FASTag Phishing Campaigns Flourish on Social Media

FASTag Phishing Campaigns Flourish on Social MediaWith FASTag, toll collection is the latest of our everyday services that has gone digital. And, as is their wont, cyber criminals have already figured out ways to exploit it. FASTag, which is an Electronic Toll Collection (ETC) instrument, is mandated by the Government of India, for all vehicles passing through toll booths across the country. Considering the growing adoption, combined with users’ limited experience, it is not surprising that scammers are launching phishing campaigns by employing novice social engineering approaches.

In this article, we explore the different types of phishing campaigns and the channels that facilitate them. 

FASTag Phishing Campaigns

Though FASTag is a straightforward service, there are several avenues, ranging from distribution to after-sales support, through which scammer can exploit it. 

Scammers are defrauding people in the following ways:

  • Selling fake FASTags 
  • Recruiting other scammers
  • Selling FASTag distributor rights
  • Operating fake helpline numbers
  • Providing unblocking services for blacklisted FASTags

Scammers are delivering these campaigns via: 

  • Social media
  • Email
  • Online marketplaces
  • Chat platforms
  • Deep web sites
  • Surface web sites

We will investigate each of these scamming methods and the channels used to facilitate them. While FASTag scammers are present across the internet, they are especially active on social media because of how easy it is to create accounts and conceal their identities. 

Selling Fake FASTags

Social media 

There are social media profiles, personally promoting the “FASTag” project implementation (especially in local languages), even though they are not officially authorized or connected to the project. 

Facebook post advertising FASTag
Facebook post advertising FASTag

Some accounts are also offering services on behalf of authorized FASTag banking partners, by advertising the bank’s name along with their personal contact numbers. Since we cannot verify if such individuals are authorized to act on behalf of these financial institutions, it is best to avoid responding to their posts, to avail their services.

Post on a closed Facebook group advertising by including NPCI and HDFC
Post on a closed Facebook group advertising by including NPCI and HDFC

There are also social media posts that are promising free FASTags and FASTag services, even though the actual price is INR 500. However, they appear trustworthy to the general public because some of these campaigns include genuine images.

Post offering free FASTags
Posts offering free FASTags

Email 

Since FASTag became mandatory on 1st December 2019, we have observed phishing emails, delivered from various networks, to personal email IDs. Many of these campaigns use the classical approach of furnishing lookalike “from” names. In this case, ‘FASTag’, in some form, appears in the name of the sender. The domain name of the email is only visible when we purposely expand the ‘from’ address. This allows scammers to mislead receivers of the emails, since we don’t generally inspect the sender’s complete email address.  

"<yoastmark

As seen above, the sender’s name is ‘Axis FASTag’ and only on closer inspection, we notice that the email id is: info@indiafamous.info and the domain name is:  indiafamous.info. And, the website’s location is listed as Bihar. It is safe to assume that the below email is a phishing attempt. (We have noticed that previous phishing campaigns targeting NPCI, were also mapped to the same location).

"<yoastmark

Online marketplaces

Given the size of the targeted audience, scammers will not spare any platform through which they can prey on the public. 

Here is a case of an OLX listing that is advertising Axis Bank’s FASTag service.

FASTag advertisement on OLX
FASTag advertisement on OLX

Further investigation threw up listings like the ones below, in which the prices have been inflated. By inflating and then reducing the price of the tags, scammers are trying to make their proposition more attractive. This is a major red flag that is indicative of a phishing campaign. 

FASTag advertisements with inflated prices
FASTag advertisements with inflated prices

We also observed that some of the vendors are offering free GPS along with the tags. And the tags themselves are listed at prices lower than the actual cost of INR 500. But, it is not clear from the listing, if a standalone GPS comes free with the purchase of a FASTag.  

"<yoastmark

As seen from the below post, in which a vendor ‘Vivek Shukla’ from UP, has listed FASTag as “Fastage” along with a GPS app. The app is not officially associated with FASTag.

FASTag sold with an unofficial GPS app
FASTag sold with an unofficial GPS app

Deep web campaigns

We have spotted a series of phishing campaigns on various blogs and deep web sites. These advertisements offer FASTag services by using the names of popular banks such as Axis Bank, HDFC Bank, etc.

Chat platforms:

These campaigns are being widely spread through chat platforms such as Sharechat as well.

FASTag advertisements on Sharechat
FASTag advertisements on Sharechat

On clicking the link,  the page is redirected to an ad-hosted campaign which is not connected with Axis Bank FASTag services. And visiting these malicious links makes the visitor’s device vulnerable to malicious software, such as adware or other PUPs (Potentially Unwanted Programs). This, in turn, creates a backdoor to all vital information on the device and helps scammers fund other malicious campaigns they run.

Malicious links that make visitors vulnerable
Malicious links that make visitors vulnerable

Moreover, on analysing the details of the page through Virus Total, it was found to be listed as spam. 

