FASTag Phishing Campaigns Flourish on Social MediaWith FASTag, toll collection is the latest of our everyday services that has gone digital. And, as is their wont, cyber criminals have already figured out ways to exploit it. FASTag, which is an Electronic Toll Collection (ETC) instrument, is mandated by the Government of India, for all vehicles passing through toll booths across the country. Considering the growing adoption, combined with users’ limited experience, it is not surprising that scammers are launching phishing campaigns by employing novice social engineering approaches.
In this article, we explore the different types of phishing campaigns and the channels that facilitate them.
FASTag Phishing Campaigns
Though FASTag is a straightforward service, there are several avenues, ranging from distribution to after-sales support, through which scammer can exploit it.
Scammers are defrauding people in the following ways:
- Selling fake FASTags
- Recruiting other scammers
- Selling FASTag distributor rights
- Operating fake helpline numbers
- Providing unblocking services for blacklisted FASTags
Scammers are delivering these campaigns via:
- Social media
- Online marketplaces
- Chat platforms
- Deep web sites
- Surface web sites
We will investigate each of these scamming methods and the channels used to facilitate them. While FASTag scammers are present across the internet, they are especially active on social media because of how easy it is to create accounts and conceal their identities.
Selling Fake FASTags
Social media
There are social media profiles, personally promoting the “FASTag” project implementation (especially in local languages), even though they are not officially authorized or connected to the project.
Some accounts are also offering services on behalf of authorized FASTag banking partners, by advertising the bank’s name along with their personal contact numbers. Since we cannot verify if such individuals are authorized to act on behalf of these financial institutions, it is best to avoid responding to their posts, to avail their services.
There are also social media posts that are promising free FASTags and FASTag services, even though the actual price is INR 500. However, they appear trustworthy to the general public because some of these campaigns include genuine images.
Since FASTag became mandatory on 1st December 2019, we have observed phishing emails, delivered from various networks, to personal email IDs. Many of these campaigns use the classical approach of furnishing lookalike “from” names. In this case, ‘FASTag’, in some form, appears in the name of the sender. The domain name of the email is only visible when we purposely expand the ‘from’ address. This allows scammers to mislead receivers of the emails, since we don’t generally inspect the sender’s complete email address.
As seen above, the sender’s name is ‘Axis FASTag’ and only on closer inspection, we notice that the email id is: [email protected] and the domain name is: indiafamous.info. And, the website’s location is listed as Bihar. It is safe to assume that the below email is a phishing attempt. (We have noticed that previous phishing campaigns targeting NPCI, were also mapped to the same location).
Online marketplaces
Given the size of the targeted audience, scammers will not spare any platform through which they can prey on the public.
Here is a case of an OLX listing that is advertising Axis Bank’s FASTag service.
Further investigation threw up listings like the ones below, in which the prices have been inflated. By inflating and then reducing the price of the tags, scammers are trying to make their proposition more attractive. This is a major red flag that is indicative of a phishing campaign.
We also observed that some of the vendors are offering free GPS along with the tags. And the tags themselves are listed at prices lower than the actual cost of INR 500. But, it is not clear from the listing, if a standalone GPS comes free with the purchase of a FASTag.
As seen from the below post, in which a vendor ‘Vivek Shukla’ from UP, has listed FASTag as “Fastage” along with a GPS app. The app is not officially associated with FASTag.
Deep web campaigns
We have spotted a series of phishing campaigns on various blogs and deep web sites. These advertisements offer FASTag services by using the names of popular banks such as Axis Bank, HDFC Bank, etc.
Chat platforms:
These campaigns are being widely spread through chat platforms such as Sharechat as well.
On clicking the link, the page is redirected to an ad-hosted campaign which is not connected with Axis Bank FASTag services. And visiting these malicious links makes the visitor’s device vulnerable to malicious software, such as adware or other PUPs (Potentially Unwanted Programs). This, in turn, creates a backdoor to all vital information on the device and helps scammers fund other malicious campaigns they run.
