New Delhi: A large phishing campaign targeting Indian vehicle owners has been discovered, and it shows how cybercriminals are capitalising on the trust that people place in government transport services. Security researchers have identified over 36 counterfeit e-Challan websites that aim to steal banking and card information by masquerading as official Regional Transport Office (RTO) websites.
Cyble Research and Intelligence Labs (CRIL) discovered the operation and says the scam is active and growing. Unlike earlier attacks that relied on Android malware, this campaign works entirely through the web browser, which makes the operation simpler for the scammers and lets them reach a much wider range of victims. The attackers also use Indian mobile numbers and bank-linked infrastructure to appear legitimate and avoid suspicion.
How the scam targets vehicle owners
The attack normally starts with an SMS stating that a traffic challan is due. The message threatens licence suspension or legal proceedings. To create urgency, it includes a shortened link that resembles a genuine e-Challan or Parivahan site.
Once clicked, the link sends victims to a professionally cloned portal. The counterfeit site is highly realistic and carries government branding. It asks users to enter their vehicle details, after which it displays a plausible-looking traffic violation history. No actual verification takes place.
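As an added example (not part of the CRIL report or the article), the following script shows how a security team could triage incoming SMS lures of the kind described above: it flags any link that does not resolve to the official parivahan.gov.in portal or one of its true subdomains, treats URL shorteners and lookalike domains separately, and raises the score when the message pairs a challan notice with pressure language. The shortener list, lookalike tokens, urgency phrases and sample messages are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Official e-Challan host named in the article; any real subdomain of it is accepted.
OFFICIAL_SUFFIXES = ("parivahan.gov.in",)
# Common URL shorteners (the campaign delivers shortened links). Assumed list.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly", "rb.gy", "is.gd"}
# Tokens a lookalike domain would borrow to imitate the RTO portal. Assumed list.
LOOKALIKE_TOKENS = ("parivahan", "challan", "rto")
# Pressure phrases matching the lure described above (assumed wording for this example).
URGENCY = ("suspend", "legal action", "within 24", "immediately", "last date", "court")
URL_RE = re.compile(r"https?://\S+")

def is_official(host: str) -> bool:
    """Exact match or a true subdomain only; 'parivahan.gov.in.evil.test' must fail."""
    return any(host == s or host.endswith("." + s) for s in OFFICIAL_SUFFIXES)

def triage_sms(text: str) -> dict:
    """Score one SMS: each non-official link and each urgency cue adds a reason."""
    url_reasons, other_reasons = [], []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if is_official(host):
            continue
        if host in SHORTENERS:
            url_reasons.append(f"shortened link ({host})")
        elif any(tok in host for tok in LOOKALIKE_TOKENS):
            url_reasons.append(f"lookalike domain ({host})")
        else:
            url_reasons.append(f"non-official domain ({host})")
    low = text.lower()
    if "challan" in low and any(k in low for k in URGENCY):
        other_reasons.append("challan notice with urgency/threat language")
    reasons = url_reasons + other_reasons
    # A message is flagged when it carries any link outside the official portal;
    # urgency language only raises the score used for prioritisation.
    return {"score": len(reasons), "reasons": reasons, "suspicious": bool(url_reasons)}

# Constructed sample messages (not from the report): two lures and one benign notice.
SAMPLES = [
    "e-Challan of Rs 590 pending. Pay within 24 hrs or licence will be suspended: https://bit.ly/3x-challan",
    "Traffic challan issued. Pay immediately at https://echallan-parivahan.gov.in.verify-pay.test/pay",
    "View your challan status at https://echallan.parivahan.gov.in/ using your vehicle number.",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage_sms(sms))
```

The suffix check matters: a host such as parivahan.gov.in.verify-pay.test contains the official name but is not a subdomain of it, so it is reported as a lookalike rather than accepted.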
Fake challans and psychological traps
CRIL found that the portals generate challan details regardless of what the user enters. The penalties are typically small, around Rs 590, and come with short payment deadlines. This is designed to reduce hesitation and push victims to pay quickly.
The websites offer no UPI or net banking option. Instead, they compel users to enter complete debit or credit card details: card number, expiry date and CVV. Victims may enter their details several times without realising it, and each submission is sent to the attackers' backend systems.
Local infrastructure adds false trust
The use of local infrastructure makes this campaign even more convincing. The phishing SMS messages are sent from Indian mobile numbers registered with Reliance Jio. Investigators also linked some of these numbers to State Bank of India accounts.
Cyble says that using well-known telecom providers and government-owned banks in this way maximises credibility. Victims tend to trust messages that appear to originate in India more than those sent from foreign numbers or gateways.
Shared infrastructure across sectors
According to CRIL's analysis, the same backend infrastructure is reused across several scam themes. Besides the counterfeit e-Challan portals, the researchers found phishing websites posing as HSBC payment pages and as logistics brands including DTDC and Delhivery.
In total, over 36 domains were attributed to the main operation. Other domains imitating Parivahan services were also identified. Most of these sites appear to be auto-generated, suggesting they are rotated continuously to evade blocklists and takedowns.
Anti-detection and ongoing threat
The attackers use basic but effective anti-detection methods. Some phishing pages were originally written in Spanish and later translated, and browser indicators suggest the templates were duplicated from campaigns in other regions. Browser security warnings do appear occasionally, but victims, driven by the fear the text messages create, usually pay them little attention.
Most of the malicious domains were still live at the time of reporting. This points to a long-running, professional operation rather than a one-off scheme.
Security experts are urging citizens to be wary. Users should never click links in unsolicited SMS messages about traffic fines. Any fine should be verified only through official portals such as parivahan.gov.in, and a payment page that accepts cards but not UPI should be treated as a red flag.
In its full report, Cyble has published technical findings, indicators of compromise, and detection advice. The indicators are also posted on its GitHub repository to help organisations and security teams block the threat early.