SBI YONO PHISHING SCAM: Criminals Collecting User Information

Rakesh Krishnan
Coinmonks

--

Banking Industry is one of the most targeted and profitable sectors of Cyber Attacks. It is open to various attacks such as Spear Phishing, Backdoor Infection, Malspam, DDoS Attacks, Skimming, etc.

As other attack vectors are complex to gain unauthorized access to the Banking Network; one of the favorite methods used by attackers is Phishing. All they just need a look-alike domain to fool baking customers. By this, the Attacker able to gain sensitive information from customers effortlessly.

Criminals just cast the net, so that victims fall into the trap automatically without any hard work!

Scammers patiently wait for their Victims to fall for Phishing | Image Credit: Luckeux from Deviant Art

Here, we are going to analyze a Case Study where Cyber Criminals targeted SBI YONO Applications to exfiltrate sensitive information from customers.

NOTE: This can be applied to any Bank as Criminals don’t only target a single bank. Hence, the technique discussed in this article could be used to weaponize/target other bank institutions as well.

It is NOT a well-known fact that SBI Bank(State Bank of India) had discontinued the service of YONO via this portal, and moved its operations to the main website of SBI.

This was the legitimate URL of SBI YONO earlier:- https://www.sbiyono.sbi/wps/portal/login

Unless a person individually visits this site; s(he) does not get to know this fact.

Official Notification from SBI

But Cyber Criminals are taking the advantage of this loophole and exploiting it by creating typo-squatted domains (look-alike domains) of the SBI YONO Application for Phishing.

The exact replicas of the Banking Site are served to the victims to exfiltrate sensitive banking information.

Before proceeding with the SCAM, check out the following image and bear the same fact in your mind:-

Official SBI Notification

ANATOMY OF SCAM

  1. RECEIPT OF SUSPECTED MESSAGE

The customer/user gets a text message on his/her phone stating that “Dear customer your YONO SBI account will be blocked. Please update your PAN CARD and complete our KYC. Click here [link]” SBI Team”.

Phishing Text SMS

The links present in the text message is a shortened URLs of fraudulent URLs. By clicking on the link; the user is taken to the fraudulent Phishing Page of SBI YONO.

NOTE: This URL Shortener is used by Cyber Criminals used to mask the real Web URL from getting displayed in the message. Hence, criminals heavily rely on this service.

2. REDIRECTION: ON THE PHISHING PAGE

Let’s proceed with the URL found in the above image: http://bitly.ws/zcqv

By expanding them, it gets resolved to the following Web URL:-
https://ramhulas-shopeno1.web.app

NOTE: Shopeno1 is the tag used by Merchants to identify their Physical Shops in a street. It was originally spelled as Shop №1 but “e” is added to it as it may be a human error. The same mistake is found in another record of a physical shop located in Mumbai.

The Scam starts with a Phishing page served to the user when s(he) clicks on the link received in the text message.

SBI YONO Phishing Page setup bY Criminals

3. DATA COLLECTION: Harvesting Customer PII

The fields such as Username, Password, and Mobile Number are demanded from the customer to exfiltrate sensitive information of the customers.

NOTE: Here, for demo purposes: We are going to use imaginary names to proceed with the SCAM Inner Workings.

Phishing Fields to yield Customer information

By feeding (faulty) username, password and Mobile Number, it redirects to the page of OTP.

Here, it is not necessary to feed the correct OTPs, however, feeding any random 8-digit Key would suffice to proceed further.

NOTE: This step is used by criminals to gain the real OTP entered by the legitimate user to this Phishing page, while parallelly operating customer account information by Cyber Criminals on the legitimate platform.

Fake OTP Prompt: 1

After entering (random) OTP, Customer is demanded to feed the following information such as “Account Holder Name” and “Date of Birth”.

This information is useful for Cyber Criminals to restore the genuine customer account for resetting while attempting financial fraud.

Demanding Customer Data: 1

After entering the required details, the customer is again prompted to enter OTP just to make sure about the correct code.

Fake OTP Prompt: 2

After entering (random) OTP; Criminals demand the next set of sensitive information such as PAN NAME and PAN CARD Number.

NOTE: This information is vital as the financial statements of a person deal with PAN information while filing Income Tax Records annually in INDIA.

Demanding Customer Data: 2

Upon entering the above details; again an OTP prompt comes in.

Fake OTP Prompt: 3

After 2nd OTP, it again asks for sensitive information such as Father’s Name and Branch Name.

Attaining all this information, it can be assumed that Cyber Criminals make use of exfiltrated information and use it for the next Phishing or Targeted Campaigns.

Demanding Customer Data: 3

Now, a final OTP Prompt appears which freezes further proceedings.

Fake OTP Prompt: 4

As there is no action afterward, at this stage, a person will come to know that they fell for the trap laid by the Cyber Criminals by submitting sensitive information.