Moreover, on analysing the details of the page through Virus Total, it was found to be listed as spam.
Ad campaigns on other sites
We spotted ad campaigns on other unrelated websites such as a music download service. Through which unwary users can be clickjacked to phishing sites.
Surface web sites
The official way to buy FASTags is via NPCI , authorized banking partners such as ICICI or HDFC, wallet partners such as UPI Airtel Payments, or authorized vendors. Yet there are similar looking domains, registered to individuals, that are masquerading as official vendors of FASTag.
Some of the fraudulent sites:
| Fraudulent sites | Registrant details |
|---|---|
| Fastagindia.com |
|
|
Fastagindia.org |
|
| fas-tag.com |
|
|
http://fastag.app/ and http://fastag.in |
|
| fastag.co.in |
|
Though the above mentioned sites are not functional at the moment, there is a chance that they may become available at any time, to host phishing campaigns, by assuming an air of legitimacy.
These are only a few examples of domains that use some version of “fastag” in their name. There are many more, yet to be listed or found. Some of these domain names, which have not been bought yet, are available at cheap prices.
Recruiting other scammers
While scammers directly exploit new FASTag users, they also attempt to recruit other people to carry out such campaigns. Here are examples of such posts, from a private Facebook group, in which a scammer has advertised FASTag as an opportunity to make money.
Selling FASTag distributor rights
Authorized sales and service providers/vendors employ agents to sell and top-up FASTags. However, we have observed the presence of unauthorized people, on closed Facebook groups, who are selling free agent IDs. Which is why, FASTags procured from 3rd party agents, may or may not be genuine.
Here are some examples of Facebook posts offering free Agents IDs.
Operating fake FASTag helpline numbers
There are posts on social networking sites that are advertising phone numbers and email ids that are not the official FASTag support contacts. They offer to set up FASTags or provide other related support. Calling such numbers is a sure-fire way to get defrauded.
We also found several unofficial social media accounts listing email ids that mimic the official email contact and vendor names. For example: [email protected] contains “FASTag” and “HDFC”. Thus, setting up a honeypot, for unsuspecting people looking for genuine support.
Email ID: [email protected], [email protected]
Phone Number: 9823017946
Another phishing email id was mentioned as a point of contact on a flagged website. The website promotes this email id for any issues related to FASTag.
Email ID: [email protected]
As observed from the above post, threat actors are advertising FASTag at a discounted price of INR 300, even though the original price of INR 500. Subsequently, people tempted by such offers, call these numbers, and become easy victims.
A well-crafted poster appeals to the general public as advertisements for reliable/ legitimate services. Upon investigation, we found that the service provider ‘Aveon’ does not have an official website.
Providing unblocking services for blacklisted FASTags
As with any new service, FASTag has a few ongoing issues. Some tags appear as ‘blacklisted,’ while passing through the toll gate, even though there is sufficient balance in the owner’s wallet. Consequently, scammers are exploiting this loophole in the system, by launching a campaign that offers unblocking of “blacklisted” tags.
How do we avoid becoming victims?
In conclusion, these examples are just a tip of the iceberg, in the zeitgeist of ongoing scams. But they clearly show that if we, as end users of FASTag, are not vigilant, we can become easy victims of these malicious campaigns.
End user precautions:
- Don’t rely on individual vendors. Instead, buy FASTags from NTEC or from other official banks.
- Don’t reveal OTPs received on your phone to anyone via call, or in person.
- Never fill forms found on blogs or websites with look-alike domains that include the keyword “fastag”.
- Never click on hyperlinks provided in phishing emails, especially with subject lines such as “Free FASTag” etc.
- Avoid calling random toll free numbers, especially those flashed on third party websites/blogs. And, reach out to NTEC or Official Bank Helplines, for support.
- Above all, don’t post or tweet any of your personal/transaction details (if you have not received your FASTag after applying for it). As this would help fraudsters customize their approach based on your specific problem.
