Executive Summary

CloudSEK’s Threat Intelligence team uncovered a new attack vector for soiling the brand reputation of organizations by supplementing existing scam infrastructure.

Threat Actors have always been on the lookout for ways that they can use to make their scam operations seem legitimate. Historically, we have seen that even if the Fake Domain or the scam domain might seem very real the end goal of the threat actor is receiving money from the victims. A simple check generally reveals if the payment is actually going to the desired organization or not.

In this attack vector lack of verification of the name of the organization while registering a merchant account using a payment provider makes it fairly tough for a victim to differentiate between a legitimate and illegitimate merchant VPA/transaction.

Qwiklabs is a cloud-based platform that offers hands-on learning experiences for developers and IT professionals. It provides temporary credentials to Google Cloud Platform (GCP) and other cloud platforms, allowing users to practice their skills in real-world environments. Although the intended use of the temporary credentials is learning GCP skills, threat actors are abusing this to add a layer of obscurity by using these credentials to create merchant accounts.

‍

Analysis and Attribution

We uncovered the following while investigating this attack vector:

The screenshot on the right is an authorized reseller of Apple in India and all the details are verifiable, which includes the Mobile number, Email information as well as the Website. Whereas, the screenshot on the left is a scam merchant account because of the following reasons:

The Website button opens https://accounts.google.com which is not related to Apple
The contact email address is a temporary account provided while signing for qwiklabs

*Screenshot of how we can see the Email of the merchant account*

‍

Why Qwiklabs ?

Qwiklabs is used because while creating a Gmail account and signing up for pay.google.com to setup merchant transactions a Phone Number verification is required which can land a threat actor in trouble. While signing up for qwiklabs the following are required -

A company email
Full Name
Birth Date
Password

‍

Please Note - A temporary inbox provider like temp-mail.org can be used to fill in the company email.

‍

Once an attacker has signed in to the portal they can choose a learning path which contains a hands-on learning lab, for that qwiklabs gives temporary access to gmail inbox. This Gmail inbox is then used to set up a merchant UPI ID without the use of a phone number.

‍

The above account was created without divulging any personal information.

‍

Advantages of this method

Divulging little to no information throughout the signing up process
Setting up an account with a business name very similar to a brand the attacker is targeting as shown above.
UPI infrastructure can also be used to request a transaction from the victim
From 2023 Merchants can also request for EMI payments from the victims, hence a user just needs to fall for the scam once and the mandate of payment will be established.
An attacker can create numerous temporary mail boxes using the qwiklabs method.
It will be very difficult for a victim to identify a fraudulently initiated transaction.
A threat actor can also generate a targeted brand specific VPA(Virtual Private Address) alias, as of now one bank account allows for 4 aliases.

‍

Precautions

A User can take following precautions to be safe from this type of elaborate scheme:

Always check the final transaction amount being requested by merchant
Check the contact details of the merchant you are transferring money
Always check if the merchant has requested for a mandate being set, this would drain the victim’s account monthly without putting in the UPI pin again and again.
Always check if the merchant is a verified merchant

‍