SBI YONO PHISHING SCAM: Criminals Collecting User Information
The Banking Industry is one of the most targeted and most profitable sectors for Cyber Attacks. It is exposed to various attacks such as Spear Phishing, Backdoor Infection, Malspam, DDoS Attacks, Skimming, etc.
As the other attack vectors for gaining unauthorized access to a Banking Network are complex, one of the favorite methods used by attackers is Phishing. All they need is a look-alike domain to fool banking customers. With it, the Attacker is able to gain sensitive information from customers effortlessly.
Criminals just cast the net, and victims fall into the trap on their own, without any hard work on the criminals' part!
Here, we are going to analyze a Case Study where Cyber Criminals targeted SBI YONO Applications to exfiltrate sensitive information from customers.
NOTE: This applies to any Bank, as Criminals don’t target only a single bank. Hence, the technique discussed in this article could be used against other banking institutions as well.
It is NOT a well-known fact that SBI (State Bank of India) has discontinued the YONO service via this portal and moved its operations to the main SBI website.
This was the legitimate URL of SBI YONO earlier:- https://www.sbiyono.sbi/wps/portal/login
Unless a person individually visits this site, s(he) does not get to know this fact.
But Cyber Criminals are taking advantage of this loophole, exploiting it by creating typo-squatted (look-alike) domains of the SBI YONO Application for Phishing.
The exact replicas of the Banking Site are served to the victims to exfiltrate sensitive banking information.
Before proceeding with the SCAM, check out the following image and bear this fact in mind:-
ANATOMY OF SCAM
1. RECEIPT OF SUSPECTED MESSAGE
The customer/user gets a text message on his/her phone stating: “Dear customer your YONO SBI account will be blocked. Please update your PAN CARD and complete our KYC. Click here [link] SBI Team”.
The link present in the text message is a shortened URL pointing to the fraudulent URL. By clicking on the link, the user is taken to the fraudulent SBI YONO Phishing Page.
NOTE: The URL Shortener is used by Cyber Criminals to keep the real Web URL from being displayed in the message. Hence, criminals heavily rely on this service.
2. REDIRECTION: ON THE PHISHING PAGE
Let’s proceed with the URL found in the above image: http://bitly.ws/zcqv
By expanding it, it resolves to the following Web URL:-
https://ramhulas-shopeno1.web.app
NOTE: Shopeno1 is a tag used by Merchants to identify their Physical Shops in a street. It was originally spelled Shop №1; the added “e” may be a human error. The same mistake is found in another record of a physical shop located in Mumbai.
The Scam starts with a Phishing page served to the user when s(he) clicks on the link received in the text message.
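The two-hop chain above (shortener, then a free-hosted page) is exactly what a defender wants to resolve without ever rendering the page. The following Python script is an added example, not code from the original article: it follows `Location` headers hop by hop, never fetches a page body, and flags when a shortener lands on a free app-hosting platform. The shortener and hosting lists are my assumptions, and the redirect table is constructed to mirror the chain the article describes; swap in `http_head_location` to run it against live URLs.

```python
"""Expand a shortened URL hop by hop and classify where it lands.

Added example (not from the original article). The constructed redirect
table reproduces the chain described in the text:
http://bitly.ws/zcqv -> https://ramhulas-shopeno1.web.app
The shortener/hosting lists are assumptions, not a published feed.
"""
from __future__ import annotations

import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass, field

# Hosts commonly used as URL shorteners (assumed list, extend as needed).
SHORTENER_HOSTS = {"bitly.ws", "bit.ly", "tinyurl.com", "t.co", "cutt.ly"}

# Domain suffixes of free app-hosting platforms where anyone can publish a
# page within minutes. ".web.app" / ".firebaseapp.com" are Firebase Hosting,
# the platform identified in the article.
FREE_HOSTING_SUFFIXES = {
    ".web.app": "Firebase Hosting",
    ".firebaseapp.com": "Firebase Hosting",
    ".netlify.app": "Netlify",
    ".github.io": "GitHub Pages",
    ".pages.dev": "Cloudflare Pages",
}
MAX_HOPS = 10


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so every hop is visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head_location(url: str, timeout: float = 5.0) -> str | None:
    """Live resolver: HEAD request, return the Location header (or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled, 3xx responses surface as HTTPError.
        return err.headers.get("Location")
    except (urllib.error.URLError, OSError):
        return None


@dataclass
class ExpansionResult:
    hops: list[str] = field(default_factory=list)
    final_url: str | None = None
    shorteners: list[str] = field(default_factory=list)
    hosting: str | None = None
    findings: list[str] = field(default_factory=list)


def classify_host(host: str) -> tuple[bool, str | None]:
    """Return (is_shortener, free_hosting_platform_or_None) for a hostname."""
    host = host.lower()
    platform = next((name for suffix, name in FREE_HOSTING_SUFFIXES.items()
                     if host.endswith(suffix)), None)
    return host in SHORTENER_HOSTS, platform


def expand_url(url: str, resolve) -> ExpansionResult:
    """Follow Location headers without fetching bodies; resolve(url) -> next URL."""
    result = ExpansionResult()
    seen: set[str] = set()
    current = url
    while len(result.hops) < MAX_HOPS:
        if current in seen:
            result.findings.append("redirect loop")
            break
        seen.add(current)
        result.hops.append(current)
        is_short, platform = classify_host(urllib.parse.urlsplit(current).hostname or "")
        if is_short:
            result.shorteners.append(urllib.parse.urlsplit(current).hostname)
        if platform:
            result.hosting = platform
        nxt = resolve(current)
        if nxt is None:
            break
        current = urllib.parse.urljoin(current, nxt)  # handle relative Location
    else:
        result.findings.append("hop limit reached")
    result.final_url = result.hops[-1]
    if result.shorteners and result.hosting:
        result.findings.append(f"shortened link lands on a free {result.hosting} page")
    return result


# Constructed redirect table standing in for live HEAD responses.
CONSTRUCTED_CHAIN = {"http://bitly.ws/zcqv": "https://ramhulas-shopeno1.web.app"}


def demo() -> ExpansionResult:
    return expand_url("http://bitly.ws/zcqv", CONSTRUCTED_CHAIN.get)


if __name__ == "__main__":
    r = demo()
    print(" -> ".join(r.hops))
    print("findings:", r.findings)
```

Resolving with HEAD and a hop cap keeps the analyst's machine from executing whatever the landing page serves, and the loop check matters because shortener abuse often chains several services together.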
3. DATA COLLECTION: Harvesting Customer PII
Fields such as Username, Password, and Mobile Number are demanded from the customer in order to exfiltrate their sensitive information.
NOTE: Here, for demo purposes, we are going to use imaginary names to walk through the SCAM’s Inner Workings.
After feeding a (fake) username, password and Mobile Number, the page redirects to the OTP page.
Here, it is not necessary to feed the correct OTP; feeding any random 8-digit Key suffices to proceed further.
NOTE: This step is used by criminals to capture the real OTP entered by the legitimate user on this Phishing page, while the Cyber Criminals operate the customer’s account in parallel on the legitimate platform.
After entering the (random) OTP, the Customer is asked to feed in further information such as “Account Holder Name” and “Date of Birth”.
This information is useful for Cyber Criminals to recover or reset the genuine customer account while attempting financial fraud.
After entering the required details, the customer is again prompted to enter an OTP, just to make sure the captured code is correct.
After entering the (random) OTP, the Criminals demand the next set of sensitive information such as PAN NAME and PAN CARD Number.
NOTE: This information is vital, as a person’s financial statements are tied to their PAN when filing Income Tax Records annually in INDIA.
Upon entering the above details, another OTP prompt appears.
After the 2nd OTP, it again asks for sensitive information such as Father’s Name and Branch Name.
Having obtained all this information, it can be assumed that Cyber Criminals use the exfiltrated data for their next Phishing or Targeted Campaigns.
Now, a final OTP Prompt appears, after which nothing further happens.
As there is no action afterward, at this stage a person comes to know that they have fallen for the trap laid by the Cyber Criminals by submitting sensitive information.
NOTE: As I have reported on the website, there is a “Deceptive Site Danger” notification displayed if anyone tries to open this site, before they proceed to it.
TRACING BACK-END
Upon analyzing the domain, it is found that this Phishing Site is hosted on Firebase, as it ends with “.web.app”.
NOTE: Using such platforms helps the criminals run their SCAM Campaigns until someone scans the site with VirusTotal or reports it individually to get it removed.
Upon further analysis, the following details are found:-
Site: https://ramhulas-shopeno1.web.app
Short URL: http://bitly.ws/zcqv
IP: 199.36.158.100
Hosted: Fastly
Phone Number used: 9431707692
Location: Bihar, INDIA
Mobile Connection: BSNL
OUTGOING LINK: http://ravins.online/apps/hdfc.apk
Active Since: 7th December 2022
IP ANALYSIS
It is found that the site is not hosted directly but behind the Fastly CDN Service, so that it blends in with the other traffic on that IP. This IP has already been observed in several malicious activities such as Phishing, Malware Delivery, etc.
INSPECTING OUTGOING LINK
The outgoing link (ravins.online) present on the SBI YONO Phishing Page has existed since 4th November 2022.
Although the site is unreachable at the moment, it was found that the website contained a single text titled “Hellow World”.
Upon further investigation, the above-mentioned site is found in an Android BankBot list, where the Banking Bots found on Android are catalogued.
NOTE: BANKBOT is a generic name given to the malicious banking applications (bots) found in the Android Environment. These are capable of exfiltrating sensitive information from the user’s phone and sending it to the Attacker.
OTHER YONO SCAMS
INCIDENT-1
URL: https://bit.ly/3DYz6AQ
Phone Number Used: 8967755247
Location: West Bengal
INCIDENT-2
URL: https://bit.ly/3BwwJTd
TIMELINE: November 2021
INCIDENT-3
Phone Number Used: 7205474499
TIMELINE: September 2022
Location: Laxme B from Orissa
Connection: Airtel
Company: PASFER TECH PRIVATE LTD
INCIDENT-4
Phone Number Used: 9742033314
Location: Karnataka
Connection: Vodafone
Luring using: Credit Card Limit Extension
INCIDENT-5
Phone Number Used: 9163657801
URL: sbcek.co.in
Location: Kolkata
IMPACT OF SBI PHISHING: FINANCIAL LOSS
The Impact of the above-said SCAM is huge if the user does not pay meticulous attention to the received Phishing Message on their phone.
Following is an example, which happened recently:-
More complaints like this are being voiced on various platforms such as Social Networking and Microblogging Sites, as there is no proper channel to hear back from SBI Officials.
The above image clearly tells us that SBI Phishing is not new, and it’s high time to act immediately on these kinds of fraud to make the customer experience safe.
PS: This incident was reported directly to both SBI and CERT-IN beforehand.
A CATALYST FOR FUTURE SCAMS
The information collected by the Cyber Criminals is used in future SCAM/Fraud Campaigns, set up by Scamsters to target a larger user base with different themes at various times.
This paves the way for countless Fraudulent Activities such as: Selling Customer data on the Dark Web, Account Drainage by Criminals, Money Laundering, Loan Attacks (where a criminal uses the collected information to apply for loans from different agencies), SIM Registration (to get legitimate new phone numbers without the owner’s knowledge) and much more.
A combination of the above-discussed criminal activities could create financial havoc for an individual or institution.
The above-discussed CASE STUDY is just a single Incident of YONO SBI Banking Phishing. Regularly, many banks get targeted, new Phishing sites keep mushrooming, and more victims fall for the traps laid by the criminals.
PSYCHOLOGY OF SCAMMER
Using powerful words which instigate PANIC/FEAR among users makes common people more likely to fall for the scam.
Messages that “offer” OTPs instead of asking for them make customers log in to their genuine account, resulting in an account takeover by Cyber Criminals.
New regulations rolled out by Banking Authorities have not widely reached the general public, which Criminals exploit to target their audience.
Using the same format as genuine Banking Text Messages lures users into falling easily.
Use of unpopular TLDs is another method Criminals use to defraud users.
How a Phishing Page looks at first glance plays an important role in defrauding the general public.
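Each of the scammer tells listed above can be turned into a detection feature. The script below is an added example, not part of the original article: it scores an SMS on panic wording, OTP talk, mimicry of the bank message format, links that are not on the bank's own domains or sit on an unpopular TLD, and delivery from a plain 10-digit mobile number rather than a bank sender ID (the incidents above all came from personal mobile numbers). The word lists, weights, threshold, the allow-list of genuine SBI domains and the benign sample message are my assumptions; the scam sample is the message quoted in the article with its shortened link and the reported sender number.

```python
"""Heuristic triage of bank-themed SMS using the scammer tells the article
describes: panic wording, OTP talk, bank-format mimicry, off-domain links on
unpopular TLDs, and sending from an ordinary mobile number.

Added example (not from the original article). Word lists, weights, the
threshold and the genuine-domain allow-list are assumptions; tune them
against your own message corpus.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

PANIC_WORDS = {"blocked", "suspended", "deactivated", "expire", "immediately",
               "urgent", "within 24 hours", "last chance"}
# Phrases that make a message look like genuine bank correspondence.
BANK_FORMAT_WORDS = {"dear customer", "kyc", "pan card", "pan", "team", "a/c", "account"}
BRAND_WORDS = {"sbi", "yono"}
# Assumed allow-list of genuine domains; sbiyono.sbi is the legacy portal named in the article.
GENUINE_DOMAINS = {"sbi.co.in", "onlinesbi.sbi", "sbiyono.sbi"}
# TLDs real Indian banks rarely use for customer-facing links (assumed).
UNPOPULAR_TLDS = {"online", "xyz", "top", "site", "ws", "app", "icu", "club"}
THRESHOLD = 5

URL_RE = re.compile(
    r"https?://[^\s\"'<>]+"                                                  # explicit scheme
    r"|\b(?:[a-z0-9-]+\.)+(?:in|com|net|org|online|xyz|top|site|ws|app|icu|club)\b",  # bare domain
    re.I)
MOBILE_SENDER_RE = re.compile(r"^(?:\+?91)?\d{10}$")


def _present(words: set[str], text: str) -> list[str]:
    """Whole-word matches so 'pan' does not fire on 'company'."""
    return sorted(w for w in words if re.search(rf"\b{re.escape(w)}\b", text))


def _host(token: str) -> str | None:
    if not token.lower().startswith(("http://", "https://")):
        token = "http://" + token
    return urlsplit(token).hostname


def is_genuine(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in GENUINE_DOMAINS)


def score_sms(sender: str, text: str) -> tuple[int, list[str]]:
    """Return (score, reasons); higher means more likely phishing."""
    low = text.lower()
    score, reasons = 0, []
    if panic := _present(PANIC_WORDS, low):
        score += 2
        reasons.append("panic wording: " + ", ".join(panic))
    if _present(BRAND_WORDS, low) and _present(BANK_FORMAT_WORDS, low):
        score += 1
        reasons.append("mimics bank message format")
    if re.search(r"\botp\b", low):
        score += 1
        reasons.append("mentions OTP")
    for token in URL_RE.findall(text):
        host = _host(token)
        if not host or is_genuine(host):
            continue
        score += 2
        reasons.append(f"link to non-bank host {host}")
        if (tld := host.rsplit(".", 1)[-1].lower()) in UNPOPULAR_TLDS:
            score += 1
            reasons.append(f"unpopular TLD .{tld}")
    if MOBILE_SENDER_RE.match(sender.replace(" ", "")):
        score += 2
        reasons.append("sent from a personal mobile number, not a bank sender ID")
    return score, reasons


def is_suspicious(sender: str, text: str) -> bool:
    return score_sms(sender, text)[0] >= THRESHOLD


# Sample 1: the message quoted in the article, with its shortened link and reported sender.
SCAM_SMS = ("9431707692", "Dear customer your YONO SBI account will be blocked. "
            "Please update your PAN CARD and complete our KYC. Click here http://bitly.ws/zcqv SBI Team")
# Sample 2: constructed benign transaction alert from a bank-style sender ID (assumed format).
BENIGN_SMS = ("SBIINB", "Your a/c XX1234 is debited by Rs 500.00 on 07Dec22. "
              "Avl bal Rs 12,000.00. If not done by you, call 1800 1234.")

if __name__ == "__main__":
    for sender, text in (SCAM_SMS, BENIGN_SMS):
        score, reasons = score_sms(sender, text)
        print(f"{sender}: score={score} suspicious={score >= THRESHOLD}")
        for r in reasons:
            print("   -", r)
```

The allow-list check is deliberately suffix-based on registrable domains, so a look-alike such as a brand word buried in a subdomain of some other registrable domain still counts as off-domain; the sender test is the cheapest signal of all, since genuine alerts never arrive from a subscriber's mobile number.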
Follow me on Twitter for interesting DarkWeb/InfoSec Short findings! ;-)
NOTE:- The article is purely Individual Research and is not to be used/published anywhere without the Author’s consent.