During the 2019 — 2020 holiday season, XVigil identified several phishing sites targeting popular eCommerce companies. Many of the domains were registered in December and were subsequently taken down after Christmas or New Year. This indicates that the sites’ main targets were shoppers, eager to avail holiday discounts.
Detection of phishing sites
XVigil’s fake domain finder monitors the web for fake or similar looking domains that might infringe on a brand. When we calibrated XVigil to monitor Indian eCommerce companies, we detected a wide range of phishing domains.
Examples of sites detected by XVigil:
hxxp://paytm-megaoffer.com*
hxxp://wowbuzz4.com/pytm_mall*
hxxp://paytmmallcart.com*
hxxp://flipkart-loot-offers.com*
hxxp://newyearflipkart.com*
hxxp://flpkartchrismus.com*
hxxp://amaazon.club*
hxxp://amozonsale.online*
hxxp://amaz-onofferzz.in*
Overall Investigation
- Firstly, we ascertained the phishing sites’ domain details, including the server, IP, registrant, and admin.
- Prima facie, we were able to determine that the sites had certain similarities:
- Irrespective of the eCommerce site being targeted, the most common payment platform was Paytm payment gateway.
- Many of sites, including 2 Paytm phishing sites (hxxp://paytm-megaoffer.com* , hxxp://wowbuzz4.com/pytm_mall*) were hosted on the same IP. So, both the sites could be the work of the same scammer/ group of scammers.
- Some sites, though not hosted on the same server, share overall website design, look and feel, site navigation, and data input methods.
Paytm phishing analysis
- The sites appear familiar and trustworthy because:
- The look and feel of the sites are similar to the official Paytm site.
- Usage of Paytm logo.
- Transacting through the widely trusted Paytm payment gateway.
- The sites list a limited number of products, but at highly discounted prices. For example: the listed price of the iPhone 11 is INR 5999. And there is a countdown that indicates the offer is valid only for the next few minutes. These factors make it tempting, for even the most discerning of customers, to make hasty purchases.
- The following characteristics of the sites are proof of the scammers’ rudimentary technical skills:
- Presence of default or dummy content.
- Poor web design features such as blurred images and grammatical errors.
- Poor coding practices such as the absence of validation of details entered in the phone number and pin code fields.
- The conspicuous lack of https certification.
- Limited product catalogue.
- Unbelievably low pricing.
Figure 2: Dummy content in the blog section of hxxp://paytmmallcart.com*
How the phishing sites work
The shopper browses the site and adds the product to the cart.
The billing section collects the customer’s personal details including phone number, email id, and address. The scammers could use these details to devise other fraudulent schemes.
The customer is directed to the payment page.
The customer then lands on the Paytm payment gateway to complete the transaction.
Paytm Payment Gateway Analysis
Many phishing sites, irrespective of the eCommerce company they are targeting, use the Paytm payment gateway. It is notable that there are merchants registered with fake names such as ‘for’. One of the merchants goes by ‘One Communications’. The name closely mimics One97 Communications, which is Paytm’s parent company; lending the site an air of legitimacy.
From the source code of the payment pages we identified the following merchant details:
- hxxp://paytm-megaoffer.com*
Merchant: One Communications
MID: kRdXWH24078674748775 - hxxp://paytmmallcart.com*
Merchant Name: for
MID: GPZvOS78323169981271 - hxxp://flipkart-loot-offers.com*
Merchant: Online Mobile Shop
MID: kLJwiy42558605770665 - hxxp://newyearflipkart.com*
Merchant: Lucky Mobile And Lamination
MID: nixGaL07658395498481
Source Code Analysis
- We analysed the source codes of both the sites and discovered that hxxp://paytm-megaoffer.com* was importing the hxxp://wowbuzz4.com/pytm_mall* source code.
- It was found that hxxp://paytm-megaoffer.com* and hxxp://wowbuzz4.com/pytm_mall* have the same Google Analytics ID (UA-131481750-1). It is uncommon for 2 unrelated sites to have the same Google Analytics ID.
This indicates that both the sites belong to the same scammer/ group of scammers.
Attribution
The contact details used to register hxxp://paytmmallcart.com* are not available, and that of hxxp://wowbuzz4.com/pytm_mall* cannot be traced back to any person or organization. However, hxxp://paytm-megaoffer.com* can be traced back to Parate Traders, a business in Nagpur.
Despite having different name servers, hxxp://wowbuzz4.com/pytm_mall* and hxxp://paytm-megaoffer.com* are hosted on the same IP. Therefore, whoever runs hxxp://paytm-megaoffer.com*, is likely responsible for hxxp://wowbuzz4.com/pytm_mall* also.
Impact of phishing
Phishing scams are the oldest and most rampant type of cyber threats. They are fairly simple to orchestrate, but have the potential to severely impact a company’s reputation and revenue.
Apart from the targeted eCommerce companies, phishing also damages the reputation of the payment gateway that facilitates the fraud. Paytm for Business enables a variety of online and offline transactions. Hence its reputation, among shoppers and legitimate merchants, will be tarnished by the concerted misuse.
We found a social media poster who claims to have lost money to a Paytm phishing site. Other than the immediate loss of money, users could become victims of other scams that leverage the personal details, collected via the phishing sites.
Mitigation
Considering how easy it is to buy a domain, phishing cannot be tackled by taking down pages or sites. Also, companies often detect phishing sites, only after users have been affected. To begin with, eCommerce companies should proactively monitor and take down phishing sites. In addition, Paytm should also disable/block the scammers’ Paytm for Business accounts. This will hinder transactions on all phishing sites that use the same merchant accounts.
In the long term, eCommerce companies should identify and counteract the servers that host these phishing sites. Furthermore, they should also take action against scammers, whom they can identify, by leveraging the domain details and MIDs.
Conclusion
Phishing sites such as hxxp://paytm-megaoffer.com*, hxxp://wowbuzz4.com/pytm_mall*, and hxxp://paytmmallcart.com*, are not anomalies. When combined with the misuse of Paytm payment gateway, these scams indicate, a concerted effort to exploit Paytm and its users.
A company’s brand image is the fruit of sustained effort and strategic planning. However, it takes only one malicious attack, to undo the hard won trust and goodwill of their customers. And any damage to this intangible asset can have serious and far-reaching consequences.
A continuous monitoring tool, such as CoudSEK’s XVigil, helps companies sustain continual brand scan, to effectively combat fake pages, impostors, rogue applications, and domains.
*Note: All http links have been obfuscated to hxxp to avoid spam alerts. [/vc_column_text][/vc_column][/vc_row]