Indian Computer Emergency Response Team

Ministry of Electronics and Information Technology
Government of India

Phishing websites hosted on NGROK platform, targeting Indian banking customers

Original Issue Date: August 10, 2021

It has been observed that Indian banking customers are being targeted by a new type of phishing attack using the ngrok platform. Malicious actors have abused the ngrok platform to host phishing websites impersonating the internet banking portals of Indian banks. Using these phishing websites, they collect sensitive customer information such as Internet banking credentials, mobile numbers and One Time Passwords (OTP) to perform fraudulent transactions.

The attack is carried out in the following steps:

  • The user receives an SMS with an embedded phishing link ending in ngrok.io/xxxbank. A sample message is shown below:
  • “Dear customer your xxx bank account will be suspended! Please Re KYC Verification Update click here link http://446bdf227fc4.ngrok.io/xxxbank”
  • The victim clicks on the URL and logs in to the phishing website using their Internet banking credentials.
  • The attacker then generates an OTP (2FA), which is delivered to the victim’s phone number.
  • The victim then enters the received OTP in the phishing site, which the attacker captures.
  • Finally, the attacker gains access to the victim’s account using the OTP (2FA) and performs fraudulent transactions.

Sample Phishing URLs

http://1a4fa3e03758.ngrok[.]io/xxxbank

http://1d68ab24386.ngrok[.]io/xxxbank/

http://1e2cded18ece.ngrok[.]io/xxxbank/full-kyc.php

http://1e61c47328d5.ngrok[.]io/xxxbank

https://05388db121b8.sa.ngrok[.]io/xxxbank/

https://0936734b982b.ngrok[.]io/xxxbank/

https://0e552ef5b876.ngrok[.]io/xxxbank/
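
As an added illustration (not part of the CERT-In advisory), the URL pattern above can be turned into a filter for an SMS or mail gateway: the sketch extracts URLs from message text, undoes `[.]` defanging, and flags hosts that are subdomains of ngrok.io while ignoring lookalike hosts. The function names are assumptions, and every sample message other than the advisory's own SMS is constructed.

```python
import re
from urllib.parse import urlsplit

# Domain named in the advisory; extend the tuple to cover other tunnelling services.
TUNNEL_SUFFIXES = ("ngrok.io",)
# http(s) URLs, including the defanged "hxxp" scheme used in threat reports.
URL_RE = re.compile(r"(?:https?|hxxps?)://[^\s<>”]+", re.IGNORECASE)

def refang(url):
    """Undo common defanging ("hxxp", "[.]") so the URL parses normally."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("(.)", ".")

def tunnel_host(url):
    """Return the lowercased host if it is a subdomain of a tunnel domain, else None."""
    try:
        host = (urlsplit(refang(url)).hostname or "").rstrip(".").lower()
    except ValueError:  # malformed authority, e.g. unbalanced brackets
        return None
    for suffix in TUNNEL_SUFFIXES:
        # Match on a label boundary: "ngrok.io.example.net" must not be flagged.
        if host.endswith("." + suffix):
            return host
    return None

def flag_messages(messages):
    """Return (message index, URL as written, host) for each tunnel-hosted link."""
    hits = []
    for index, text in enumerate(messages):
        for match in URL_RE.finditer(text):
            url = match.group(0).rstrip(".,;:)\"'")
            host = tunnel_host(url)
            if host:
                hits.append((index, url, host))
    return hits

# Message 0 is the advisory's sample SMS; the rest are constructed for this example.
SAMPLE_MESSAGES = [
    "Dear customer your xxx bank account will be suspended! Please Re KYC "
    "Verification Update click here link http://446bdf227fc4.ngrok.io/xxxbank”",
    "KYC pending, update now: hxxps://0123456789ab.sa.ngrok[.]io/xxxbank/",
    "Your statement is ready at https://netbanking.example.com/login",
    "Lookalike host: http://ngrok.io.example.net/xxxbank",
    "Userinfo trick: http://a.ngrok.io@example.org/xxxbank",
]

if __name__ == "__main__":
    for index, url, host in flag_messages(SAMPLE_MESSAGES):
        print(f"message {index}: {host} <- {url}")
```

Matching on the parsed hostname rather than on the raw string is what keeps the lookalike and userinfo cases from being flagged.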

Best Practices

  • Do not browse untrusted websites or follow untrusted links, and exercise caution while clicking on links provided in any unsolicited emails and SMSs.
  • Look for suspicious numbers that don’t look like real mobile phone numbers. Scammers often mask their identity by using email-to-text services to avoid revealing their actual phone number. Genuine SMS messages received from banks usually contain a sender ID (consisting of the bank’s short name) instead of a phone number in the sender information field.
  • If you get a message that appears to be from your bank or other financial institution, contact that bank directly to determine if they sent you a legitimate request.
  • Exercise caution while opening email attachments.
  • Only click on URLs that clearly indicate the website domain. When in doubt, users can search for the organisation’s website directly using search engines to ensure that the websites they visit are legitimate.
  • Install and maintain updated anti-virus and antispyware software.
  • Consider using Safe Browsing tools, filtering tools (antivirus and content-based filtering) in your antivirus, firewall, and filtering services.
  • Update spam filters with latest spam mail contents.
  • Exercise caution towards shortened URLs, such as those involving bit.ly and tinyurl. Users are advised to hover their cursors over the shortened URLs (if possible) to see the full website domain which they are visiting or use a URL checker that will allow the user to enter a short URL and view the full URL. Users can also use the shortening service preview feature to see a preview of the full URL.
  • Pay particular attention to any misspelling and/or substitution of letters in the URLs of the websites they are browsing.
  • Look out for valid encryption certificates by checking for the green lock in the browser’s address bar, before providing any sensitive information such as personal particulars or account login details.
  • Reduce the risk of downloading potentially harmful apps by limiting your download sources to official app stores, such as your device’s manufacturer or operating system app store.
  • Customers should report any unusual activity in their account immediately to the respective bank. Phishing websites and suspicious messages should be reported to CERT-In (at [email protected]) and the respective banks with the relevant details for taking further appropriate action.

Disclaimer

The information provided herein is on “as is” basis, without warranty of any kind.

Contact Information

Email: [email protected]
Phone: +91-11-24368572

Postal Address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi
