Fake Image - CloudSEK

Menace of Fake Banking Services

We have all received calls from fake bank representatives, offering us complimentary credit card upgrades, free Insurance, and assistance to complete KYC (Know your customer) formalities. And to provide these services, they would have requested us for credit card or debit card details.

However, in the last few years, the general public has smartened up to this scam. And most of us don’t indulge these calls anymore. And in response to this, scammers have repackaged their scams, that are delivered to us, via other channels. The new schemes are so convincing that we reach out to them.

Let’s explore these sophisticated approaches and the various resources that allow scammers to continue defrauding us.

What makes us vulnerable?

Most people unequivocally rely on Google search for everything ranging from bank locations to restaurant reviews. So, it is only natural that scammers have started targeting Google services, to index bogus web pages that contain fake bank branches and customer care numbers. Also, it is simple to list a business on Google, because there is no detailed verification process. In 2018, police busted a scammer who was running a fake branch of Karnataka Bank in UP’s Ballia.

How are fake banking services provided?

  • The scammer buys a domain name that closely mimics the targeted bank. They replicate the bank’s trademarks, logos, and website design, to give it an air of authenticity.
  • They set up telephone numbers which are advertised on the fake website. The scammer goes the extra mile, to convince skeptical users, by mimicking original caller tunes, hold tunes, and following standard operating procedures.
  • Sometimes, scammers even set up interim branches and kiosks, employing people at different levels, so that it appears to be a legitimate operation.
  • They then list themselves on Google services with seemingly genuine location details.
  • When a customer searches for a bank branch or customer care number, these sites appear as top Google search results.
  • When the customer calls the fake number or visits a fake branch, scammers slip questions about CVVs (Card Verification Value) or ask for OTPs (One Time Password) in the middle of the conversation.
  • They may even advise users to download and install certain remote desktop sharing apps or open links that give them the control of the customer’s mobile device.
  • Scammers especially favour UPI (Unified Payment Interface) and other similar apps. They will ask for a victim’s UPI ID, and convince them to accept 1 rupee on the app. Wherein, instead of accepting money, unaware and inexperienced users, will in fact be remitting a large amount from their account.

Are there precautions we can take?

  • Stay abreast of scammers and the different types of online scams.
  • Proactively monitor the surface web and alert authorities of any scams you have identified.
  • Inform targeted banks about such scams. It will also help them to initiate the takedown of such sites and apps and ensure others don’t fall prey to these scams. 

If you have concerns about your organization’s security posture, contact us: Request a Demo now.

FASTag Phishing Campaigns Flourish on Social Media

FASTag Phishing Campaigns Flourish on Social MediaWith FASTag, toll collection is the latest of our everyday services that has gone digital. And, as is their wont, cyber criminals have already figured out ways to exploit it. FASTag, which is an Electronic Toll Collection (ETC) instrument, is mandated by the Government of India, for all vehicles passing through toll booths across the country. Considering the growing adoption, combined with users’ limited experience, it is not surprising that scammers are launching phishing campaigns by employing novice social engineering approaches.

In this article, we explore the different types of phishing campaigns and the channels that facilitate them. 

FASTag Phishing Campaigns

Though FASTag is a straightforward service, there are several avenues, ranging from distribution to after-sales support, through which scammer can exploit it. 

Scammers are defrauding people in the following ways:

  • Selling fake FASTags 
  • Recruiting other scammers
  • Selling FASTag distributor rights
  • Operating fake helpline numbers
  • Providing unblocking services for blacklisted FASTags

Scammers are delivering these campaigns via: 

  • Social media
  • Email
  • Online marketplaces
  • Chat platforms
  • Deep web sites
  • Surface web sites

We will investigate each of these scamming methods and the channels used to facilitate them. While FASTag scammers are present across the internet, they are especially active on social media because of how easy it is to create accounts and conceal their identities. 

Selling Fake FASTags

Social media 

There are social media profiles, personally promoting the “FASTag” project implementation (especially in local languages), even though they are not officially authorized or connected to the project. 

Facebook post advertising FASTag
Facebook post advertising FASTag

Some accounts are also offering services on behalf of authorized FASTag banking partners, by advertising the bank’s name along with their personal contact numbers. Since we cannot verify if such individuals are authorized to act on behalf of these financial institutions, it is best to avoid responding to their posts, to avail their services.

