revealing their actual phone number. Genuine SMS messages received from banks usually contain sender ID (consisting of bank's short name) instead of a phone number in sender information field.
• If you get a message that appears to be from your bank or other financial institution, contact that bank directly to determine if they sent you a legitimate request.
• Exercise caution while opening email attachments.
• Only click on URLs that clearly indicate the website domain. When in doubt, users can search for the organisation's website directly using search engines to ensure that the websites they visited are legitimate.
• Install and maintain updated anti-virus and antispyware software.
• Consider using safe browsing tools, filtering tools (antivirus and content-based filtering) in your antivirus, firewall, and filtering services.
• Update spam filters with latest spam mail contents.
• Exercise caution towards shortened URLs, such as those involving bit.ly and tinyurl. Users are advised to hover their cursors over the shortened URLs (if possible) to see the full website domain which they are visiting or use a URL checker that will allow the user to enter a short URL and view the full URL. Users can also use the shortening service preview feature to see a preview of the full URL.
• Pay particular attention to any misspelling and/or substitution of letters in the URLs of the websites they are browsing.
• Look out for valid encryption certificates by checking for the green lock in the browser's address bar, before providing any sensitive information such as personal particulars or account login details.
• Reduce the risk of downloading potentially harmful apps by limiting your download sources to official app stores, such as your device's manufacturer or operating system app store.
Customer should report any unusual activity in their account immediately to the respective bank. Phishing websites and suspicious messages should be reported to CERT-In (at [email protected]
) and the respective banks with the relevant details for taking further appropriate actions.