‘One-Stop Shop’ – Phishing Domain Targets Information from Customers of Several Indian Banks

FireEye Labs recently discovered a malicious phishing domain designed
to steal a variety of information – including credentials and mobile
numbers – from customers of several banks in India. Currently, we have
not observed this domain being used in any campaigns. The phishing
websites appear to be in the earlier stages of development and through
this post we hope users will be able to identify these types of
emerging threats in the future.

FireEye phishing detection technology identified a newly registered
domain, “csecurepay[.]com”, that was registered on Oct. 23, 2016. The
website purports to offer online payment gateway services, but is
actually a phishing website that leads to the capturing of victim logon
credentials – and other information – for multiple banks operating in India.

Prior to publication, FireEye notified the Indian Computer Emergency
Response Team.

Phishing Template Presentation and Techniques

Step 1

URL: hxxp://csecurepay[.]com/load-cash-step2.aspx

When navigating to the URL, the domain appears to be a payment
gateway and requests that the user enter their bank account number and
the amount to be transferred, as seen in Figure 1. The victim is
allowed to choose their bank from a list that is provided.

Figure 1: Bank information being requested

By looking at the list, it is clear that only Indian banks are being
targeted at this time. A total of 26 banks are available and these are
named in the Appendix.

Step 2

URL: hxxp://csecurepay[.]com/PaymentConfirmation.aspx

The next website requests the victim to enter their valid 10-digit
mobile number and email ID (Figure 2), which makes the website appear
more legitimate.

Figure 2: Personal information being requested

Step 3

The victim will then be redirected to the spoofed online banking
page of the bank they selected, which requests that they log in using
their user name and password. Figure 3 shows a fake login page for
State Bank of India. See the Appendix for more banks that have spoofed
login pages.

Figure 3: Fake login page for State Bank of India

After entering their login credentials, the victim will be asked to
key in their One Time Password (OTP), as seen in Figure 4.

Figure 4: OTP being requested

Step 4

URL: hxxp://csecurepay[.]com/Final.aspx

Once all of the sensitive data is gathered, a fake failed login
message will be displayed to the victim, as seen in Figure 5.

Figure 5: Fake error message being displayed
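The four steps above form one sequence, and for a defender the useful question is not only "did anyone contact the domain" but "how far did each client get". A client that reached the Final.aspx fake error page was shown it only after the bank login and OTP prompts, so those credentials should be treated as exposed. The following script, added here as an example and not part of FireEye's post or tooling, runs that triage over a constructed proxy log. The two domains, the three page paths and the csecurepay registration date come from the post; the log format, the log lines and the 30-day "newly registered" threshold are assumptions made for the example.

```python
"""Triage aid for the multi-step phishing flow described in Steps 1 to 4.

Added example, not FireEye's tooling. The two domains, the three page paths
and the csecurepay registration date come from the post; the proxy log
format, the log lines themselves and the 30-day "newly registered" threshold
are constructed for this example.
"""
from datetime import date, datetime

# Indicator domains from the post, with defanging brackets removed so they
# match what a proxy log would record.
IOC_DOMAINS = {"csecurepay.com", "nsecurepay.com"}

# Pages of the kit in the order a victim walks through them (Steps 1, 2, 4).
# The per-bank spoofed login page of Step 3 has no URL given in the post,
# so it is not part of the sequence here.
KIT_STEPS = ["/load-cash-step2.aspx", "/PaymentConfirmation.aspx", "/Final.aspx"]

# Only csecurepay's registration date is stated precisely in the post.
REGISTRATION = {"csecurepay.com": date(2016, 10, 23)}

# Constructed proxy log: "<timestamp> <client> <method> <host> <path> <status>".
SAMPLE_LOG = """\
2016-10-25T09:12:01Z 10.1.4.22 GET csecurepay.com /load-cash-step2.aspx 200
2016-10-25T09:12:40Z 10.1.4.22 POST csecurepay.com /load-cash-step2.aspx 302
2016-10-25T09:13:05Z 10.1.4.22 GET csecurepay.com /PaymentConfirmation.aspx 200
2016-10-25T09:14:30Z 10.1.4.22 GET csecurepay.com /Final.aspx 200
2016-10-25T09:20:11Z 10.1.4.23 GET www.example.com /index.html 200
2016-10-25T09:21:00Z 10.1.4.24 GET csecurepay.com /load-cash-step2.aspx 200
2016-10-25T09:30:00Z 10.1.4.25 GET nsecurepay.com / 500
"""


def parse_log(text):
    """Split the constructed log into records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, method, host, path, status = parts
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "method": method,
            "host": host.lower(), "path": path, "status": int(status),
        })
    return records


def find_ioc_hits(records):
    """Every request to one of the known phishing domains."""
    return [r for r in records if r["host"] in IOC_DOMAINS]


def new_domain_hits(records, max_age_days=30):
    """Hosts contacted within max_age_days of their registration date.
    Domain age is a heuristic, not an indicator on its own; here it only
    ranks which IoC hits deserve a look first."""
    fresh = set()
    for r in records:
        reg = REGISTRATION.get(r["host"])
        if reg is not None and (r["time"].date() - reg).days <= max_age_days:
            fresh.add(r["host"])
    return fresh


# Label for the furthest kit page each client reached. Reaching /Final.aspx
# means the fake "login failed" message was shown, so the credentials and
# OTP from Step 3 were most likely already submitted.
STAGE_LABELS = {
    -1: "contact-no-kit-page",
    0: "landing-page-only",
    1: "account-number-submitted",
    2: "fake-error-page-reached",
}


def triage(records):
    """Per client address, how far through the phishing flow it got."""
    furthest = {}
    for r in find_ioc_hits(records):
        step = KIT_STEPS.index(r["path"]) if r["path"] in KIT_STEPS else -1
        furthest[r["client"]] = max(furthest.get(r["client"], -1), step)
    return {client: STAGE_LABELS[step] for client, step in furthest.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("newly registered domains seen:", sorted(new_domain_hits(recs)))
    for client, stage in sorted(triage(recs).items()):
        print(client, stage)
```

In the constructed log, 10.1.4.22 walks the full sequence and is labelled as having reached the fake error page, which is the client whose bank credentials and OTP need to be revoked first; 10.1.4.24 only loaded the landing page; 10.1.4.25 touched nsecurepay.com without reaching a kit page, matching the post's observation that the card-phishing site was still erroring. The domain-age check is kept separate from the IoC match on purpose: a young domain is a reason to look sooner, not proof of anything.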

Credit and Debit Card Phishing Website

Using the registrant information from the csecurepay domain, we
found another domain registered by the phisher as “nsecurepay[.]com”.
The domain, registered in late August 2016, aims to steal credit and
debit card information.

The following are among the list of cards that are targeted:

1. ICICI Credit Card

2. ICICI Debit Card

3. Visa/Master Credit Card

4. Visa/Master Debit Card

5. SBI Debit Card Only

At the time of this writing, the nsecurepay website was producing
errors when redirecting to spoofed credit and debit card pages. Figure
6 shows the front end.

Figure 6: Nsecurepay front end

Conclusion

Phishing has its own development lifecycle. It usually starts off
with building the tools and developing the “hooks” for luring victims
into providing their financial information. Once the phishing website
(or websites) is fully operational, we typically begin to see a wave
of phishing emails pointing to it.

In this case, we see that phishing websites have been crafted to
spoof multiple banks in India. These attackers can potentially capture
sensitive online banking information and other personal data, and have
even built handling for multifactor authentication and OTPs into the
pages. Moreover, disguising the initial presentation to appear as an
online payment gateway service makes the phishing attack seem more legitimate.

FireEye Labs detects this phishing attack and customers will be
protected against the usage of these sites in possible future campaigns.

Appendix

Fake login pages were served for 26 banks. The following is a list
of some of the banks:

- Bank of Baroda – Corporate

- Bank of Baroda – Retail

- Bank of Maharashtra

- HDFC Bank

Figure 7: HDFC Bank fake login page

- ICICI Bank

- IDBI Bank

- Indian Bank

- IndusInd Bank

- Jammu and Kashmir Bank

- Kotak Bank

- Lakshmi Vilas Bank – Corporate

- Lakshmi Vilas Bank – Retail

- State Bank of Hyderabad

- State Bank of India

- State Bank of Jaipur

- State Bank of Mysore

- State Bank of Patiala

- State Bank of Bikaner

- State Bank of Travancore

- Tamilnad Mercantile Bank

- United Bank of India

This is a Security Bloggers Network syndicated blog post authored by Nick Harbour. Read the original post at: Threat Research Blog