Cyble-Blogs-Con-Games

Con Games: Fraudsters posing as VLEs duping CSC Bank Mitra Scheme Subscribers

Cyble Research & Intelligence Labs (CRIL) investigated a fraudulent operation carried out by impostors posing as Village Level Entrepreneurs (VLEs) to dupe and scam Indian rural subscribers registering for Customer Service Point (Bank Mitra), an initiative under the Common Services Center (CSC) Scheme of the Ministry of Electronics and Information Technology (MEITY), India.

According to official figures, CSC Bank Mitra has established over 8500 Customer Service Points or kiosks to facilitate rural Indian entrepreneurs in extending basic banking services to unbanked consumers in 28 states of India.

The VLEs are registered under the CSC scheme and deliver various government and non-government schemes to the local people from CSC outlets. To be part of the scheme, a VLE has to undergo a registration process on the portal register.csc.gov.in and submit documents to ascertain their eligibility.

Our probe into one such case sheds light on the Tactics, Techniques, and Procedures (TTPs) adopted by many such fraud operations under the garb of the CSC scheme.

In-depth Investigation into one such Case

In August 2022, Cyble was informed by an outreach contact about an ongoing financial fraud operation in northern India.

In this particular scam, the entrepreneurs intending to acquire a Customer Services Point (CSP) were directed by the fraudsters to visit and register on a fake website “ecscgov.co.in, posing as an official portal for the Common Services Center (CSC) Scheme by MEITY, India.

Figure 1: Home page of the fraudulent web portal ecscgov.co.in

The drop-down menu in the fraudulent application form also gathers information on the bank consumers intending to apply for the CSP Kiosk.

The fraudsters contacted the victim via WhatsApp using the mobile number +919163270984 – pretending to be a CSC operator (also known as Village Level Entrepreneur or VLE).

After a couple of days, the fraudsters provided an application form and demanded identification documents (Aadhaar, PAN, and Voter Card) for an alleged Know-Your-Customer (KYC) verification or obtaining CSC registration from the victim.

Upon submission of the requested documents, the victim received a prospectus and a commission chart. The counterfeited prospectus had the contact details of the fraudsters (as mentioned below) and had the same mobile number from which the fraud operators initiated the communication.

Mobile: +919903158841

Email: support@ecscgov.co.in

Website: ecscgov.co.in

Further, the fraudsters also used a WhatsApp mobile number, +917699197820, to demand INR 2,000 to set up login credentials on the alleged porta

It is noteworthy that as per government regulations about registration as CSC, no registration fee is to be submitted by the registrant.

Subsequently, once the victim had made payments, they received an email from info@ecscgov.co.in, which included account login details to the fraudulent portal.

Figure 2: Email sharing dummy account credentials

The fraudsters shared two forged letters allegedly demanding an additional fee of INR 15,200 and INR 50,000 to open overdraft limit (OD) and Kiosk ID accounts from the victim.

Figure 3: Counterfeit letters from fraudsters

The fraudster then communicated to the victim to submit the CSC Registration Form generated from the fake website with their Personally Identifiable Information (PII). The fraudsters then used this information to display it as the Know-Your-Customer (KYC) information of the victim on their dummy account at ecscgov.co.in.

The dummy customer account also reflected the victim’s obfuscated overdraft bank account number and the total amount swindled from the victim over several UPI transactions.

Figure 4: Screenshot from the dummy account at ecscgov.co.in

The bank details, as observed in the counterfeit letters provided by the scammers, are as follows:

Bank Name: State Bank of India

Account Number: 35387334400

Holder’s Name: Mohit Sharma

IFSC Code: SBIN0001719

Bank Name: Axis Bank

Account Number: 922010024644297

Holder’s Name: Kundan Kumar

The victim informed that the fraudsters extorted an amount of over INR 1,50,000 in various intervals. All the transactions were made to three UPI accounts shared by the fraudster, apparently registered to Akash Das, Mohit Sharma, and Kundan Kumar.

The following figures include the screenshots from the first and the last transaction:

Figure 5: The transaction receipts displaying all three UPI accounts used in the fraud scheme

Further information revealed by the victim indicates that they were approached again by one of the other fraudsters active behind the WhatsApp mobile number +917596916988 asking for personal information and further duped the victim of INR 11,500 under the garb of getting some approvals.

