Researcher: Aarushi Koolwal Analysts: Abhinav Pandey & Vikas Kundu Editor: Benila Susan Jacob
Despite India's digital revolution, a large swath of the population still prefers physical copies over their digitized counterparts, especially when it comes to ID cards such as driving licenses, Aadhaar, etc. This need accounts for the existence of corner shops that provide ID printing services. However, with physical stores shutting down due to the pandemic, many have turned to the internet to avail of ID printing services.
This trend has led to threat actors jumping on the bandwagon by hosting fake websites and impersonating major Indian firms that claim to deliver hard copies of ID cards. Scores of Indian citizens have fallen prey to this scam. Since individual losses only amount to a few hundred rupees, victims and law enforcement are not in any hurry to dismantle these campaigns. But given the scale of the operation, it deserves closer investigation.
In this blog, we delve into the modus operandi of an Uttar Pradesh based group that is running a large-scale ID card printing scam campaign, impersonating popular Indian brands to defraud the Indian public.
UP Based Group Running Large-Scale ID Card Printing Scams
CloudSEK's contextual AI digital risk platform XVigil uncovered an Uttar Pradesh based threat group operating hundreds of fake ID printing websites, with the following shared characteristics:
The domains impersonate popular Indian brands including various telecommunication providers, banks, payment wallets, courier services, etc. This includes Fino Payments Bank, DTDC, India Post, etc., to present themselves as a legitimate business.
The threat group employs Google Ads, social network pages, and SEO optimization techniques to distribute and popularize these domains.
The websites offer printing services for ID cards like Aadhaar, PAN, driver’s license, account opening, etc.
Victims are duped into sharing their PII (Personally Identifiable Information) and OTPs on a KYC portal integrated with popular payment channels.
Threat actors can sell the PII or use it to orchestrate other scams. They also use the OTPs to gain access to victims' accounts to lock them out and carry out unauthorized transactions.
Rise in Printing Service Scams in India
There has been a significant increase in the usage of Aadhaar recently, and the demand for Aadhaar-based authentication grew between 2018 and 2021 (UIDAI Annual Report 2020-21). This increase can be attributed to the enhanced use of Aadhaar along with other two-factor authentication (2FA) methods. The graph below depicts the use of Aadhaar for authentication, which touched an all-time high of 1,413.40 crore transactions in the 2020-21 fiscal year.
Graph depicting the rise in Aadhaar-based authentication in 2017-18 and then again in 2020-21 (Source: UIDAI)
Whois data on newly registered domains reveals a noteworthy correlation between the number of malicious domains registered in 2020-21 and the hike in Aadhaar based authentication.
Malicious domains registered each year (Source: Whois)
CloudSEK's Investigation of ID Printing Scams
XVigil's routine scanning identified multiple fake domains advertising cheap printing and laminating services to scam people. Further investigation revealed multiple fraudulent websites advertising similar services, with fake customer support numbers concentrated in the Western Uttar Pradesh region. A thorough examination of the campaign revealed that these websites are part of a large-scale campaign involving unauthorized access to victims' KYC portals. Multiple complaints have been posted by the victims of these scams on various social media platforms such as Twitter and Facebook.
Flowchart representing the outline of the scam
Anatomy of the Scam
Luring Victims to the Malicious Domains
Unsuspecting users are deceived into visiting these malicious websites either in direct or indirect ways.
The Direct Method
This is a method of spamming victims with messages, emails, or social media communication which contain URLs of the malicious websites, along with the promise of partnership and financial returns. The lure of easy money prompts the user into clicking the link and visiting the malicious website.
The Indirect Method
In this method, the malicious domains are distributed using SEO (Search Engine Optimization) techniques or other Social Media platforms.
SEO Technique
The malicious domains are strategically placed in Google search engine queries using SEO techniques and optimized with multiple keywords related to Aadhaar, PAN, Voter ID, etc.
For example, the malicious domains aadharprint[.]in and digitalfastprint[.]in are ranked second and fifth respectively, following the original website.
Such high SERP (Search Engine Results Page) positions are obtained by employing multiple blackhat SEO techniques, such as adding a large number of unsolicited backlinks.
Social Media
The malicious links are distributed to users via sites such as Facebook, Twitter and YouTube.
Research uncovered multiple YouTube videos and channels with many views. These were embedded with links associated with these malicious domains.
Image depicting Maryam OSINT scan results for roboprints[.]in & digitalfastprint[.]in
Overview of the Campaign
XVigil detected hundreds of URLs spreading the campaign, which shared 9 common root domains.
Of the root domains investigated, roboprints[.]in and digitalfastprint[.]in received the highest portion of traffic, 32.7% and 22% respectively.
Other prominent domains were ukprintz[.]xyz, ecyberlink[.]in, and aadharprint[.]in, which received 14.3%, 9.5%, and 4.8% of the traffic respectively.
Chart depicting traffic for Root malicious domains
Each domain has multiple subdomains with correlations to other malicious root domains. For example, aadharprint[.]in has a subdomain named shivyog[.]aadharprint[.]in, which resembles shivyogprint[.]info, indicating that the domains could be owned by a single entity.
Image depicting subdomains of "aadharprint[.]in"
Currently there are a total of 69 domains still functioning, along with a considerable number of inactive subdomains, which were either active in the past or can be brought into use in the future when the active ones are taken down.
The majority of these domains are hosted on Publicdomainregistry[.]com (12) and godaddy[.]com (17) using various TLDs (top-level domains).
11 of the domains used .in, 10 used .com, 4 used .online, 3 used .info and one each used .us and .top.
The domains also employ security solutions such as Cloudflare and Litespeed WAF.
CloudSEK has learnt from a confidential source that these websites use a database called "adhaar" with a table named "Detailorder_mst" containing 54,452 entries, collected over time.
Most of these domains contain logos and links of UIDAI and other governmental agencies.
A major chunk of the websites observed had poor frontend design and grammatical errors.
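The infrastructure observations above (the TLD breakdown, the shivyog[.]aadharprint[.]in / shivyogprint[.]info overlap, and the advice to trust only official government domains) can be checked mechanically. The script below is an added example, not CloudSEK's or XVigil's code: it refangs the defanged indicators quoted in this post, counts hosts per TLD, flags hosts that carry ID-service keywords without sitting under an official suffix, and links root domains that share a distinctive label token. The keyword list, the official suffix list and the tokeniser are assumptions made for illustration.

```python
"""Pivoting on the fake ID-printing domains quoted in this post.
Added example, not CloudSEK's or XVigil's code. The indicator list is
constructed from the defanged domains in the text; KEYWORDS,
OFFICIAL_SUFFIXES and the tokeniser are assumptions for illustration."""
from collections import Counter, defaultdict

# Defanged indicators as quoted in the post (constructed sample input).
DEFANGED = [
    "roboprints[.]in", "digitalfastprint[.]in", "ukprintz[.]xyz",
    "ecyberlink[.]in", "aadharprint[.]in", "shivyog[.]aadharprint[.]in",
    "shivyogprint[.]info", "printkaro[.]xyz", "newprint[.]in",
    "aadhaarsmartcard[.]com",
]
# Service words an ID-printing lookalike tends to carry (assumed vocabulary).
KEYWORDS = ("aadhaar", "aadhar", "uidai", "pan", "nsdl", "print", "smartcard")
# Suffixes under which Indian government services are actually hosted (assumed).
OFFICIAL_SUFFIXES = (".gov.in", ".nic.in")


def refang(indicator: str) -> str:
    """Turn 'x[.]y' back into 'x.y' so the host can be parsed normally."""
    return indicator.replace("[.]", ".").strip().lower()

def registrable(host: str) -> str:
    """Root domain, taken as the last two labels (fine for the flat TLDs here)."""
    return ".".join(host.split(".")[-2:])

def keyword_hits(host: str) -> list:
    """Service keywords found in any label except the TLD."""
    labels = host.split(".")[:-1]
    return sorted(k for k in KEYWORDS if any(k in lab for lab in labels))

def brand_tokens(host: str) -> set:
    """Leftover of each label once service keywords are stripped, e.g.
    'shivyog' from shivyogprint; leftovers shorter than 4 chars are ignored."""
    found = set()
    for label in host.split(".")[:-1]:
        for kw in KEYWORDS:
            label = label.replace(kw, " ")
        found.update(t for t in label.split() if len(t) >= 4)
    return found

def flag_lookalikes(indicators) -> list:
    """Hosts using ID-service keywords that are not under an official suffix."""
    flagged = []
    for ind in indicators:
        host = refang(ind)
        hits = keyword_hits(host)
        if hits and not host.endswith(OFFICIAL_SUFFIXES):
            flagged.append((host, hits))
    return flagged

def link_by_shared_tokens(indicators) -> dict:
    """Root domains sharing a distinctive token, hinting at a single operator."""
    groups = defaultdict(set)
    for ind in indicators:
        host = refang(ind)
        for tok in brand_tokens(host):
            groups[tok].add(registrable(host))
    return {t: sorted(d) for t, d in groups.items() if len(d) > 1}

def tld_breakdown(indicators) -> Counter:
    return Counter(refang(i).rsplit(".", 1)[-1] for i in indicators)


if __name__ == "__main__":
    print("TLDs:", dict(tld_breakdown(DEFANGED)))
    for host, hits in flag_lookalikes(DEFANGED):
        print(f"lookalike {host}: {hits}")
    print("linked:", link_by_shared_tokens(DEFANGED))
```

Run against a larger feed of newly registered domains, the keyword and token checks give a first-pass filter for brand-monitoring; the shared-token grouping is a heuristic and still needs analyst confirmation (registrant data, hosting, page content) before two domains are attributed to one operator.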
Detailed Analysis of the Fake Domains Discovered
The malicious domains uncovered as a part of CloudSEK's investigation had the following shared characteristics:
The websites advertised services such as:
Registration services for Ayushman Bharat
Account opening services for Kotak, RBL, Indusind, and ICICI banks at INR 99.
PAN and NSDL registration services
Wallet recharge services
Passbook printing services
Services for Fino, NSDL, India Post, and other wallet services.
QR code scanner
Aadhaar card lamination services
Sign-up and Sign-in pages require phone numbers and emails as inputs.
Logos of prominent organizations such as Fino Payment Bank.
Logos of government services including Ayushman Bharat, E-shram, etc.
India Post and DTDC are listed as delivery partners.
Social media presence, with thousands of followers on Facebook.
Identifying the Scammers
One of the threat actors connected to this scam is the owner of the phone number 88659 53003, obtained from one of the phishing websites, printkaro[.]xyz.
The actor has written an Amazon review in which they stated that they belong to Najibabad, Uttar Pradesh. (For more information refer to the Appendix.)
Most phone numbers listed on the scam sites belong to individuals in Uttar Pradesh West. Thus, it can be inferred that the scammers are based in Najibabad, Uttar Pradesh, India.
A Tweet from 2017 about a scam platform dubbed "Maza Aadhaar"
The 2016 "Maza Aadhaar" scam targeted users under the pretense of Aadhaar plastic card printing services
Threat actors can leverage the PII to carry out other social engineering attacks, identity thefts, phishing attacks, etc.
OTPs can be used to carry out unauthorized transactions on the victims' bank accounts.
Threat actors can register SIM cards in the name of the victim and use them for illegal activities.
Aadhaar card and PAN card details can be used to create fake bank accounts, apply for loans, or to carry out other malicious activities.
In a recent scam, fraudsters had reportedly used the PAN details of victims to avail instant loans through a loan application.
Mitigation Measures
Avoid clicking on suspicious links.
Ensure the usage of MFA (Multi-Factor Authentication) and do not share OTPs.
Enter your ID data on official government websites only (sites with .gov extensions). Be cautious when entering it on any other sites.
Ignore emails and messages from unknown sources, especially with some sort of monetary value attached. If possible, use an anti-spam solution for your email and anti-virus on your device.
If you come across a malicious domain, look up its registrar on whois.com and report the abuse.
Appendix
Account opening services on newprint[.]in
Snapshot of an Amazon review by the threat actor
Image depicting "aadhaar print" search results on Google
The customer care number provided on the website
Snapshot from the Contact page of newprint[.]in
Images associated with "Gungun mobile shop pachrukhiya"
Images associated with the phone number 8865953003
Index page of aadhaarsmartcard[.]com
Ayushman Bharat registration form on newprint[.]in
Services related to NSDL on newprint[.]in
e-NSDL Registration form on newprint[.]in
Services related to NSDL on newprint[.]in
UCL services on newprint[.]in
Passbook print page of newprint[.]in asks for users' account details
A user complaining about a fake website having access to the Aadhaar database
Payment Gateway of a malicious domain page
Newprint[.]in mentioned on the Cancellation and Refund Policy page
Pre-payment page displays a logo of New Print
Sign-in page of newprint[.]in
Keywords used by threat actors for SEO optimization of Newprint[.]in
Snapshots from the source code of newprint[.]in
Sign-in page of newprint[.]ind[.]in
A Tweet claiming newprint[.]in and newprint[.]ind[.]in are running a scam
Customer care numbers listed on newprint[.]ind[.]in
Snapshot from the Refund Policy section of newprint[.]in
Snapshot from a Facebook profile stating Aadhaarsmartcard[.]com as a fraud service
Image depicting a user complaining about the fake printing service along with a payment screenshot
Aarushi Koolwal
Aarushi Koolwal is an avid cyber security learner.