Researcher: Aarushi Koolwal
Analysts: Abhinav Pandey & Vikas Kundu
Editor: Benila Susan Jacob

Despite India’s digital revolution, a large swath of the population still prefers physical copies over their digitized counterparts, especially when it comes to ID cards such as driving licenses, Aadhaar, etc. This need accounts for the existence of corner shops that provide ID printing services. However, with physical stores shutting down due to the pandemic, many have turned to the internet to avail of ID printing services.

This trend has led to threat actors jumping on the bandwagon by hosting fake websites and impersonating major Indian firms that claim to deliver hard copies of ID cards. Scores of Indian citizens have fallen prey to this scam. Since individual losses only amount to a few hundred rupees, victims and law enforcement are not in any hurry to dismantle these campaigns. But given the scale of the operation, it deserves closer investigation.

In this blog, we delve into the modus operandi of an Uttar Pradesh based group that is running a large-scale ID Card printing scams campaign impersonating popular Indian brands to defraud the Indian public.

UP Based Group Running Large-Scale ID Card Printing Scams

CloudSEK’s contextual AI digital risk platform XVigil uncovered an Uttar Pradesh based threat group operating hundreds of fake ID printing websites, with the following shared characteristics:

• The domains impersonate popular Indian brands including various telecommunication providers, banks, payment wallets, courier services, etc. This includes Fino Payments Bank, DTDC, India Post, etc., to present themselves as a legitimate business.
• The threat group employs Google Ads, social network pages, and SEO optimization techniques to distribute and popularize these domains.
• The websites offer printing services for ID cards like Aadhaar, PAN, driver’s license, account opening, etc.
• Victims are duped into sharing their PII (Personally Identifiable Information) and OTPs on a KYC portal integrated with popular payment channels.
• Threat actors can sell the PII or use it to orchestrate other scams. They also use the OTPs to gain access to victims’ accounts to lock them out and carry out unauthorized transactions.

Rise in Printing Service Scams in India

There has been a significant increase in the usage of Aadhaar recently and the demand for Aadhaar-based authentication grew between 2018 and 2021(UIDAI Annual Report (2020-21). This increase can be attributed to the enhanced use of Aadhaar along with other two-factor authentication methods (2FA). The graph below depicts the use of Aadhaar for authentication and it can be seen touching an all-time high of 1,413.40 crore transactions in the 2020-21 fiscal year.

Whois data on newly registered domains reveals a noteworthy correlation between the number of malicious domains registered in 2020-21 and the hike in Aadhaar based authentication.

CloudSEK’s Investigation of ID Printing Scams

XVigil’s routine scanning identified multiple fake domains advertising cheap printing and laminating services to scam people. Further investigation revealed multiple fraudulent websites advertising similar services with fake customer support numbers concentrated in the Western Uttar Pradesh region. A thorough examination of the campaign revealed that these websites are part of a large-scale campaign involving unauthorized access to victims’ KYC portals. Multiple complaints have been posted by the victims of these scams on various social media platforms such as Twitter and Facebook.

Anatomy of the Scam

Luring Victims to the Malicious Domains

Unsuspecting users are deceived into visiting these malicious websites either in direct or indirect ways.

The Direct Method

This is a method of spamming victims with messages, emails, or social media communication which contain URLs of the malicious websites, along with the promise of partnership and financial returns. The lure of easy money prompts the user into clicking the link and visiting the malicious website.

The Indirect Method

In this method, the malicious domains are distributed using SEO (Search Engine Optimization) techniques or other Social Media platforms.

SEO Technique

• The malicious domains are strategically placed in Google search engine queries using SEO techniques and optimized with multiple keywords related to Aadhaar, PAN, Voter ID, etc.
• For example, the malicious domains aadharprint[.]in and digitalfastprint[.]in are ranked second and fifth respectively, following the original website.
• Such high SERP(Search Engine Results Pages) positions are formulated by employing multiple blackhat SEO techniques like adding a large number of unsolicited backlinks.

Social Media

• The malicious links are distributed to users via sites such as Facebook, Twitter and YouTube.
• Research uncovered multiple Youtube videos and channels with many views. These were embedded with the links associated with these malicious domains.

Overview of the Campaign

• XVigil detected hundreds of URLs, spreading the campaign, which had 9 common root domains.
• Of the root domains investigated, roboprints[.]in and digitalfastprint[.]in received the highest portion of traffic, 32.7% and 22% respectively.
• Other prominent domains were ukprintz[.]xyz, ecyberlink[.]in, and aadharprint[.]in, which received 14.3%, 9.5%, and 4.8% of the traffic respectively.

• Each domain has multiple subdomains with correlations to other malicious root domains. For example, the aadharprint[.]in has a subdomain named shivyog[.]aadharprint[.]in, which resembles shivyogprint[.]info, indicating that the domains could be owner by a single entity.

• Currently there are a total of 69 domains still functioning, with a considerable number of inactive subdomains, which were either active in the past or can be utilized in the future when taken down.
• Majority of these domains are hosted on Publicdomainregistry[.]com (12) and godaddy[.]com (17) using various TLD(Top level domain).
• 11 of the domains used .in, 10 used .com, 4 used .online, 3 used .info and one each used .us and .top.
• The domains also employ security solutions such as Cloudflare and Litespeed WAF.
• CloudSEK has learnt from a confidential source that these websites use a database called ‘adhaar’ with a table named ‘Detailorder_mst’ containing 54,452 entries, collected over time.
• Most of these domains contain logos and links of UIDAI and other governmental agencies.
• A major chunk of the websites observed had poor frontend design and grammatical errors.

Detailed Analysis of the Fake Domains Discovered

The malicious domains uncovered as a part of CloudSEK’s investigation had the following shared characteristics:

• The websites advertised services such as:
  • Registration services for Ayushman Bharat
  • Account opening services for Kotak, RBL, Indusind, and ICICI banks at INR 99.
  • PAN and NSDL registration services
  • Wallet recharge services
  • Passbook printing services
  • Services for Fino, NSDL, India Post, and other wallet services.
  • QR code scanner
  • Aadhaar card lamination services
• Sign-up and Sign-in pages require phone numbers and emails as inputs.
• Logos of prominent organizations such as Fino Payment Bank.
• Logos of government services including Ayushman Bharat, E-shram, etc.
• Fake customer care numbers and WhatsApp support services.
• Listed legitimate payment partners such as PayU.
• India Post and DTDC are listed as delivery partners.
• Social media presence with around thousands of followers on Facebook.

Identifying the Scammers

• One of the threat actors connected to this scam is the owner of the phone number 88659 53003, obtained from one of the phishing websites, printkaro[.]xyz.
• The actor has written an Amazon review in which they stated belonging to Najibabad, Uttar Pradesh. (For more information refer to the Appendix)
• Most phone numbers listed on the scam sites belong to individuals in Uttar Pradesh West. Thus, it can be inferred that the scammers are based in Najibabad, Uttar Pradesh, India.

Fake Customer Care Numbers Uncovered

Impact of the Scam

A Tweet from 2017 about a scam platform dubbed “Maza Aadhaar”	The 2016 “Maza Aadhaar” scam targeted users in the pretense of Aadhaar plastic card printing services

• Threat actors can leverage the PII to carry out other social engineering attacks, identity thefts, phishing attacks, etc.
• OTPs can be used to carry out unauthorized transactions on the victims’ bank accounts.
• Threat actors can register SIM cards in the name of the victim and use them for illegal activities.
• Aadhaar card and PAN card details can be used to create fake bank accounts, apply for loans, or to carry out other malicious activities.
• In a recent scam targeting, fraudsters had reportedly used the PAN details of victims to avail instant loans through a loan application.

Mitigation Measures

• Avoid clicking on suspicious links.
• Ensure the usage of MFA (Multi-Factor Authentication) and do not share OTPs. .
• Enter your ID data on official government websites only(sites with .gov extensions). Be cautious when entering it on any other sites.
• Ignore emails and messages from unknown sources, especially with some sort of monetary value attached. If possible, use an anti-spam solution for your email and anti-virus on your device.
• If you come across a malicious domain, look up its registrar on whois.com and report the abuse.

References

• Over 27 million Indian adults experienced identity theft
• UIDAI Cautions People Against Aadhaar ‘Smart Card’

Appendix

Images associated with the phone number 8865953003