FireEye Labs recently discovered a malicious phishing domain designed
to steal a variety of information – including credentials and mobile
numbers – from customers of several banks in India. Currently, we have
not observed this domain being used in any campaigns. The phishing
websites appear to be in the earlier stages of development and through
this post we hope users will be able to identify these types of
emerging threats in the future.
detection technology identified a newly registered domain,
“csecurepay[.]com”, that was registered on Oct. 23, 2016. The website
purports to offer online payment gateway services, but is actually a
phishing website that leads to the capturing of victim logon
credentials – and other information – for multiple banks operating in India.
Prior to publication, FireEye notified the Indian Computer Emergency
Phishing Template Presentation and Techniques
When navigating to the URL, the domain appears to be a payment
gateway and requests that the user enter their bank account number and
the amount to be transferred, as seen in Figure 1. The victim is
allowed to choose their bank from a list that is provided.
Figure 1: Bank information being requested
By looking at the list, it is clear that only Indian banks are being
targeted at this time. A total of 26 banks are available and these are
named in the Appendix.
The next website requests the victim to enter their valid 10-digit
mobile number and email ID (Figure 2), which makes the website appear
Figure 2: Personal information being requested
The victim will then be redirected to the spoofed online banking
page of the bank they selected, which requests that they log in using
their user name and password. Figure 3 shows a fake login page for
State Bank of India. See the Appendix for more banks that have spoofed
Figure 3: Fake login page for State Bank of India
After entering their login credentials, the victim will be asked to
key in their One Time Password (OTP), as seen in Figure 4.
Figure 4: OTP being requested
Once all of the sensitive data is gathered, a fake failed login
message will be displayed to the victim, as seen in Figure 5.
Figure 5: Fake error message being displayed
Credit and Debit Card Phishing Website
Using the registrant information from the csecurepay domain, we
found another domain registered by the phisher as “nsecurepay[.]com”.
The domain, registered in latest August 2016, aims to steal credit and
debit card information.
The following are among the list of cards that are targeted:
1. ICICI Credit Card
2. ICICI Debit Card
3. Visa/Master Credit Card
4. Visa/Master Debit Card
5. SBI Debit Card Only
At the time of this writing, the nsecurepay website was producing
errors when redirecting to spoofed credit and debit card pages. Figure
6 shows the front end.
Figure 6: Nsecurepay front end
Phishing has its own development lifecycle. It usually starts off
with building the tools and developing the “hooks” for luring victims
into providing their financial information. Once the phishing website
(or websites) is fully operational, we typically begin to see a wave
of phishing emails pointing to it.
In this case, we see that phishing websites have been crafted to
spoof multiple banks in India. These attackers can potentially grab
sensitive online banking information and other personal data, and even
provided support for multifactor authentication and OTP. Moreover,
disguising the initial presentation to appear as an online payment
gateway service makes the phishing attack seem more legitimate.
FireEye Labs detects this phishing attack and customers will be
protected against the usage of these sites in possible future campaigns.
Fake login pages were served for 26 banks. The following is a list
of some of the banks:
-Bank of Baroda – Corporate
-Bank of Baroda – Retail
-Bank of Maharashtra
Figure 7: HDFC Bank fake login page
-Jammu and Kashmir Bank
-Lakshmi Vilas Bank – Corporate
-Lakshmi Vilas Bank – Retail
-State Bank of Hyderabad
-State Bank of India
-State Bank of Jaipur
-State Bank of Mysore
-State Bank of Patiala
-State Bank of Bikaner
-State Bank of Travancore
-Tamilnad Mercantile Bank
-United Bank of India
This is a Security Bloggers Network syndicated blog post authored by Nick Harbour. Read the original post at: Threat Research Blog