Post on a closed Facebook group advertising by including NPCI and HDFC
Post on a closed Facebook group advertising by including NPCI and HDFC

There are also social media posts that are promising free FASTags and FASTag services, even though the actual price is INR 500. However, they appear trustworthy to the general public because some of these campaigns include genuine images.

Post offering free FASTags
Posts offering free FASTags


Since FASTag became mandatory on 1st December 2019, we have observed phishing emails, delivered from various networks, to personal email IDs. Many of these campaigns use the classical approach of furnishing lookalike “from” names. In this case, ‘FASTag’, in some form, appears in the name of the sender. The domain name of the email is only visible when we purposely expand the ‘from’ address. This allows scammers to mislead receivers of the emails, since we don’t generally inspect the sender’s complete email address.  


As seen above, the sender’s name is ‘Axis FASTag’ and only on closer inspection, we notice that the email id is: info@indiafamous.info and the domain name is:  indiafamous.info. And, the website’s location is listed as Bihar. It is safe to assume that the below email is a phishing attempt. (We have noticed that previous phishing campaigns targeting NPCI, were also mapped to the same location).


Online marketplaces

Given the size of the targeted audience, scammers will not spare any platform through which they can prey on the public. 

Here is a case of an OLX listing that is advertising Axis Bank’s FASTag service.

FASTag advertisement on OLX
FASTag advertisement on OLX

Further investigation threw up listings like the ones below, in which the prices have been inflated. By inflating and then reducing the price of the tags, scammers are trying to make their proposition more attractive. This is a major red flag that is indicative of a phishing campaign. 

FASTag advertisements with inflated prices
FASTag advertisements with inflated prices

We also observed that some of the vendors are offering free GPS along with the tags. And the tags themselves are listed at prices lower than the actual cost of INR 500. But, it is not clear from the listing, if a standalone GPS comes free with the purchase of a FASTag.  


As seen from the below post, in which a vendor ‘Vivek Shukla’ from UP, has listed FASTag as “Fastage” along with a GPS app. The app is not officially associated with FASTag.

FASTag sold with an unofficial GPS app
FASTag sold with an unofficial GPS app

Deep web campaigns

We have spotted a series of phishing campaigns on various blogs and deep web sites. These advertisements offer FASTag services by using the names of popular banks such as Axis Bank, HDFC Bank, etc.

Chat platforms:

These campaigns are being widely spread through chat platforms such as Sharechat as well.

FASTag advertisements on Sharechat
FASTag advertisements on Sharechat

On clicking the link,  the page is redirected to an ad-hosted campaign which is not connected with Axis Bank FASTag services. And visiting these malicious links makes the visitor’s device vulnerable to malicious software, such as adware or other PUPs (Potentially Unwanted Programs). This, in turn, creates a backdoor to all vital information on the device and helps scammers fund other malicious campaigns they run.

Malicious links that make visitors vulnerable
Malicious links that make visitors vulnerable

Moreover, on analysing the details of the page through Virus Total, it was found to be listed as spam. 

VirusTotal results indicating that the advertisement is a spam
VirusTotal results indicating that the advertisement is a spam

Ad campaigns on other sites

We spotted ad campaigns on other unrelated websites such as a music download service. Through which unwary users can be clickjacked to phishing sites.

FASTag ad campaign on a music download service
FASTag ad campaign on a music download service


Surface web sites 

The official way to buy FASTags is via NPCI , authorized banking partners such as ICICI or HDFC, wallet partners such as UPI Airtel Payments, or authorized vendors. Yet there are similar looking domains, registered to individuals, that are masquerading as official vendors of FASTag.

Some of the fraudulent sites:

Fraudulent sites  Registrant details

  • Street: Door No. 583, Flat no G-100
  • City: Bengaluru
  • State/Province: Karnataka
  • Postal Code: 560077
  • Country: India
  • Phone: +91 9884718277
  • Email: ayushenterprisespvtltd@gmail.com
  • Admin Name: Ayush Enterprises



  • Registry ID: CR383877867
  • Name: Satheesh Kumar RST
  • Street: 306, Thangam Complex, T.H. Road,
  • Street: New Washermenpet
  • City: Chennai
  • State/Province: Tamil Nadu
  • Postal Code: 600081
  • Country: IN
  • Phone: +91 8608330505
  • Email: rechargedesk@gmail.com

