Indian Computer Emergency Response Team
Ministry of Electronics and Information Technology
Government of India
Phishing websites hosted on NGROK platform, targeting Indian banking customers
Original Issue Date: August 10, 2021
It has been observed that Indian banking customers are being targeted by a new type of phishing attack using ngrok platform. The malicious actors have abused the ngrok platform to host phishing websites impersonating internet banking portals of Indian banks. Using these phishing websites, malicious actors are collecting sensitive information of the customers like Internet Banking credentials, mobile number, One Time Password(OTP) etc. to perform fraudulent transactions.
Below are the steps for carrying out phishing attacks by attacker:
- In this method a user will get the SMSs with embedded phishing links ending with ngrok.io/xxxbank. A sample message is shown below:
- “Dear customer your xxx bank account will be suspended! Please Re KYC Verification Update click here link http://446bdf227fc4.ngrok.io/xxxbank”
- Once the victim clicks on the URL and login to the phishing website using their Internet banking credentials.
- The attacker then generates OTP (2FA) which is delivered to victims’ phone number.
- Victim then enter the received OTP in the phishing site, which the attacker captures.
- Finally, the attacker gains access to the victims’ account using the OTP(2FA) and performs fraudulent transactions.
Sample Phishing URLs
http://1a4fa3e03758.ngrok[.]io/xxxbank
http://1d68ab24386.ngrok[.]io/xxxbank/
http://1e2cded18ece.ngrok[.]io/xxxbank/full-kyc.php
http://1e61c47328d5.ngrok[.]io/xxxbank
https://05388db121b8.sa.ngrok[.]io/xxxbank/
https://0936734b982b.ngrok[.]io/xxxbank/
https://0e552ef5b876.ngrok[.]io/xxxbank/
Best Practices
- Do not browse un-trusted websites or follow un-trusted links and exercise caution while clicking on the link provided in any unsolicited emails and SMSs.
- Look for suspicious numbers that don’t look like real mobile phone numbers. Scammers often mask their identity by using email-to-text services to avoid revealing their actual phone number. Genuine SMS messages received from banks usually contain sender id (consisting of bank’s short name) instead of a phone number in sender information field.
- If you get a message that appears to be from your bank or other financial institution, contact that bank directly to determine if they sent you a legitimate request.
- Exercise caution while opening email attachments. <
- Only click on URLs that clearly indicate the website domain. When in doubt, users can search for the organisation’s website directly using search engines to ensure that the websites they visited are legitimate.
- Install and maintain updated anti-virus and antispyware software.
- Consider using Safe Browsing tools, filtering tools (antivirus and content-based filtering) in your antivirus, firewall, and filtering services.
- Update spam filters with latest spam mail contents.
- Exercise caution towards shortened URLs, such as those involving bit.ly and tinyurl. Users are advised to hover their cursors over the shortened URLs (if possible) to see the full website domain which they are visiting or use a URL checker that will allow the user to enter a short URL and view the full URL. Users can also use the shortening service preview feature to see a preview of the full URL.
- Pay particular attention to any misspelling and/or substitution of letters in the URLs of the websites they are browsing.
- Look out for valid encryption certificates by checking for the green lock in the browser’s address bar, before providing any sensitive information such as personal particulars or account login details.
- Reduce the risk of downloading potentially harmful apps by limiting your download sources to official app stores, such as your device’s manufacturer or operating system app store.
- Customer should report any unusual activity in their account immediately to the respective bank. Phishing websites and suspicious messages should be reported to CERT-In (at incident@cert-in.org.in) and respective banks with the relevant details for taking further appropriate actions.
Disclaimer
The information provided herein is on “as is” basis, without warranty of any kind.
Contact Information
Email:info@cert-in.org.in
Phone: +91-11-24368572
Postal Address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi
