Adversary Intelligence
8
mins read

Exposing Qwiklabs Email Misuse in Sneaky Payment Scams involving setting up UPI merchant accounts

CloudSEK’s Threat Intelligence team uncovered a new attack vector for soiling the brand reputation of organizations by supplementing existing scam infrastructure.

Anirudh Batra
January 17, 2024
Green Alert
Last Update posted on
February 3, 2024
Don't let your brand be used to trap users through fake URLs and phishing pages

Identify and counter malicious links and phishing attempts effectively with CloudSEK XVigil Fake URLs and Phishing module, bolstering your defense against cyber threats

Schedule a Demo
Table of Contents
Author(s)
No items found.

Executive Summary

CloudSEK’s Threat Intelligence team uncovered a new attack vector for soiling the brand reputation of organizations by supplementing existing scam infrastructure.

Threat Actors have always been on the lookout for ways that they can use to make their scam operations seem legitimate. Historically, we have seen that even if the Fake Domain or the scam domain might seem very real the end goal of the threat actor is receiving money from the victims. A simple check generally reveals if the payment is actually going to the desired organization or not.

In this attack vector lack of verification of the name of the organization while registering a merchant account using a payment provider makes it fairly tough for a victim to differentiate between a legitimate and illegitimate merchant VPA/transaction.

Qwiklabs is a cloud-based platform that offers hands-on learning experiences for developers and IT professionals. It provides temporary credentials to Google Cloud Platform (GCP) and other cloud platforms, allowing users to practice their skills in real-world environments. Although the intended use of the temporary credentials is learning GCP skills, threat actors are abusing this to add a layer of obscurity by using these credentials to create merchant accounts.

Analysis and Attribution

We uncovered the following while investigating this attack vector:

                         

  

The screenshot on the right is an authorized reseller of Apple in India and all the details are verifiable, which includes the Mobile number, Email information as well as the Website. Whereas, the screenshot on the left is a scam merchant account because of the following reasons:

  1. The Website button opens https://accounts.google.com which is not related to Apple
  2. The contact email address is a temporary account provided while signing for qwiklabs

                     

Screenshot of how we can see the Email of the merchant account

Why Qwiklabs ?

Qwiklabs is used because while creating a Gmail account and signing up for pay.google.com to setup merchant transactions a Phone Number verification is required which can land a threat actor in trouble. While signing up for qwiklabs the following are required - 

  1. A company email
  2. Full Name
  3. Birth Date
  4. Password

Please Note - A temporary inbox provider like temp-mail.org can be used to fill in the company email.

Once an attacker has signed in to the portal they can choose a learning path which contains a hands-on learning lab, for that qwiklabs gives temporary access to gmail inbox. This Gmail inbox is then used to set up a merchant UPI ID without the use of a phone number.

MindMap of how the scam operates

The above account was created without divulging any personal information.

Advantages of this method

  1. Divulging little to no information throughout the signing up process
  2. Setting up an account with a business name very similar to a brand the attacker is targeting as shown above.
  3. UPI infrastructure can also be used to request a transaction from the victim
  4. From 2023 Merchants can also request for EMI payments from the victims, hence a user just needs to fall for the scam once and the mandate of payment will be established.
  5. An attacker can create numerous temporary mail boxes using the qwiklabs method.
  6. It will be very difficult for a victim to identify a fraudulently initiated transaction.
  7. A threat actor can also generate a targeted brand specific VPA(Virtual Private Address) alias, as of now one bank account allows for 4 aliases.

Precautions

A User can take following precautions to be safe from this type of elaborate scheme:

  1. Always check the final transaction amount being requested by merchant
  2. Check the contact details of the merchant you are transferring money 
  3. Always check if the merchant has requested for a mandate being set, this would drain the victim’s account monthly without putting in the UPI pin again and again.
  4. Always check if the merchant is a verified merchant

Recommendations for Payment providers

  1. Tighter check for qwiklabs email addresses being used to sign up.
  2. Better regulations around how to claim a Business name for a merchant

References

Appendix

Screenshot of a POC account created on pay.google.com using the qwiklabs temporary credentials

Author

Anirudh Batra

Threat Analyst at CloudSEK

Predict Cyber threats against your organization

Schedule a Demo
Related Posts
Blog Image
Advisory
Breach
July 19, 2024

WazirX Incident: Explained

WazirX, a leading Indian cryptocurrency exchange, faced a major security breach on July 18, 2024 resulting in significant financial losses of over $200 Million. Dive into our detailed analysis to uncover how the attack unfolded, potential culprits, and the broader implications for WazirX users.

Blog Image
Adversary Intelligence
June 26, 2024

Cybersecurity Threat Advisory: Recent Attacks Targeting Indian BFSI Sector

This advisory highlights recent attacks on Indian banks, focusing on two primary attack vectors: geopolitical tensions and credential stealers/social media account takeovers.