  • Street: Gujarat
  • Street: Vapi
  • City: Vapi
  • State/Province: Gujarat
  • Postal Code: 396191
  • Country: IN
  • Phone: +91 9016626456
  • Email: bhanushalidarshan5@yahoo.com

http://fastag.app/ and http://fastag.in 


  • Registry ID: CR397133995
  • Name: sankarsh reddy
  • Organization: SANKARSH REDDY
  • Street: PLOT#142, ROAD#72, JUBILEE HILLS
  • State/Province: Telangana
  • Postal Code: 500033
  • Country: IN
  • Phone: +91.4023551902
  • Email: reddy.sankarsh@gmail.com

  • Registry ID: CR358608589
  • Name: Gaganjot Singh
  • Street: Ludhiana
  • City: Ludhiana
  • State/Province: Punjab
  • Postal Code: 141008
  • Country: IN
  • Phone: +91.9876700544
  • Email: singh.gaganjot@gmail.com
  • Admin ID: CR358608596
  • Admin Name: Gaganjot Singh

Though the above mentioned sites are not functional at the moment, there is a chance that they may become available at any time, to host phishing campaigns, by assuming an air of legitimacy. 

These are only a few examples of domains that use some version of “fastag” in their name. There are many more, yet to be listed or found. Some of these domain names, which have not been bought yet, are available at cheap prices.

Lookalike sites available at low prices
Lookalike sites available at low prices

Recruiting other scammers

While scammers directly exploit new FASTag users, they also attempt to recruit other people to carry out such campaigns. Here are examples of such posts, from a private Facebook group, in which a scammer has advertised FASTag as an opportunity to make money. 

Social media posts advertising FASTag as an opportunity to make money
Social media posts advertising FASTag as an opportunity to make money

Selling FASTag distributor rights

Authorized sales and service providers/vendors employ agents to sell and top-up FASTags. However, we have observed the presence of unauthorized people, on closed Facebook groups, who are selling free agent IDs. Which is why, FASTags procured from 3rd party agents, may or may not be genuine.

Here are some examples of Facebook posts offering free Agents IDs. 

Post exhorting people to become FASTag distributors
Post exhorting people to become FASTag distributors


Post exhorting people to sell FASTag
Post exhorting people to sell FASTag

Operating fake FASTag helpline numbers

There are posts on social networking sites that are advertising phone numbers and email ids that are not the official FASTag support contacts. They offer to set up FASTags or provide other related support. Calling such numbers is a sure-fire way to get defrauded.  

Fake number that includes Paytm to add legitimacy
Fake number that includes Paytm to add legitimacy

We also found several unofficial social media accounts listing email ids that mimic the official email contact and vendor names. For example: fastag.hdfcbank@insolutionsglobal.com contains “FASTag” and “HDFC”. Thus, setting up a honeypot, for unsuspecting people looking for genuine support. 

Posts spreading fake emails and phone numbers
Posts spreading fake emails and phone numbers


Example of someone who has reached out to the fake email id for genuine support
Example of someone who has reached out to the fake email id for genuine support

Email ID: onthespot.fastag@gmail.com, virajpathak@gmail.com

Phone Number: 9823017946

Another phishing email id was mentioned as a point of contact on a flagged website. The website promotes this email id for any issues related to FASTag.

Email ID: paytmfastag@gmail.com

Flagged website hosting phishing email id
Flagged website hosting phishing email id

As observed from the above post, threat actors are advertising FASTag at a discounted price of INR 300, even though the original price of INR 500. Subsequently, people tempted by such offers, call these numbers, and become easy victims.

Aveon, advertised as a service provider, has no website
Aveon, advertised as a service provider, has no website

A well-crafted poster appeals to the general public as advertisements for reliable/ legitimate services. Upon investigation, we found that the service provider ‘Aveon’ does not have an official website.

Providing unblocking services for blacklisted FASTags

As with any new service, FASTag has a few ongoing issues. Some tags appear as ‘blacklisted,’ while passing through the toll gate, even though there is sufficient balance in the owner’s wallet. Consequently, scammers are exploiting this loophole in the system, by launching a campaign that offers unblocking of “blacklisted” tags. 


Facebook post offering unblocking service
Facebook post offering unblocking service

How do we avoid becoming victims?

In conclusion, these examples are just a tip of the iceberg, in the zeitgeist of ongoing scams. But they clearly show that if we, as end users of FASTag, are not vigilant, we can become easy victims of these malicious campaigns.  

