
New wave of Financial Fraud: Scammers Monitoring Social Media Complaints

IRCTC and multiple Indian Banking Users at Risk

Twitter is a popular social media platform that allows people from all walks of life to share their thoughts, ideas, and experiences with others. Users can express their opinions, ask questions, and share their knowledge with a wide audience.

With its reach and influence, Twitter has become a powerful tool for communication and connection. Additionally, Twitter has become a platform for users to voice their complaints and bring attention to issues that matter to them.

Recently, Cyble Research and Intelligence Labs discovered a scam that is targeting citizens in India. The scammers use Twitter to find potential victims by monitoring user complaint tweets. These tweets, which are meant to bring attention to issues and problems, are being exploited by cybercriminals to target their victims.

We also noticed a scam involving the Indian Railway Catering and Tourism Corporation (IRCTC). The scammers seem to monitor Twitter for complaints about the Indian Railway, and when they find a victim’s contact information, they will call to initiate the scam.

The figure below shows one example of a complaint tweet posted by a user and the subsequent call the user received from the scammer.

Figure 1 – IRCTC complaint posted by the user on Twitter

Upon seeing the victim’s tweet, the scammer pretends to be an IRCTC customer support representative and calls the victim to request personal information such as the Train PNR number, order number, refund amount, and payment method.

Even if the victim does not provide the requested information, the scammer keeps trying to carry out financial fraud using various other techniques.

The same victim may also be targeted by multiple scammers, who may use different tactics to gain control of the victim’s bank account through UPI fraud. Some examples of UPI frauds that scammers may use are:

Linking victim’s mobile number or account through UPI to scammer device:

In this case, the scammer contacted the victim over call and requested personal information, including which UPI payment app they used. The scammer sent an SMS during the call with an activation code, as shown in Figure 2.

Once the victim receives the message, the scammer asks them to forward an SMS to a specific number.

According to the article on UPI fraud by RazorPay, the scammer can link the victim’s mobile number or account to their own device through UPI once the victim forwards the received message. The screenshot below shows the scammer’s call history and the verification code received during the call.

Figure 2 – Call history with Scammer and UPI activation message

Scammers send the Google form to collect sensitive information:

In certain instances, the scammer may request basic personal information from the victim to avoid arousing suspicion and will send a Google form to collect sensitive details, including the victim’s mobile number, UPI PIN, and other personal information. The figure below shows an example of this:

Figure 3 – Google form link sent by a scammer to collect UPI pin

The mobile number of the scammer has negative comments related to the scam on Truecaller, and they have used the Indian Railway logo as their WhatsApp profile picture in an attempt to convince victims that they are a legitimate IRCTC customer support representative.

Figure 4 – Negative review of the scammer’s mobile number and WhatsApp profile using the Indian Railway logo

Scammer sends a phishing link or malicious APK file on WhatsApp:

Scammers have been using Android malware in addition to other fraudulent tactics. They may send a phishing link that downloads a malicious APK file to infect the device, or they may send the malicious file via WhatsApp.

Scammers use such malicious APK files with names like “IRCTC customer.apk,” “online complaint.apk,” or “complaint register.apk” to trick victims into revealing their net banking credentials, UPI details, credit/debit card information, and sometimes even their One-Time-Passwords (OTPs) used for two-factor authentication (2FA) implemented by banks.

Figure 5 – Malicious APK file forwarded by the scammer

Related to the same scam, CRIL came across a phishing site hxxps://mycomplainquery[.]in, which pretends to be the customer support site and prompts victims for basic information such as name, mobile number, and complaint query.

Figure 6 – Phishing page pretending to be customer support

The phishing website prompts the user to input the refund amount upon providing the required information. It later offers various payment options, including credit cards, online banking, and the Unified Payments Interface (UPI).

Figure 7 – Phishing site prompts for the refund amount
Figure 8 – Phishing site offers payment options

After the victim chooses a payment option on the phishing site, they are asked to enter sensitive banking information such as their UPI identification, UPI personal identification number, net banking login details, credit card information, and debit card details. This stolen data is then sent to the Command and Control (C&C) server.

Figure 9 – Phishing site stealing sensitive banking details

After obtaining sensitive banking information, the phishing site may ask the victim to install a malicious application to track the complaint status. However, this application will also be used to steal incoming text messages from the infected device.

Figure 10 – Phishing site downloads malicious Android app

Technical Analysis 

APK Metadata Information  

  • App Name: complain register
  • Package Name: com.my.update
  • SHA256 Hash: f952c05d9df163cdc96938222c197ea10c9250b3e548a880b0c52faa9c4d6e28

The below figure shows the metadata information of the application. 

Figure 11 – Malicious Application Metadata Information

The malicious application will ask the victim to grant SMS permission upon installation. It will then display a complaint tracking page and encourage the victim to enter their complaint number, email address, and phone number.

Figure 12 – Malicious application prompts for permission and loads fake complaint tracking page

The malware includes an SMSReceiver in the Manifest file, which allows it to collect incoming SMS messages on an infected device and send them to a command and control (C&C) server at hxxps://mycomplainquery[.]in/api/message.

Figure 13 – SMS Receiver stealing incoming SMS

The malware also connects to the endpoint hxxps://mycomplainquery[.]in/api/phone to receive the phone number to which it forwards incoming SMS messages.

Figure 14 – Malware sending SMS on the number received from the C&C server
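The combination described above (SMS permissions plus a broadcast receiver registered for incoming SMS) is something an analyst can check statically before reading any code. The following script is an added example written for this article, not Cyble's tooling: it parses a decoded AndroidManifest.xml (the form produced by apktool or aapt) and reports the SMS permissions, any receiver that listens for android.provider.Telephony.SMS_RECEIVED, and whether the app can also send SMS onward. The two manifests embedded in it are constructed; the package name com.my.update, the "complain register" label and the SMSReceiver class name are taken from the analysis above, everything else (activity names, the benign app) is illustrative.

```python
"""Static triage of a decoded AndroidManifest.xml for the SMS-interception
pattern described in the blog: SMS permissions plus a broadcast receiver
registered for android.provider.Telephony.SMS_RECEIVED.

Added example, not Cyble's tooling. Both manifests below are constructed:
package name, app label and receiver class follow the blog's analysis,
everything else is illustrative.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"          # android:name attribute
A_PRIORITY = f"{{{ANDROID_NS}}}priority"  # android:priority attribute

SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest resembling the decoded sample (not the real file)
MALICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.my.update">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="complain register">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".SMSReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

# Constructed benign manifest for contrast: INTERNET only, no SMS receiver
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tracker">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Complaint Tracker">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>"""


def triage_manifest(xml_text: str) -> dict:
    """Return the SMS-related facts a reviewer wants before opening the code."""
    root = ET.fromstring(xml_text)
    permissions = {p.get(A_NAME) for p in root.iter("uses-permission")}
    sms_permissions = sorted(permissions & SMS_PERMISSIONS)

    sms_receivers = []
    for receiver in root.iter("receiver"):
        for intent_filter in receiver.iter("intent-filter"):
            actions = {a.get(A_NAME) for a in intent_filter.iter("action")}
            if SMS_RECEIVED in actions:
                sms_receivers.append({
                    "class": receiver.get(A_NAME),
                    # A high priority was the classic way to see an SMS before the
                    # messaging app; since Android 4.4 it no longer blocks delivery,
                    # but SMS stealers still set it, so it is worth recording.
                    "priority": int(intent_filter.get(A_PRIORITY, "0")),
                })

    # The analysed sample both reads incoming SMS and sends them onward, so an
    # SMS_RECEIVED receiver plus RECEIVE_SMS is the combination to flag and
    # SEND_SMS on top of that indicates forwarding. A final verdict still
    # needs a look at the receiver's code and network endpoints.
    return {
        "package": root.get("package"),
        "sms_permissions": sms_permissions,
        "sms_receivers": sms_receivers,
        "forwards_sms": "android.permission.SEND_SMS" in sms_permissions,
        "suspicious": bool(sms_receivers)
        and "android.permission.RECEIVE_SMS" in sms_permissions,
    }


if __name__ == "__main__":
    for label, manifest in (("sample", MALICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(manifest))
```

Run it against the output of `apktool d <file>.apk` (the AndroidManifest.xml in the decoded directory); the check is deliberately a triage heuristic, because a legitimate default SMS app registers the same receiver, so the result should be read together with the app's stated purpose and its network endpoints.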

The IP address “217.21.94[.]24” was found to be hosting the C&C server hxxps://mycomplainquery[.]in and communicating with the malicious APK file “icici.apk”.

This APK file was part of a campaign that distributed info stealer malware to target Indian bank customers as part of a reward scam. The connection between the IP address and the APK file suggests that the same threat actor is behind both scams.

Figure 15 – IP hosting C&C server involved in Reward scam

In addition to targeting IRCTC users, these scammers have also been targeting customers of other brands and organizations such as MobiKwik, Spicejet, and Indian banks. When users report complaints on social media, scammers take advantage of the opportunity to carry out phishing attacks, asking the users to download malicious files in order to "file" their complaints and then stealing funds from their bank accounts.

Some examples of this can be seen in the below image from different users who have experienced this tactic.

Figure 16 – Users received a call from scammers after raising a complaint on social media

We have observed a group of financially motivated scammers based in India responsible for this scam. The same victims receive calls from different scammers, each pretending to be a customer support representative, claiming to initiate the transfer of funds, and stealing money from their bank accounts using different fraud tactics. This suggests a coordinated effort to deceive and defraud the targets for financial gain.

Conclusion

The reward scam began in late 2020 and targeted various Indian banking users through different themes. Recently, CRIL noticed that the scammers behind the reward scam have started monitoring users’ refund complaints on social media to identify potential victims and steal their funds using various techniques. This demonstrates how cybercriminals are constantly finding new ways to exploit people’s online activity and use it to their own benefit.

It is important for users to be aware of these scams and to be cautious when providing personal information or downloading files online.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  • Download and install software only from official app stores like Google Play Store or the iOS App Store.
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Never share your Card Details, CVV number, Card PIN, and Net Banking Credentials with an untrusted source.
  • IRCTC or other legitimate organizations never ask for a Card PIN or UPI PIN with other banking information; avoid sharing such information over call.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

MITRE ATT&CK® Techniques

Tactic          Technique ID   Technique Name
Initial Access  T1566          Phishing
Initial Access  T1476          Deliver Malicious App via Other Means
Persistence     T1402          Broadcast Receivers
Collection      T1412          Capture SMS Messages
Exfiltration    T1567          Exfiltration Over Web Service

Indicators of Compromise (IOCs)

Indicator                                                          Indicator Type   Description
f952c05d9df163cdc96938222c197ea10c9250b3e548a880b0c52faa9c4d6e28   SHA256           Hash of malicious APK
bf0cbcea2df55ca0a0bdebec8f615bb71eba4636                           SHA1             Hash of malicious APK
f4a6093132a4765ffe9115f3bb386f6b                                   MD5              Hash of malicious APK
hxxps://mycomplainquery[.]in                                       URL              Android Malware Distribution URL & C&C server
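The indicators above are published defanged (hxxps, [.]) so they cannot be clicked by accident; to use them in detection they have to be refanged and matched against proxy, firewall and endpoint logs. The script below is an added example written for this article, not Cyble tooling. It loads the hashes and URL from the table (plus the C&C host IP named in the analysis), refangs them, reduces the URL to its hostname so that any path under the C&C domain such as /api/message or /api/phone matches, and scans a handful of constructed log lines. The log lines, hostnames and usernames in it are invented for the demonstration.

```python
"""Refang the published IOCs and match them against log lines.

Added example, not Cyble's tooling. The hash, URL and IP values are the
ones given in the blog; the log lines are constructed for the demo.
"""
import re
from urllib.parse import urlsplit

# (type, defanged value, description) as published, plus the C&C host IP
DEFANGED_IOCS = [
    ("sha256", "f952c05d9df163cdc96938222c197ea10c9250b3e548a880b0c52faa9c4d6e28", "Hash of malicious APK"),
    ("sha1", "bf0cbcea2df55ca0a0bdebec8f615bb71eba4636", "Hash of malicious APK"),
    ("md5", "f4a6093132a4765ffe9115f3bb386f6b", "Hash of malicious APK"),
    ("url", "hxxps://mycomplainquery[.]in", "Android Malware Distribution URL & C&C server"),
    ("ip", "217.21.94[.]24", "IP hosting the C&C server"),
]

# Constructed log lines (proxy, EDR, firewall); the hash is upper-cased on
# purpose to show that matching is case-insensitive.
SAMPLE_LOGS = [
    "2023-03-01T10:15:22Z proxy user=alice method=GET url=https://mycomplainquery.in/api/phone status=200",
    "2023-03-01T10:16:01Z edr host=android-01 event=file_write name=complain_register.apk "
    "sha256=F952C05D9DF163CDC96938222C197EA10C9250B3E548A880B0C52FAA9C4D6E28",
    "2023-03-01T10:20:45Z proxy user=bob method=GET url=https://example.com/index.html status=200",
    "2023-03-01T10:22:00Z fw src=10.0.0.5 dst=217.21.94.24 dport=443 action=allow",
]

HEX_RE = re.compile(r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def refang(value: str) -> str:
    """Turn a defanged indicator back into its real form."""
    return value.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".")


def build_watchlist(iocs):
    """Index IOCs by what a log line actually contains: hash, hostname or IP."""
    watch = {"hash": {}, "domain": {}, "ip": {}}
    for kind, value, desc in iocs:
        real = refang(value)
        if kind in ("sha256", "sha1", "md5"):
            watch["hash"][real.lower()] = (kind, desc)
        elif kind == "url":
            watch["domain"][urlsplit(real).hostname.lower()] = (kind, desc)
        elif kind == "ip":
            watch["ip"][real] = (kind, desc)
    return watch


def scan_line(line: str, watch) -> list:
    """Return (kind, indicator, description) for every IOC seen in one line."""
    hits = []
    for tok in HEX_RE.findall(line):
        if tok.lower() in watch["hash"]:
            kind, desc = watch["hash"][tok.lower()]
            hits.append((kind, tok.lower(), desc))
    for host in HOST_RE.findall(line):
        host = host.lower()
        for domain, (kind, desc) in watch["domain"].items():
            # exact match or any subdomain of the watched domain
            if host == domain or host.endswith("." + domain):
                hits.append((kind, domain, desc))
    for ip in IPV4_RE.findall(line):
        if ip in watch["ip"]:
            kind, desc = watch["ip"][ip]
            hits.append((kind, ip, desc))
    return hits


def scan_logs(lines, iocs=DEFANGED_IOCS) -> list:
    """Scan every line; each hit records the line index so it can be triaged."""
    watch = build_watchlist(iocs)
    results = []
    for idx, line in enumerate(lines):
        for kind, indicator, desc in scan_line(line, watch):
            results.append({"line": idx, "kind": kind, "indicator": indicator, "description": desc})
    return results


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['kind']} {hit['indicator']} ({hit['description']})")
```

Hash tokens are matched only when they appear in the watchlist, so unrelated 32-character hex strings such as session IDs do not produce noise; a hit on the domain or IP is the stronger signal here because it indicates live communication with the C&C, not just a file on disk.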