VirusTotal results indicating that the advertisement is a spam
VirusTotal results indicating that the advertisement is a spam

Ad campaigns on other sites

We spotted ad campaigns on other unrelated websites such as a music download service. Through which unwary users can be clickjacked to phishing sites.

FASTag ad campaign on a music download service
FASTag ad campaign on a music download service

 

Surface web sites 

The official way to buy FASTags is via NPCI , authorized banking partners such as ICICI or HDFC, wallet partners such as UPI Airtel Payments, or authorized vendors. Yet there are similar looking domains, registered to individuals, that are masquerading as official vendors of FASTag.

Some of the fraudulent sites:

Fraudulent sites  Registrant details
Fastagindia.com  

  • Street: Door No. 583, Flat no G-100
  • City: Bengaluru
  • State/Province: Karnataka
  • Postal Code: 560077
  • Country: India
  • Phone: +91 9884718277
  • Email: ayushenterprisespvtltd@gmail.com
  • Admin Name: Ayush Enterprises
 

  Fastagindia.org

 

  • Registry ID: CR383877867
  • Name: Satheesh Kumar RST
  • Organization: GOLDEN COMMUNICATION
  • Street: 306, Thangam Complex, T.H. Road,
  • Street: New Washermenpet
  • City: Chennai
  • State/Province: Tamil Nadu
  • Postal Code: 600081
  • Country: IN
  • Phone: +91 8608330505
  • Email: rechargedesk@gmail.com
 fas-tag.com   

  • Name: DARSHANKUMAR BHANUSHALI
  • Street: Gujarat
  • Street: Vapi
  • City: Vapi
  • State/Province: Gujarat
  • Postal Code: 396191
  • Country: IN
  • Phone: +91 9016626456
  • Email: bhanushalidarshan5@yahoo.com
 

http://fastag.app/ and http://fastag.in 

 

  • Registry ID: CR397133995
  • Name: sankarsh reddy
  • Organization: SANKARSH REDDY
  • Street: PLOT#142, ROAD#72, JUBILEE HILLS
  • City: HYDERABAD
  • State/Province: Telangana
  • Postal Code: 500033
  • Country: IN
  • Phone: +91.4023551902
  • Email: reddy.sankarsh@gmail.com
 fastag.co.in  

  • Registry ID: CR358608589
  • Name: Gaganjot Singh
  • Street: Ludhiana
  • City: Ludhiana
  • State/Province: Punjab
  • Postal Code: 141008
  • Country: IN
  • Phone: +91.9876700544
  • Email: singh.gaganjot@gmail.com
  • Admin ID: CR358608596
  • Admin Name: Gaganjot Singh

Though the above mentioned sites are not functional at the moment, there is a chance that they may become available at any time, to host phishing campaigns, by assuming an air of legitimacy. 

These are only a few examples of domains that use some version of “fastag” in their name. There are many more, yet to be listed or found. Some of these domain names, which have not been bought yet, are available at cheap prices.

Lookalike sites available at low prices
Lookalike sites available at low prices

Recruiting other scammers

While scammers directly exploit new FASTag users, they also attempt to recruit other people to carry out such campaigns. Here are examples of such posts, from a private Facebook group, in which a scammer has advertised FASTag as an opportunity to make money. 

Social media posts advertising FASTag as an opportunity to make money
Social media posts advertising FASTag as an opportunity to make money

Selling FASTag distributor rights

Authorized sales and service providers/vendors employ agents to sell and top-up FASTags. However, we have observed the presence of unauthorized people, on closed Facebook groups, who are selling free agent IDs. Which is why, FASTags procured from 3rd party agents, may or may not be genuine.

Here are some examples of Facebook posts offering free Agents IDs. 

Post exhorting people to become FASTag distributors
Post exhorting people to become FASTag distributors

 

Post exhorting people to sell FASTag
Post exhorting people to sell FASTag

Operating fake FASTag helpline numbers

There are posts on social networking sites that are advertising phone numbers and email ids that are not the official FASTag support contacts. They offer to set up FASTags or provide other related support. Calling such numbers is a sure-fire way to get defrauded.  

Fake number that includes Paytm to add legitimacy
Fake number that includes Paytm to add legitimacy

We also found several unofficial social media accounts listing email ids that mimic the official email contact and vendor names. For example: fastag.hdfcbank@insolutionsglobal.com contains “FASTag” and “HDFC”. Thus, setting up a honeypot, for unsuspecting people looking for genuine support. 

Posts spreading fake emails and phone numbers
Posts spreading fake emails and phone numbers

 

Example of someone who has reached out to the fake email id for genuine support
Example of someone who has reached out to the fake email id for genuine support

Email ID: onthespot.fastag@gmail.com, virajpathak@gmail.com

Phone Number: 9823017946

Another phishing email id was mentioned as a point of contact on a flagged website. The website promotes this email id for any issues related to FASTag.