End user precautions:

  • Don’t rely on individual vendors. Instead, buy FASTags from NTEC or from other official banks.
  • Don’t reveal OTPs received on your phone to anyone via call, or in person.
  • Never fill forms found on blogs or websites with look-alike domains that include the keyword “fastag”. 
  • Never click on hyperlinks provided in phishing emails, especially with subject lines such as “Free FASTag” etc. 
  • Avoid calling random toll free numbers, especially those flashed on third party websites/blogs. And, reach out to NTEC or Official Bank Helplines, for support.
  • Above all, don’t post or tweet any of your personal/transaction details (if you have not received your FASTag after applying for it). As this would help fraudsters customize their approach based on your specific problem. 


SIM Hijacking: An imminent threat to anybody with a phone


Miscreants recently siphoned INR 4.57 million from Creative Engineers’ bank account. The attackers first hacked the proprietor’s gmail account and sent an email to Airtel to confirm the SIM swap. With access to his email and phone number, they were able to gain access to his internet banking credentials, to carry out the attack. The attackers employed SIM hijacking, which is the process of deactivating a SIM and appropriating a phone number, to pass the internet banking authentication.

SIM hijacking bypass 2 step verification
Fig 1: SIM hijacking to bypass 2 step verification

If you have a phone, you are a target.

Other than being a convenient mode of communication, mobile phones also serve as authentication for a variety of services. 

Since password protection alone could not secure accounts, we introduced 2 Factor Authentication, linked to our email or phone number, to protect sensitive accounts. This includes emails, online banking accounts, and cryptocurrency exchanges.

Time has come, to assess if 2 Factor Authentication is still ironclad. Given the success of attacks such as SIM hijacking, it looks like hackers have found a way to get around that as well.


SIM Hijacking is the process through which a hacker confiscates your phone number and deactivates your SIM card, rendering it non-functional.

Getting access to your SIM is usually just one part of a larger scam. In order to siphon your bank accounts or steal sensitive information, a hacker needs access to your account details also. Without which they cannot successfully bypass 2 Factor Authentication.

SIM Hijacking is also used to steal Instagram usernames that are then sold for Bitcoin. This form of attack, though not as rampant, should be monitored, considering the potential impact.

Sophisticated strategies to compromise a phone number

  • SS7 and Diameter attacks function by attacking the underlying telecom network/protocol. This allows an attacker to take over any phone number by intercepting SMS-based tokens, account recovery codes, and calls.
  • IMSI catchers are RF devices that enable an attacker to take over a phone number by intercepting and injecting cell traffic. This method requires physical proximity to the target.

    ISMI catcher used for SIM hijacking

    Fig 3: ISMI catcher used for SIM hijacking

  • SIM Hijacking targets a carrier through conventional attacks, or by social engineering support staff, to take control of a phone number. This is known as SIM porting/hijacking, which is becoming increasingly popular with attackers.

Execution of SIM Hijacking

  • In India, hackers often contact victims, posing as executives from telecom companies, offering better network plans or discounts. They usually verify your full name, address, phone number, DOB, last four digits of social security number (SSN), Aadhaar number, or other security questions. 
  • The attacker then tries to obtain your unique 20-digit SIM number and SIM swap authentication. For example: If you are a Vodafone user, the attacker will use a new Vodafone SIM to process the SIM exchange. Vodafone will send a confirmation SMS on your phone number. And the attacker will instruct you to press a digit to authenticate the SIM swap. Vodafone will then officially initiate the SIM swap.
  • Once the swap is successful, your SIM will stop working and won’t have cell reception. On the other hand, the attacker’s new SIM will be fully functional.
  • The attacker, in most cases, will already have your banking ID and password. All they need is the OTP to perform fraudulent financial transactions. Hijacking your number allows the attackers to pass the 2-step verification process. This gives the hacker access to your accounts across Google, Twitter, Facebook, O365, online banking, and crypto currency trading platforms.