Blog Image
Adversary Intelligence
February 3, 2024

From Discussion Forums to Malware Mayhem: The Alarming Rise of Abuse on Google Groups and Usenet

Explore the escalating wave of cyber threats on platforms like Google Groups and Usenet, uncovering the pivotal role of cybersecurity in safeguarding online discussion forums.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

CloudSEK XVigil

Digital Risk Protection platform which gives Initial Attack Vector Protection for employees and customers.

Learn more about XVigil
CloudSEK SVigil

Software and Supply chain Monitoring providing Initial Attack Vector Protection for Software Supply Chain risks.

Learn more about SVigil
CloudSEK SVigil

Creates a blueprint of an organization's external attack surface including the core infrastructure and the software components.

Learn more about BeVigil Ent
CloudSEK BeVigil

Instant Security Score for any Android Mobile App on your phone. Search for any app to get an instant risk score.

Learn more about BeVigil
Adversary Intelligence

8

min read

Exposing Qwiklabs Email Misuse in Sneaky Payment Scams involving setting up UPI merchant accounts

CloudSEK’s Threat Intelligence team uncovered a new attack vector for soiling the brand reputation of organizations by supplementing existing scam infrastructure.

Authors
Anirudh Batra
Threat Analyst at CloudSEK
Co-Authors
No items found.

Executive Summary

CloudSEK’s Threat Intelligence team uncovered a new attack vector for soiling the brand reputation of organizations by supplementing existing scam infrastructure.

Threat Actors have always been on the lookout for ways that they can use to make their scam operations seem legitimate. Historically, we have seen that even if the Fake Domain or the scam domain might seem very real the end goal of the threat actor is receiving money from the victims. A simple check generally reveals if the payment is actually going to the desired organization or not.

In this attack vector lack of verification of the name of the organization while registering a merchant account using a payment provider makes it fairly tough for a victim to differentiate between a legitimate and illegitimate merchant VPA/transaction.

Qwiklabs is a cloud-based platform that offers hands-on learning experiences for developers and IT professionals. It provides temporary credentials to Google Cloud Platform (GCP) and other cloud platforms, allowing users to practice their skills in real-world environments. Although the intended use of the temporary credentials is learning GCP skills, threat actors are abusing this to add a layer of obscurity by using these credentials to create merchant accounts.

Analysis and Attribution

We uncovered the following while investigating this attack vector:

                         

  

The screenshot on the right is an authorized reseller of Apple in India and all the details are verifiable, which includes the Mobile number, Email information as well as the Website. Whereas, the screenshot on the left is a scam merchant account because of the following reasons:

  1. The Website button opens https://accounts.google.com which is not related to Apple
  2. The contact email address is a temporary account provided while signing for qwiklabs

                     

Screenshot of how we can see the Email of the merchant account

Why Qwiklabs ?

Qwiklabs is used because while creating a Gmail account and signing up for pay.google.com to setup merchant transactions a Phone Number verification is required which can land a threat actor in trouble. While signing up for qwiklabs the following are required - 

  1. A company email
  2. Full Name
  3. Birth Date
  4. Password

Please Note - A temporary inbox provider like temp-mail.org can be used to fill in the company email.

Once an attacker has signed in to the portal they can choose a learning path which contains a hands-on learning lab, for that qwiklabs gives temporary access to gmail inbox. This Gmail inbox is then used to set up a merchant UPI ID without the use of a phone number.

MindMap of how the scam operates

The above account was created without divulging any personal information.

Advantages of this method

  1. Divulging little to no information throughout the signing up process
  2. Setting up an account with a business name very similar to a brand the attacker is targeting as shown above.
  3. UPI infrastructure can also be used to request a transaction from the victim
  4. From 2023 Merchants can also request for EMI payments from the victims, hence a user just needs to fall for the scam once and the mandate of payment will be established.
  5. An attacker can create numerous temporary mail boxes using the qwiklabs method.
  6. It will be very difficult for a victim to identify a fraudulently initiated transaction.
  7. A threat actor can also generate a targeted brand specific VPA(Virtual Private Address) alias, as of now one bank account allows for 4 aliases.

Precautions

A User can take following precautions to be safe from this type of elaborate scheme:

  1. Always check the final transaction amount being requested by merchant
  2. Check the contact details of the merchant you are transferring money 
  3. Always check if the merchant has requested for a mandate being set, this would drain the victim’s account monthly without putting in the UPI pin again and again.
  4. Always check if the merchant is a verified merchant

Recommendations for Payment providers

  1. Tighter check for qwiklabs email addresses being used to sign up.
  2. Better regulations around how to claim a Business name for a merchant

References

Appendix

Screenshot of a POC account created on pay.google.com using the qwiklabs temporary credentials