Email ID: paytmfastag@gmail.com

Flagged website hosting phishing email id
Flagged website hosting phishing email id

As observed from the above post, threat actors are advertising FASTag at a discounted price of INR 300, even though the original price of INR 500. Subsequently, people tempted by such offers, call these numbers, and become easy victims.

Aveon, advertised as a service provider, has no website
Aveon, advertised as a service provider, has no website

A well-crafted poster appeals to the general public as advertisements for reliable/ legitimate services. Upon investigation, we found that the service provider ‘Aveon’ does not have an official website.

Providing unblocking services for blacklisted FASTags

As with any new service, FASTag has a few ongoing issues. Some tags appear as ‘blacklisted,’ while passing through the toll gate, even though there is sufficient balance in the owner’s wallet. Consequently, scammers are exploiting this loophole in the system, by launching a campaign that offers unblocking of “blacklisted” tags. 

"<yoastmark

Facebook post offering unblocking service
Facebook post offering unblocking service

How do we avoid becoming victims?

In conclusion, these examples are just a tip of the iceberg, in the zeitgeist of ongoing scams. But they clearly show that if we, as end users of FASTag, are not vigilant, we can become easy victims of these malicious campaigns.  

End user precautions:

  • Don’t rely on individual vendors. Instead, buy FASTags from NTEC or from other official banks.
  • Don’t reveal OTPs received on your phone to anyone via call, or in person.
  • Never fill forms found on blogs or websites with look-alike domains that include the keyword “fastag”. 
  • Never click on hyperlinks provided in phishing emails, especially with subject lines such as “Free FASTag” etc. 
  • Avoid calling random toll free numbers, especially those flashed on third party websites/blogs. And, reach out to NTEC or Official Bank Helplines, for support.
  • Above all, don’t post or tweet any of your personal/transaction details (if you have not received your FASTag after applying for it). As this would help fraudsters customize their approach based on your specific problem. 

 

Dark Web and ATM Hacking

The dark web, which is a component of the deep web, is the nesting ground of online, as well as offline criminal activities. Though most of us have a general understanding of the dark web, we are still unaware of the specific activities it facilitates, and how it affects us on a daily basis.

ATMs are a common part of our everyday lives, yet we know little about how ATMs can be exploited, by even the most novice of attackers. At CloudSEK, we have unearthed a range of techniques and devices, that are used and sold on the dark web, for the purpose of hacking ATMs. 

There used to be a time when hacking an ATM required sophisticated skills and tools. Not anymore. We have encountered amateurs with rudimentary skills, who have hacked ATMs, using the tools and tutorials available on dark web marketplaces. This is possible because the devices sold on the dark web come with detailed instruction manuals. And most of these devices can be operated remotely, using an Antenna, to target systems that run on basic Windows XP. 

ATM Malware Card

On the dark web, anybody can buy an ATM Malware Card, that comes with the PIN Descriptor, Trigger Card and an Instruction Guide. This manual provides step-by-step instructions on how to use the card to suspend cash from ATM machines. Once the ATM Malware card is installed in the ATM, it captures card details of all the customers who subsequently use the ATM. The Trigger card is then used to dispense cash from ATMs.

(Fig.1: Screenshot of dark web shopping site: ATM Malware Card with product description)
(Fig.1: Screenshot of dark web shopping site: ATM Malware Card with product description)

The image above, shows the product description provided on dark web marketplaces, to advertise the features and benefits. This malware mainly targets ATM machines that run on Windows XP. This card is capable of drawing out all the money that is available in the affected machine; which could amount to as much as $500,000. The product description is so detailed that even a layman can use it to hack an ATM. 

USB ATM Malware 

Another prevalent method to fraudulently dispense cash from ATM Machines, is by infecting them with a Malware hosted USB drive. This method also targets  machines that run on Windows XP. 

 

(Fig.2: Screenshot of dark web shopping site: USB ATM Malware with product description)
(Fig.2: Screenshot of dark web shopping site: USB ATM Malware with product description)

This image describes the product in simple words, with details about what files are contained in the USB drive, and instructions on how to use it to orchestrate an attack.

ATM SKIMMER SHOP (ALL IN ONE)

Apart from individual sellers, there are also online shops that sell such products. One such shop is the ATM Skimmer Shop (all in one), that offers ATM hacking appliances such as EMV Skimmers, GSM Receivers, ATM Skimmers, PoSs, Gas Pumps, Deep Inserts, etc. 