SIM Hijacking process flow

Fig 4. Execution of SIM Hijacking

What if the hacker has an individual’s email ID but not their phone number?
  • With your email ID the hacker will initiate a password reset process for your accounts.
  • The hacker can reset your password using a link or a secret code received via email, SMS, or phone call.
  • To reset a password with an SMS or a phone call, the prompt displays part of the phone number. Depending on the platform, the number of digits visible, may vary. This is because there is no standardized way to mask personal identifiable information (PII) such as phone numbers. For example, Paypal reveals the first digit and the last four digits. While some other platforms show the first digit and the last 2 digits.
  • Similarly, the hacker will use your email on different platforms to reveal more digits of your phone number.
  • A typical Indian mobile number format is: “+91-XXXX-NNNNNN”. The first four digits indicate an operator’s code, while the remaining six digits are unique to the subscriber. The hacker narrows the options by detecting the operator code.
  • There are many ways an attacker can verify if the shortlisted phone numbers are linked to the email address:- Using search engines to check if you have posted your phone number on a forum, website, etc.,
    – Employing online services such as Pipl or Spokeo that have huge databases with personal information
    – Using telephone system online services that allow you to reverse search the owner of a phone by its number.
  • By abusing password reset options, and by brute-forcing using publicly available information, a hacker can obtain your complete phone number.
Reverse search

When the hacker has a phone number, this process is reversed, to obtain the corresponding email ID. Services such as Amazon and Twitter allow password reset using a phone number. For this, a verification link is sent to the associated email ID. The prompt for which, displays a few characters of the email ID. Amazon provides the first and last letter of the username and the full domain. Also, the number of masked characters reveal the length of the username.

Tell-tale signs

Sign of SIM hijacking
Fig 2: Sign of SIM hijacking

While it is incumbent on telecom carriers to enforce stringent measures to prevent attacks that target phone numbers, it is also important for us, as mobile phone users, to be able to identify the signs of a SIM Hijacking attack.

You are a victim of SIM Hijacking if you:

  • Lose cell service for an extended period of time.
  • Get locked out of your email and social media accounts because the passwords have been reset.
  • Receive suspicious calls, during which the executive asks for your personal details or SIM number.

Preventive measures

Another layer of security, while helpful in the short term, won’t be fool proof. As witnessed from the breach of previous security frameworks, hackers will find a way to circumvent the new layer of security as well. So, how do we shield ourselves against SIM Hijacking:

  • Use PIN based authentication. Most carriers offer the option to protect your accounts using a passcode or PIN.
  • Using an authentication app such as Google Authenticator instead of receiving the two-factor authentication code via SMS.
  • Link sensitive accounts to a separate phone number and keep it confidential.
  • Label email addresses and phone numbers. So that the hint prompt displays labels such as “Home phone”, instead of your phone number.


As evident from the recent attack on Creative Engineers, hackers are increasingly resorting to SIM hijacking. And being linked to the services we use every day, makes each of our phone numbers valuable targets.

While telecom operators need to bolster the security of their networks, as users, our best defense is awareness. We can protect ourselves by taking simple precautions and by understanding how scammers orchestrate such attacks.

Figure 1: Homepage of hxxp://paytm-megaoffer.com*

Chronic Phishing Targets Paytm, Flipkart, Amazon users

During the 2019 — 2020 holiday season, XVigil identified several phishing sites targeting popular eCommerce companies. Many of the domains were registered in December and were subsequently taken down after Christmas or New Year. This indicates that the sites’ main targets were shoppers, eager to avail holiday discounts.

Detection of phishing sites

XVigil’s fake domain finder monitors the web for fake or similar looking domains that might infringe on a brand. When we calibrated XVigil to monitor Indian eCommerce companies, we detected a wide range of phishing domains.

Examples of sites detected by XVigil:
Homepage of phishing site hxxp://paytmmallcart.com*
Figure 1: Homepage of hxxp://paytmmallcart.com*



Overall Investigation

  • Firstly, we ascertained the phishing sites’ domain details, including the server, IP, registrant, and admin.
  • Prima facie, we were able to determine that the sites had certain similarities:
    • Irrespective of the eCommerce site being targeted, the most common payment platform was Paytm payment gateway.
    • Many of sites, including 2 Paytm phishing sites (hxxp://paytm-megaoffer.com* , hxxp://wowbuzz4.com/pytm_mall*) were hosted on the same IP. So, both the sites could be the work of the same scammer/ group of scammers.
  • Some sites, though not hosted on the same server, share overall website design, look and feel, site navigation, and data input methods.

Paytm phishing analysis

  • The sites appear familiar and trustworthy because:
    • The look and feel of the sites are similar to the official Paytm site.
    • Usage of Paytm logo.
    • Transacting through the widely trusted Paytm payment gateway.
  • The sites list a limited number of products, but at highly discounted prices. For example: the listed price of the iPhone 11 is INR 5999. And there is a countdown that indicates the offer is valid only for the next few minutes. These factors make it tempting, for even the most discerning of customers, to make hasty purchases.
  • The following characteristics of the sites are proof of the scammers’ rudimentary technical skills:
    • Presence of default or dummy content.
    • Poor web design features such as blurred images and grammatical errors.
    • Poor coding practices such as the absence of validation of details entered in the phone number and pin code fields.
    • The conspicuous lack of https certification.
    • Limited product catalogue.
    • Unbelievably low pricing.

