Cyble Research & Intelligence Labs (CRIL) investigated a fraudulent operation carried out by impostors posing as Village Level Entrepreneurs (VLEs) to dupe and scam Indian rural subscribers registering for Customer Service Point (Bank Mitra), an initiative under the Common Services Center (CSC) Scheme of the Ministry of Electronics and Information Technology (MEITY), India.
According to official figures, CSC Bank Mitra has established over 8500 Customer Service Points or kiosks to facilitate rural Indian entrepreneurs in extending basic banking services to unbanked consumers in 28 states of India.
The VLEs are registered under the CSC scheme and deliver various government and non-government schemes to the local people from CSC outlets. To be part of the scheme, a VLE has to undergo a registration process on the portal register.csc.gov.in and submit documents to ascertain their eligibility.
Our probe into one such case sheds light on the Tactics, Techniques, and Procedures (TTPs) adopted by many such fraud operations under the garb of the CSC scheme.
In-depth Investigation into one such Case
In August 2022, Cyble was informed by an outreach contact about an ongoing financial fraud operation in northern India.
In this particular scam, the entrepreneurs intending to acquire a Customer Services Point (CSP) were directed by the fraudsters to visit and register on a fake website “ecscgov.co.in”, posing as an official portal for the Common Services Center (CSC) Scheme by MEITY, India.
The drop-down menu in the fraudulent application form also gathers information on the bank consumers intending to apply for the CSP Kiosk.
The fraudsters contacted the victim via WhatsApp using the mobile number +919163270984 – pretending to be a CSC operator (also known as Village Level Entrepreneur or VLE).
After a couple of days, the fraudsters provided an application form and demanded identification documents (Aadhaar, PAN, and Voter Card) for an alleged Know-Your-Customer (KYC) verification or obtaining CSC registration from the victim.
Upon submission of the requested documents, the victim received a prospectus and a commission chart. The counterfeited prospectus had the contact details of the fraudsters (as mentioned below) and had the same mobile number from which the fraud operators initiated the communication.
Mobile: +919903158841
Email: support@ecscgov.co.in
Website: ecscgov.co.in
Further, the fraudsters also used a WhatsApp mobile number, +917699197820, to demand INR 2,000 to set up login credentials on the alleged porta
It is noteworthy that as per government regulations about registration as CSC, no registration fee is to be submitted by the registrant.
Subsequently, once the victim had made payments, they received an email from info@ecscgov.co.in, which included account login details to the fraudulent portal.
The fraudsters shared two forged letters allegedly demanding an additional fee of INR 15,200 and INR 50,000 to open overdraft limit (OD) and Kiosk ID accounts from the victim.
The fraudster then communicated to the victim to submit the CSC Registration Form generated from the fake website with their Personally Identifiable Information (PII). The fraudsters then used this information to display it as the Know-Your-Customer (KYC) information of the victim on their dummy account at ecscgov.co.in.
The dummy customer account also reflected the victim’s obfuscated overdraft bank account number and the total amount swindled from the victim over several UPI transactions.
The bank details, as observed in the counterfeit letters provided by the scammers, are as follows:
Bank Name: State Bank of India
Account Number: 35387334400
Holder’s Name: Mohit Sharma
IFSC Code: SBIN0001719
Bank Name: Axis Bank
Account Number: 922010024644297
Holder’s Name: Kundan Kumar
The victim informed that the fraudsters extorted an amount of over INR 1,50,000 in various intervals. All the transactions were made to three UPI accounts shared by the fraudster, apparently registered to Akash Das, Mohit Sharma, and Kundan Kumar.
The following figures include the screenshots from the first and the last transaction:
Further information revealed by the victim indicates that they were approached again by one of the other fraudsters active behind the WhatsApp mobile number +917596916988 asking for personal information and further duped the victim of INR 11,500 under the garb of getting some approvals.
The subsequent bank account details provided by the fraudsters for depositing the amount mentioned above are as follows:
Account Name: Save Solution Pvt. Ltd.
Account Number: 58160201004556
IFSC Code: UBIN05530042
Bank Name: Union Bank
Account Name: Save Solution
Account Number: 50210001545711
IFSC Code: BDBL0001750
Bank Name: Bandhan Bank
During the conversation with the targeted victim, the fraudsters using +917596916988 also shared the following scanned identity documents to establish their legitimacy. However, the fraudsters likely shared stolen identity cards to convince the victim.
We were also informed that the fraudsters also operated another mobile number, +919163270984, registered as a WhatsApp business, which mentions their email address as support@ecscgov.com and support@ecscgov.co.in.
Open-source Investigation
Open sources indicated multiple fraudulent complaints in the name of “Save Solution Pvt. Ltd.”
Open-source research also identified that the subject fraud website “ecscgov.co.in” was mentioned on the Facebook page, facebook.com/people/Banking-CSP-Service/100075990986621(Banking CSP Service).
As highlighted earlier in our research, another such spurious domain, “ecscgov.com,” was also mentioned on the Facebook pages facebook.com/CSP-Service-Kendra-104957375450353 (CSP Service Kendra) and facebook.com/C-S-P-POINT-107975831738629 (C-S-P POINT) was active until February 2022 and December 2021 respectively. The WhatsApp number shared on the former was +918292684046.
The historical WHOIS information for “ecscgov.com” revealed the registrant information as:
Owner: Sudhir Verma
Address: 56, Nehru Nagar, Delhi – 110006
Country: India
Phone: +918902247758
E-mail: sudhirverma2021del@gmail.com
(**The information on the WHOIS registrant could not be validated)
A DNS search on ecscgov.co.in and ecscgov.com revealed the following related fraudulent domains:
| DOMAIN | IP ADDRESS | NAME SERVER | MAIL SERVER | STATUS |
| ecscgov.co.in Subject Domain | 184.168.118.234 United States | ns11.domaincontrol.com | mail.ecscgov.co.in | Inactive |
| e-cscgov.co.in | 184.168.96.164 Singapore | ns35.domaincontrol.com | mail.e-cscgov.co.in | Active |
| e-csc.gov.co.in | 173.255.194.134 United States | ns1.mytrafficmanagement.com ns2.mytrafficmanagement.com | Not Available | Inactive |
| e-cscgov.com | 68.178.145.72 United States | ns11.domaincontrol.com | mail.e-cscgov.com | Inactive |
The official Twitter account of the Common Services Centers in July 2022 also highlighted one of the websites mentioned above.
Conclusion
Our thorough research of this fraud case highlights the risk that unsuspecting consumers face in identifying genuine CSP business correspondents. This ambiguity among consumers is majorly driven by several unverified Village Level Entrepreneurs (VLEs) operating their websites and portals that pretend to offer CSP Kiosk setup services and have been duping consumers since the inception of the government-backed Digital India scheme to benefit rural parts of India.
The Common Services Center (CSC) might be aware of ongoing fraud operations. It is concurrent with the fact that there were several consumer complaints against similar fraud schemes followed by a ticker notification published on the official website csc.gov.in addressing Village Level Entrepreneurs (VLEs) to verify their credentials. However, It is worth mentioning that the illicit schemes can only be thwarted by thorough investigation and verification of VLEs and persistent monitoring of any websites that pose as a business correspondent under the CSC scheme.
Further, government departments should also avail continuous threat intelligence and monitoring services to quickly identify suspicious or fraudulent domains registered to target their legitimate websites and schemes and take such malicious websites down before they are used to perpetrate fraud.
