Suspicious messages asking users to submit a refund application for the disbursement of income tax (I-T) refund have been doing the rounds, with a link that directs users to a webpage looking like the I-T e-filing web page. An investigation by CyberPeace Foundation along with Autobot Infosec Private Ltd reveals that similar looking but fake websites of five banks, State Bank of India (SBI), ICICI Bank, Axis Bank, Punjab National Bank (PNB) and HDFC Bank, are used to collect all personal and financial data. Further, an app gets installed on the user's Android mobile device, which asks for administrator rights and takes full control for duping.
In a release, CyberPeace Foundation says, "The official website of Income tax e-filing is https://www.incometaxindiaefiling.gov.in/home
, which has the domain name ending with .gov.in that clearly indicates as government of India property, whereas the shared link with the SMS has no domain name and is not linked with the govt of India."
"All internet protocol (IP) addresses associated with the campaign belong to some third party dedicated cloud hosting providers. The whole campaign uses plain http protocol instead of the secure https. This means anyone on the network or internet can intercept the traffic and get the confidential information in plain text to misuse against the victim. It collects unnecessary personal data as well as financial information from the users. It asks users to download an application from a third-party source instead of Playstore. The application asks to provide administrator rights and unnecessary access permissions of the device," the release says.
Here are key findings of the analysis...
(The information mentioned here has been extracted during the investigation, information might be changed after generating the reports.)
• On clicking the green 'Proceed to the verification steps' button, users are asked to submit personal information such as Full name, PAN, Aadhar number, Address, Pincode, Date of birth, Mobile number, Email address, Gender, Marital Status and banking information like Account number, IFSC code, Card Number, Expiry date, CVV/CVC and Card PIN. Additionally, the bank name is automatically detected from the IFSC code entered in the form (For the purpose of entering dummy data, the bank name used was State Bank of India)
• After submission of data, users are redirected to a page where they are asked to confirm the entered data.
• Clicking on the green 'confirm' button directs users to a State Bank of India internet banking login page almost like the official one. It was hosted on the same IP 78.138.107[.]132 which was not linked to the State Bank of India internet banking domain in any way. It asks for the username and password for online banking.
• After these details are entered, for the next step, users are asked to enter a Hint question, Answer, Profile password and CIF number. Once submitted, a mobile verification section with instructions provided to download an android application (.apk file) appears, to complete the ITR verification.
• Here, in the third point, users are deliberately instructed to grant all device permissions to the particular application.
• The application, called Certificate.apk, starts downloading upon clicking the green 'Download' link.
• Every time the link http://204.44.124[.]160/ITR is opened, users are redirected to different URLs with the same content and after some time, these respective URLs expire.
• The IP addresses are associated with the following countries- The United States of America and France.
• As mentioned before, the campaign automatically detected the bank name as State Bank of India from the IFSC code, and thus, redirected to the State Bank of India internet login website.
This was tested and confirmed with four other famous banks- ICICI, HDFC, Axis Bank and Punjab National Bank by tweaking the prefix part of the IFSC code.
• Similar types of phishing pages related to the login credential and account details appeared for the respective banks. All the pages collect account related information like username, password, mPIN, security questions etc and after the details are provided, the user is taken to the 'MOBILE VERIFICATION' page mentioned earlier. This happens irrespective of whichever bank the user selects.
• Some of the directories have also been found with the names of axis, hdfc, icici, netpnb and sbi.
• The online bank phishing pages previously mentioned could be reached by visiting those directories manually.
• Source code analysis revealed that the webpage is borrowed from some other source using the iframe tag of HTML. In this case, the contents of the webpage were being fetched from bachir[.]com. Another domain- gardenmeetsgeek[.]com was also found as the iframe source.
• The title image of the landing page is "e-filing Home Page, Income Tax Department, Government of India".
• The header and the navbar section masquerade as a menu area that contains the links of certain pages via which users can reach the respective pages, but in reality, no links are actually embedded in the background. This can be verified from the source code where the values of href are set to '#' instead of the respective URLs.
• After the app- Certificate.apk- is opened, users are asked to enable or activate the application by giving device administrator rights to the app as a necessary step to complete the ITR verification process. This caution message can also be noticed- "Activating this admin app will allow the app certificate to perform the following operations: Erase all data Lock the Screen".
• After selecting 'Activate this device admin app', it asks for multiple device permissions such as contact details, phone call details, send and view SMS messages etc.
• After the access is granted, a prompt for another permission for changing the default SMS messaging app also appears.
• Users are then prompted for a Mobile Verification, and after the number used to register and one of the codes assigned in the Mobile Verification page on the website are entered and verified, a sign in message appears.
• On clicking the 'SIGN IN' button, a fake google account login page appears asking users to provide account credentials. The email ID used during the registration on the website is automatically picked up.
• There is no background verification method to verify the credentials entered.
• After clicking on the 'SIGN IN' option, a 'critical system update' installation with a progress bar and percentage is displayed.
• The permissions are used by the app to perform required operations such as getting the SMS details, getting phone call log details and some particularly dangerous permissions such as full_screen_intent, foreground_service, send_sms, package_usage_stats.
• The call log information and the SMS of registered number are sent to host fcm[.]point2this[.]com. This means that the host behaves like a Command and Control (CnC) for the application. point2this[.]com is a domain name offered by no-ip dynamic DNS service.
• Details regarding the activation status of the application is sent to the server in encoded form, which is not readable by normal users. Decoding the content revealed status details of the device such as timestamp, mobile number and verification code are sent in an encoded form.
• After the data is validated, a token, fid, name etc is provided as a response. Noticing the patterns of the parameters, it seems that in the background, a firebase infrastructure was being used.
According to CyberPeace Foundation, all IP addresses associated with the campaign belong to some dedicated cloud hosting providers and the overall layout and functionalities of the web page used in the campaign are similar to the official e-filing site to lure laymen.
It says, “The campaign is collecting personal as well as banking information from the user. Getting into this type of trap could cause massive financial loss for the users. In the last step, it asks users to download an application from a third-party source. The application asks to provide administrator rights and unnecessary access permissions of the device. Agreeing to this could be a dangerous decision as it sends sensitive information of the user to a remote destination in the background. The device can be remotely handled by the cybercriminals.”
How not to become victim of this fraud...
• CyberPeace Foundation recommends that people should avoid opening such messages sent via social platforms. One must always think before clicking on such links or downloading any attachments from unauthorised sources. one of the ways to verify legitimacy is to look at the URL bar and see if the website uses HTTPS.
• There may be other indicators like a shabbily made website, improper language unusual information being asked for etc.
• Additionally, it is best to open banking or any other financial services website directly by typing in the URL into the address bar or through the legitimate mobile app downloaded from the Playstore.
• Especially when asked to share or type in confidential information such as your OTPs, bank account details, and Aadhaar number, users should pay more attention and caution.
• Falling for this trap could lead compromising of the whole system (access to microphone, camera, text messages, contacts, pictures, videos, and banking applications) as well as financial loss to the users. Users must always think before clicking on such links, or downloading any attachments from unauthorised sources.
CyberPeace Foundation says, at the central level government should try to look at setting up filters for such messages so that they can be marked spam add the origin. Additionally, it says, platforms that are not end to end encrypted can also monitor traffic for such kind of spam messages.
“Hosting service providers should also set up filters for things like frame analysis, by way of which it is also possible to detect similar fishing campaigns using a known modus-operandi,” it added.