      Dummy content in the blog section of phishing site hxxp://paytmmallcart.com*
      Figure 2: Dummy content in the blog section of hxxp://paytmmallcart.com*
How the phishing sites work

The shopper browses the site and adds the product to the cart.

The iPhone 11 listed for INR 5999 on phishing site hxxp://paytmmallcart.com*
Figure 3: The iPhone 11 listed for INR 5999 hxxp://paytmmallcart.com*

The billing section collects the customer’s personal details including phone number, email id, and address. The scammers could use these details to devise other fraudulent schemes.

Billing page of phishing site hxxp://paytmmallcart.com* collects personal details of users
Figure 4: Billing page of hxxp://paytmmallcart.com* collects personal details of users

The customer is directed to the payment page.

Paytm payment listed as the only payment option on phishing site hxxp://paytmmallcart.com*
Figure 5: Paytm payment listed as the payment option on hxxp://paytmmallcart.com*

The customer then lands on the Paytm payment gateway to complete the transaction.

Users are redirected to Paytm payment gateway.
Figure 6: Users are redirected to Paytm payment gateway

Paytm Payment Gateway Analysis

Many phishing sites, irrespective of the eCommerce company they are targeting, use the Paytm payment gateway. It is notable that there are merchants registered with fake names such as ‘for’. One of the merchants goes by ‘One Communications’. The name closely mimics One97 Communications, which is Paytm’s parent company; lending the site an air of legitimacy.

Paytm payment gateway merchant ‘One Communications’
Figure 7: Paytm payment gateway merchant ‘One Communications’

From the source code of the payment pages we identified the following merchant details:

  • hxxp://paytm-megaoffer.com*
    Merchant: One Communications
    MID: kRdXWH24078674748775
  • hxxp://paytmmallcart.com*
    Merchant Name: for
    MID: GPZvOS78323169981271
  • hxxp://flipkart-loot-offers.com*
    Merchant: Online Mobile Shop
    MID: kLJwiy42558605770665
  • hxxp://newyearflipkart.com*
    Merchant: Lucky Mobile And Lamination
    MID:  nixGaL07658395498481

Source Code Analysis

  • We analysed the source codes of both the sites and discovered that hxxp://paytm-megaoffer.com* was importing the hxxp://wowbuzz4.com/pytm_mall* source code.
  • It was found that hxxp://paytm-megaoffer.com* and hxxp://wowbuzz4.com/pytm_mall* have the same Google Analytics ID (UA-131481750-1). It is uncommon for 2 unrelated sites to have the same Google Analytics ID.

This indicates that both the sites belong to the same scammer/ group of scammers.

Source code of phishing site hxxp://paytm-megaoffer.com*
Figure 8: Source code of hxxp://paytm-megaoffer.com*


The contact details used to register hxxp://paytmmallcart.com* are not available, and that of hxxp://wowbuzz4.com/pytm_mall* cannot be traced back to any person or organization. However, hxxp://paytm-megaoffer.com* can be traced back to Parate Traders, a business in Nagpur.

Despite having different name servers, hxxp://wowbuzz4.com/pytm_mall* and hxxp://paytm-megaoffer.com* are hosted on the same IP. Therefore, whoever runs hxxp://paytm-megaoffer.com*, is likely responsible for hxxp://wowbuzz4.com/pytm_mall* also.

Impact of phishing

Social media post of a user scammed by a Paytm phishing site
Figure 9: Social media post of a user scammed by a Paytm phishing site

Phishing scams are the oldest and most rampant type of cyber threats. They are fairly simple to orchestrate, but have the potential to severely impact a company’s reputation and revenue.

Apart from the targeted eCommerce companies, phishing also damages the reputation of the payment gateway that facilitates the fraud. Paytm for Business enables a variety of online and offline transactions. Hence its reputation, among shoppers and legitimate merchants, will be tarnished by the concerted misuse.

We found a social media poster who claims to have lost money to a Paytm phishing site. Other than the immediate loss of money, users could become victims of other scams that leverage the personal details, collected via the phishing sites.