The subsequent bank account details provided by the fraudsters for depositing the amount mentioned above are as follows:

Account Name:            Save Solution Pvt. Ltd.

Account Number:        58160201004556

IFSC Code:                   UBIN05530042

Bank Name:                Union Bank

Account Name:            Save Solution

Account Number:        50210001545711

IFSC Code:                   BDBL0001750

Bank Name:                Bandhan Bank

During the conversation with the targeted victim, the fraudsters using +917596916988 also shared the following scanned identity documents to establish their legitimacy. However, the fraudsters likely shared stolen identity cards to convince the victim.

Figure 6: Scanned ID cards shared by the fraudsters

We were also informed that the fraudsters also operated another mobile number, +919163270984, registered as a WhatsApp business, which mentions their email address as support@ecscgov.com and support@ecscgov.co.in.

Open-source Investigation

Open sources indicated multiple fraudulent complaints in the name ofSave Solution Pvt. Ltd.”

Figure 7: Fraud Complaints observed against Save Solution since 2019

Open-source research also identified that the subject fraud website “ecscgov.co.in was mentioned on the Facebook page, facebook.com/people/Banking-CSP-Service/100075990986621(Banking CSP Service).

As highlighted earlier in our research, another such spurious domain, “ecscgov.com,” was also mentioned on the Facebook pages facebook.com/CSP-Service-Kendra-104957375450353 (CSP Service Kendra) and facebook.com/C-S-P-POINT-107975831738629 (C-S-P POINT) was active until February 2022 and December 2021 respectively. The WhatsApp number shared on the former was +918292684046.

Figure 8: Facebook profiles associated with ecscgov.co.in and ecscgov.com (Left, Middle), WhatsApp profile +918292684046 (Right)

The historical WHOIS information for “ecscgov.com” revealed the registrant information as:

Owner:           Sudhir Verma

Address:         56, Nehru Nagar, Delhi – 110006

Country:         India

Phone:            +918902247758

E-mail:            sudhirverma2021del@gmail.com

(**The information on the WHOIS registrant could not be validated)

A DNS search on ecscgov.co.in and ecscgov.com revealed the following related fraudulent domains:

DOMAINIP ADDRESSNAME SERVERMAIL SERVERSTATUS
ecscgov.co.in
Subject Domain
184.168.118.234
United States
ns11.domaincontrol.commail.ecscgov.co.inInactive
e-cscgov.co.in184.168.96.164
Singapore
ns35.domaincontrol.commail.e-cscgov.co.inActive
e-csc.gov.co.in173.255.194.134
United States
ns1.mytrafficmanagement.com
ns2.mytrafficmanagement.com
Not AvailableInactive
e-cscgov.com68.178.145.72
United States
ns11.domaincontrol.commail.e-cscgov.comInactive

The official Twitter account of the Common Services Centers in July 2022 also highlighted one of the websites mentioned above.

Figure 9: Official notification from CSCeGov

Conclusion

Our thorough research of this fraud case highlights the risk that unsuspecting consumers face in identifying genuine CSP business correspondents. This ambiguity among consumers is majorly driven by several unverified Village Level Entrepreneurs (VLEs) operating their websites and portals that pretend to offer CSP Kiosk setup services and have been duping consumers since the inception of the government-backed Digital India scheme to benefit rural parts of India.

The Common Services Center (CSC) might be aware of ongoing fraud operations. It is concurrent with the fact that there were several consumer complaints against similar fraud schemes followed by a ticker notification published on the official website csc.gov.in addressing Village Level Entrepreneurs (VLEs) to verify their credentials. However, It is worth mentioning that the illicit schemes can only be thwarted by thorough investigation and verification of VLEs and persistent monitoring of any websites that pose as a business correspondent under the CSC scheme.

Further, government departments should also avail continuous threat intelligence and monitoring services to quickly identify suspicious or fraudulent domains registered to target their legitimate websites and schemes and take such malicious websites down before they are used to perpetrate fraud.


Recent Blogs

BATLoader-RATs-Stealers-OneNote

Cyble analyzes BATLoader – A sophisticated loader being utilized by Threat Actors to deliver several malware families.

Read More »
Qakbot-Microsoft-OneNote

Cyble Research & Intelligence Labs analyzes new strategies deployed by Qakbot to infect users via Microsoft OneNote.

Read More »
Scroll to Top