FireEye researchers in India recently discovered phishing websites created by cyber criminals that spoof 26 Indian banks in order to steal personal information from customers. Although these phishing websites were not observed being used in campaigns, FireEye has notified the Indian Computer Emergency Response Team about the threat.
FireEye identified a new domain (csecurepay<.>com), registered on Oct. 23, 2016, that appears to be an online payment gateway but is actually a phishing website that captures information from customers of 26 banks operating in India. In this phishing attack, victims are asked to enter their account number, mobile number, email address, one-time password and other details. Once the information is collected, the website displays a fake failed login message to the victim. (Please refer to the appendix for screenshots.)
The phishing site served fake logins from 26 banks, including:
- Bank of Baroda - Corporate
- Bank of Baroda - Retail
- Bank of Maharashtra
- HDFC Bank
- ICICI Bank
- IDBI Bank
- Indian Bank
- IndusInd Bank
- Jammu and Kashmir Bank
- Kotak Bank
- Lakshmi Vilas Bank - Corporate
- Lakshmi Vilas Bank - Retail
- State Bank of Hyderabad
- State Bank of India
- State Bank of Jaipur
- State Bank of Mysore
- State Bank of Patiala
- State Bank of Bikaner
- State Bank of Travancore
- Tamilnad Mercantile Bank
- United Bank of India
Using the registration details of this domain, FireEye security researchers identified a second domain (nsecurepay<.>com) registered by the same attacker in August 2016. This domain appears to have been created to steal credit and debit card information (including ICICI, Citibank, Visa and MasterCard and SBI debit card details), but it was observed to be producing errors at the time of discovery.
“Criminals follow the money, and as more Indians embrace online banking, criminals followed them online. As the digital economy grows, consumers should be aware of the risks that accompany the convenience. The ease of online payments opens new avenues for criminals to trick consumers into divulging their own sensitive banking information. The growing sophistication of these cybercriminal campaigns makes them harder for consumers to identify, and firewalls and antivirus technology do not stop these attacks,” said Vishak Raman, Senior Director for India and SAARC at FireEye.