Considering how easy it is to buy a domain, phishing cannot be tackled by taking down pages or sites. Also, companies often detect phishing sites, only after users have been affected. To begin with, eCommerce companies should proactively monitor and take down phishing sites. In addition, Paytm should also disable/block the scammers’ Paytm for Business accounts. This will hinder transactions on all phishing sites that use the same merchant accounts.

In the long term, eCommerce companies should identify and counteract the servers that host these phishing sites. Furthermore, they should also take action against scammers, whom they can identify, by leveraging the domain details and MIDs.


Phishing sites such as hxxp://paytm-megaoffer.com*, hxxp://wowbuzz4.com/pytm_mall*, and hxxp://paytmmallcart.com*, are not anomalies. When combined with the misuse of Paytm payment gateway, these scams indicate, a concerted effort to exploit Paytm and its users.

A company’s brand image is the fruit of sustained effort and strategic planning. However, it takes only one malicious attack, to undo the hard won trust and goodwill of their customers. And any damage to this intangible asset can have serious and far-reaching consequences.

A continuous monitoring tool, such as CoudSEK’s XVigil, helps companies sustain continual brand scan, to effectively combat fake pages, impostors, rogue applications, and domains.

*Note: All http links have been obfuscated to hxxp to avoid spam alerts. [/vc_column_text][/vc_column][/vc_row]

Dark Web and ATM Hacking

The dark web, which is a component of the deep web, is the nesting ground of online, as well as offline criminal activities. Though most of us have a general understanding of the dark web, we are still unaware of the specific activities it facilitates, and how it affects us on a daily basis.

ATMs are a common part of our everyday lives, yet we know little about how ATMs can be exploited, by even the most novice of attackers. At CloudSEK, we have unearthed a range of techniques and devices, that are used and sold on the dark web, for the purpose of hacking ATMs. 

There used to be a time when hacking an ATM required sophisticated skills and tools. Not anymore. We have encountered amateurs with rudimentary skills, who have hacked ATMs, using the tools and tutorials available on dark web marketplaces. This is possible because the devices sold on the dark web come with detailed instruction manuals. And most of these devices can be operated remotely, using an Antenna, to target systems that run on basic Windows XP. 

ATM Malware Card

On the dark web, anybody can buy an ATM Malware Card, that comes with the PIN Descriptor, Trigger Card and an Instruction Guide. This manual provides step-by-step instructions on how to use the card to suspend cash from ATM machines. Once the ATM Malware card is installed in the ATM, it captures card details of all the customers who subsequently use the ATM. The Trigger card is then used to dispense cash from ATMs.

(Fig.1: Screenshot of dark web shopping site: ATM Malware Card with product description)
(Fig.1: Screenshot of dark web shopping site: ATM Malware Card with product description)

The image above, shows the product description provided on dark web marketplaces, to advertise the features and benefits. This malware mainly targets ATM machines that run on Windows XP. This card is capable of drawing out all the money that is available in the affected machine; which could amount to as much as $500,000. The product description is so detailed that even a layman can use it to hack an ATM. 

USB ATM Malware 

Another prevalent method to fraudulently dispense cash from ATM Machines, is by infecting them with a Malware hosted USB drive. This method also targets  machines that run on Windows XP. 


(Fig.2: Screenshot of dark web shopping site: USB ATM Malware with product description)
(Fig.2: Screenshot of dark web shopping site: USB ATM Malware with product description)

This image describes the product in simple words, with details about what files are contained in the USB drive, and instructions on how to use it to orchestrate an attack.


Apart from individual sellers, there are also online shops that sell such products. One such shop is the ATM Skimmer Shop (all in one), that offers ATM hacking appliances such as EMV Skimmers, GSM Receivers, ATM Skimmers, PoSs, Gas Pumps, Deep Inserts, etc. 

(Fig.3: Screenshot of ATMSKIMMER Shop on the dark web)
(Fig.3: Screenshot of ATMSKIMMER Shop on the dark web)

The same shop also offers prepaid credit cards with high balances at different price points. The shop also updates and stocks itself with the latest cracking devices released in the market, such as POS Terminals, Upgraded Antenna, custom-made ATM Skimmers, RFID Reader/Writer, etc. This shop was previously available on the surface web, but is now available only on the dark web. Here, hacking devices that need be physically attached to ATM machines, such as the ATM Insert Skimmer or Deep insert, are also sold


(Fig.4: Screenshot of dark web shopping site: Deep Insert with product description)
(Fig.4: Screenshot of dark web shopping site: Deep Insert with product description)

The image above describes the benefits of using an insert skimmer to hack an ATM. It is advertised as a “plug and play” product, implying that it is a ready-to-use product. 