NOTE: As I have reported on the website, there is a “Deceptive Site Danger” notification displayed if anyone tries to open this site before proceeding to this site.

Reported the Fraudulent Site to prevent further fraud

TRACING BACK-END

Upon analyzing the domain; it is found that this Phishing Site is built using Firebase; where it ends with “.web.app”.

NOTE: Using such applications will help the criminals to run their SCAM Campaigns; until someone scans it with VirusTotal or Report individually to remove the same.

Upon further analysis; the following details are found:-

Site: https://ramhulas-shopeno1.web.app
Short URL: http://bitly.ws/zcqv
IP: 199.36.158.100
Hosted: Fastly
Phone Number used: 9431707692
Location: Bihar, INDIA
Mobile Connection: BSNL

OUTGOING LINK: http://ravins.online/apps/hdfc.apk
Active Since: 7th December 2022

IP ANALYSIS

It is found that the site is not directly hosted; but used Fastly CDN Service to get it hosted, to blend with the malicious traffic. This is because the IP had observed several malicious activities such as Phishing, Malware Delivery, etc.

IP Reputation: Bad

INSPECTING OUTGOING LINK

The outgoing link (ravins.online)present on the Phishing Page of SBI YONO does exist since 4th November 2022.

Phishing Detected

As the site is unreachable at the moment, it found that there is a single text titled “Hellow World” found on the website.

Website Cache

Upon further investigation, it is found that the above-mentioned site is found in the list of Android BankBot list where all the Banking Bots found in the Android are listed.

NOTE: BANKBOT is a generic name given to the malicious banking applications (bots) found in Android Environment. These are capable to exfiltrate sensitive information from the user’s phone and send it to the Attacker.

OTHER YONO SCAMS

INCIDENT-1
URL: https://bit.ly/3DYz6AQ
Phone Number Used: 8967755247
Location: West Bengal

INCIDENT-2
URL: https://bit.ly/3BwwJTd
TIMELINE: November 2021

INCIDENT-3
Phone Number Used: 7205474499
TIMELINE: September 2022
Location: Laxme B from Orissa
Connection: Airtel
Company: PASFER TECH PROVATE LTDś

INCIDENT-4
Phone Number Used: 9742033314
Location: Karnataka
Connection: Vodafone
Luring using: Credit Card Limit Extension

INCIDENT-5
Phone Number Used: 9163657801
URL: sbcek.co.in
Location: Kolkata

IMPACT OF SBI PHISHING: FINANCIAL LOSS

The Impact of the above-said SCAM is huge if the user does not pay meticulous attention to the received Phishing Message on their phone.

Following is an example, which happened recently:-

Customer Complaint registered by a User

There are more complaints like this are being voiced on various platforms like Social Networking Sites and Microblogging Sites as there is no proper channel to hear back from the SBI Officials.

Another Report about SBI Phishing

The above image exactly tells us that SBI Phishing is not new and it’s high time to act immediately on these kinds of fraud to make the customer experience safe.

PS: This incident is directly reported to both SBI and CERT-IN beforehand.

A CATALYST FOR FUTURE SCAMS

The collected information by the Cyber Criminals is used for future SCAM/Fraud Campaigns set up by Scamsters to target a larger user base with different themes at various times.

This paves way for the uncountable number of Fraudulent Activities such as: Selling Customer data on Dark Web, Account Drainage by Criminals, Money Laundering, Loan Attacks (where a criminal uses collected information to apply for loans from different agencies), SIM Registration (to get legitimate new phone numbers without author’s knowledge) and much more.

A combination of above discussed criminal activities could create financial havoc for an individual/institute.

The above-discussed CASE STUDY is just a single Incident about YONO SBI Banking Phishing. Regularly, many banks get targeted and more new Phishing sites get mushrooming. More victims fell for the traps laid by the criminals.

PSYCHOLOGY OF SCAMMER

Using powerful words which instigate PANIC/FEAR among users would anticipate common people to fall for the scam.

Messages like “Offering OTPs” instead of asking OTPs makes the customers log in to their genuine account, resulting in an account takeover by Cyber Criminals.

The new regulations rolled by Banking Authorities are not widely reached the general public; which are exploited by Criminals to target their audience.

Using the same format of Banking Text Messages will lure the users to fall easily.

Unpopular TLD Usage is a methodology used by Criminals to defraud users.

Phishing Pages at an initial glance play an important role in defrauding the general public.

Follow me on Twitter for interesting DarkWeb/InfoSec Short findings! ;-)

NOTE:- The article is purely Individual Research and is not subjected to be used/published anywhere without the Author’s consent.

New to trading? Try crypto trading bots or copy trading on best crypto exchanges

--

--

Rakesh Krishnan
Coinmonks

Independent Security Researcher and Threat Analyst. Often sheds light on Dark Web. Regular contributor to Infosec Community.