Govt warns of phishing attack that can steal money from account via net banking

The agency has observed that Indian banking customers are being targeted by a new type of phishing attack using a platform called ‘ngrok’. Some malicious actors are impersonating Indian banks in order to dupe net banking users for their banking credentials, leading to fraudulent transactions.

Also Read: CERT-In says 15,651 Indian websites hacked till June this year

The ngrok platform is being used to host phishing websites through which the malicious actors are collecting sensitive information of the customers like Internet Banking credentials, mobile number, One Time Password (OTP) etc. to perform fraudulent transactions.

• First, the user will get an SMS that could will pretend to be sent by the user’s bank. The SMS will contain suspicious links with embedded phishing links ending with ngrok.io/xxxbank. A sample message is shown below:
• “Dear customer your xxx bank account will be suspended! Please Re KYC Verification Update click here link http://446bdf227fc4.ngrok.io/xxxbank”
• Once the victim clicks on the URL and login to the phishing website using their Internet banking credentials. The attacker then generates OTP (2FA) which is delivered to victims’ phone number.
• The Victim then enters the received OTP in the phishing site, which the attacker captures.
• Finally, the attacker gains access to the victims’ account using the OTP(2FA) and performs fraudulent transactions.

In-CERT has also released some best practices which users should follow in order to stay safe from malicious actors:

Do not browse un-trusted websites or follow un-trusted links and exercise caution while clicking on the link provided in any unsolicited emails and SMS.

Look for suspicious numbers that don’t look like real mobile phone numbers.

Scammers often mask their identity by using email-to-text services to avoid revealing their actual phone number. Genuine SMS messages received from banks usually contain sender ID (consisting of bank’s short name) instead of a phone number in sender information field.

If you get a message that appears to be from your bank or other financial institution, contact that bank directly to determine if they sent you a legitimate request.

Exercise caution while opening email attachments. Only click on URLs that clearly indicate the website domain. When in doubt, users can search for the organisation’s website directly using search engines to ensure that the websites they visited are legitimate.

Install and maintain updated anti-virus and anti-spyware software.

Consider using Safe Browsing tools, filtering tools (antivirus and content-based filtering) in your antivirus, firewall, and filtering services.

Update spam filters with the latest spam mail contents.

Exercise caution towards shortened URLs, such as those involving bit.ly and tinyurl. Users are advised to hover their cursors over the shortened URLs (if possible) to see the full website domain which they are visiting or use a URL checker that will allow the user to enter a short URL and view the full URL.

Users can also use the shortening service preview feature to see a preview of the full URL.

Pay particular attention to any misspelling and/or substitution of letters in the URLs of the websites they are browsing look out for valid encryption certificates by checking for the green lock in the browser’s address bar, before providing any sensitive information such as personal particulars or account login details.

Reduce the risk of downloading potentially harmful apps by limiting your download sources to official app stores, such as device’s manufacturer or operating system app store.

Customers should report any unusual activity in their account immediately to the respective bank. Phishing websites and suspicious messages should be reported to CERT-In.