(Fig.3: Screenshot of ATMSKIMMER Shop on the dark web)
(Fig.3: Screenshot of ATMSKIMMER Shop on the dark web)

The same shop also offers prepaid credit cards with high balances at different price points. The shop also updates and stocks itself with the latest cracking devices released in the market, such as POS Terminals, Upgraded Antenna, custom-made ATM Skimmers, RFID Reader/Writer, etc. This shop was previously available on the surface web, but is now available only on the dark web. Here, hacking devices that need be physically attached to ATM machines, such as the ATM Insert Skimmer or Deep insert, are also sold

 

(Fig.4: Screenshot of dark web shopping site: Deep Insert with product description)
(Fig.4: Screenshot of dark web shopping site: Deep Insert with product description)

The image above describes the benefits of using an insert skimmer to hack an ATM. It is advertised as a “plug and play” product, implying that it is a ready-to-use product. 

Anyone who has access to the dark web and this shop, can order any of their products, hassle-free. Another such online shopping site is the Undermarket that claims to sell bank fullz and physical bank cards on their platform. 

(Fig.5: Screenshot of Undermarket forum posts suggesting the availability of Fullz)
(Fig.5: Screenshot of Undermarket forum posts suggesting the availability of Fullz)

There are underground hacking forums that discuss and sell tutorials on how to hack bank accounts using Botnets, and other such topics. Forums such as Optimus Store, sell these malicious files for $100. 

(Fig.6: Screenshot of dark web forum: Files that aid hacking put for sale)
(Fig.6: Screenshot of dark web forum: Files that aid hacking put for sale)

A recently uncovered, active ATM Jackpotting method that uses a malware, is called Ploutus-D. It works by compromising components of a well-known multivendor ATM software, to gain control over hardware devices such as dispensers, card readers, and pin pads. It allows the hacker to suspend all the cash from affected machines, in a few minutes. The source code for this malware, along with instructions on how to use it, are sold on the dark web.

(Fig.7: Screenshot of shopping site on the dark web: Ploutus-D added to cart)
(Fig.7: Screenshot of shopping site on the dark web: Ploutus-D added to cart)

 

Be Vigilant

As hacking tools and techniques become ubiquitous, it is important to be aware and vigilant, by understanding new and sophisticated trends in hacking, and how you can defend yourself against them. 

About XVigil

XVigil Solutions provide organizations unified supervision across the internet, their brand, and their infrastructure. It yields analytics and actionable intelligence, needed to tackle external threats, by deploying comprehensive security scans and monitors.

See how XVigil has helped businesses across the globe combat digital risks: https://cloudsek.com/customers/

Learn more about XVigil: https://cloudsek.com/

Opera (Presto) Source Code Leaked on Dark Web

by Rakesh Krishnan

Leaking the source code of the proprietary tools is not a new scenario in the cyber threat arena. Recently, Windows 10 source code was leaked into “Beta Archives’ FTP”; (later removed) which is an active discussion forum on Windows Releases.

Sometimes, it may be an Insider Threat (Breach) or other times, it may be an Intrusion which ultimately classified into “Leaks”.

Few months ago, the source code of the proprietary tool named “Presto”- a browser layout engine used by Opera, was leaked in January 2017 into a code sharing site “GitHub” and later to “BitBucket”. Although Opera is recognized as an open source material in the outer world; the layout engine which they were using earlier was a proprietary product inside the Opera Community.

It was taken down immediately by the DMCA Takedown Request filed by Opera; the complete packages had been removed from multiple code sharing platforms like GitHub and BitBucket.

The netizens had expressed their notion against the takedown of Presto Engine; expressing their views to open source the product; voicing through social media platforms like Reddit and other online forums; but no response hit back.

 

BACK ON TOR

The whole repository of Presto Engine had come live in the TOR network sited as http://xxxxxxxx5q5s4urp.onion/.

This onion site also provided the ways to download the entire package (which is huge) using the following wget command:

wget -m http://xxxxxxxx5q5s4urp.onion/

In case, if any error occurs while mirroring/downloading the complete onion domain; the site had also facilitated it by subdividing each branch; hence making it into archives format: http://xxxxxxxx5q5s4urp.onion/browser.git/, so that clone command can be used effectively as:

git clone xxxxxxq5s4urp.onion/browser.git

During an investigation, it was found that the onion site had been created on 20th December, 2017 and is hosted on an unstable Nginx server. It was accessible at some time; which makes it unstable.

Hosting the leak in the deep web is a clever method to evade the take downs from DMCA or other legal entities, as the onion domains will not be tracked; and can’t break until it is attacked by any means like DDoS.

Presto was being used by Opera till 2013; switched to WebKit engine.

Although the source code had been in no use; still it can be referenced by anyone to analyze the methods in the Opera community; hence the future proprietary apps from Opera could be using the same strategy for the development.

CloudSEK is a Unified Risk Management Platform. Our AI/ML technology based products XVigil and CloudMon monitor threats originating from the Web, DarkWeb, Deep Web,  Web applications etc.. and provide real time alerts.