Anyone who has access to the dark web and this shop, can order any of their products, hassle-free. Another such online shopping site is the Undermarket that claims to sell bank fullz and physical bank cards on their platform. 

(Fig.5: Screenshot of Undermarket forum posts suggesting the availability of Fullz)
(Fig.5: Screenshot of Undermarket forum posts suggesting the availability of Fullz)

There are underground hacking forums that discuss and sell tutorials on how to hack bank accounts using Botnets, and other such topics. Forums such as Optimus Store, sell these malicious files for $100. 

(Fig.6: Screenshot of dark web forum: Files that aid hacking put for sale)
(Fig.6: Screenshot of dark web forum: Files that aid hacking put for sale)

A recently uncovered, active ATM Jackpotting method that uses a malware, is called Ploutus-D. It works by compromising components of a well-known multivendor ATM software, to gain control over hardware devices such as dispensers, card readers, and pin pads. It allows the hacker to suspend all the cash from affected machines, in a few minutes. The source code for this malware, along with instructions on how to use it, are sold on the dark web.

(Fig.7: Screenshot of shopping site on the dark web: Ploutus-D added to cart)
(Fig.7: Screenshot of shopping site on the dark web: Ploutus-D added to cart)


Be Vigilant

As hacking tools and techniques become ubiquitous, it is important to be aware and vigilant, by understanding new and sophisticated trends in hacking, and how you can defend yourself against them. 

About XVigil

XVigil Solutions provide organizations unified supervision across the internet, their brand, and their infrastructure. It yields analytics and actionable intelligence, needed to tackle external threats, by deploying comprehensive security scans and monitors.

See how XVigil has helped businesses across the globe combat digital risks: https://cloudsek.com/customers/

Learn more about XVigil: https://cloudsek.com/

Opera (Presto) Source Code Leaked on Dark Web

by Rakesh Krishnan

Leaking the source code of the proprietary tools is not a new scenario in the cyber threat arena. Recently, Windows 10 source code was leaked into “Beta Archives’ FTP”; (later removed) which is an active discussion forum on Windows Releases.

Sometimes, it may be an Insider Threat (Breach) or other times, it may be an Intrusion which ultimately classified into “Leaks”.

Few months ago, the source code of the proprietary tool named “Presto”- a browser layout engine used by Opera, was leaked in January 2017 into a code sharing site “GitHub” and later to “BitBucket”. Although Opera is recognized as an open source material in the outer world; the layout engine which they were using earlier was a proprietary product inside the Opera Community.

It was taken down immediately by the DMCA Takedown Request filed by Opera; the complete packages had been removed from multiple code sharing platforms like GitHub and BitBucket.

The netizens had expressed their notion against the takedown of Presto Engine; expressing their views to open source the product; voicing through social media platforms like Reddit and other online forums; but no response hit back.



The whole repository of Presto Engine had come live in the TOR network sited as http://xxxxxxxx5q5s4urp.onion/.

This onion site also provided the ways to download the entire package (which is huge) using the following wget command:

wget -m http://xxxxxxxx5q5s4urp.onion/

In case, if any error occurs while mirroring/downloading the complete onion domain; the site had also facilitated it by subdividing each branch; hence making it into archives format: http://xxxxxxxx5q5s4urp.onion/browser.git/, so that clone command can be used effectively as:

git clone xxxxxxq5s4urp.onion/browser.git

During an investigation, it was found that the onion site had been created on 20th December, 2017 and is hosted on an unstable Nginx server. It was accessible at some time; which makes it unstable.

Hosting the leak in the deep web is a clever method to evade the take downs from DMCA or other legal entities, as the onion domains will not be tracked; and can’t break until it is attacked by any means like DDoS.

Presto was being used by Opera till 2013; switched to WebKit engine.

Although the source code had been in no use; still it can be referenced by anyone to analyze the methods in the Opera community; hence the future proprietary apps from Opera could be using the same strategy for the development.

CloudSEK is a Unified Risk Management Platform. Our AI/ML technology based products XVigil and CloudMon monitor threats originating from the Web, DarkWeb, Deep Web,  Web applications etc.. and provide real time alerts.

Santa-APT: Android and Blackberry Malware Technical Analysis Part 2

CloudSEK is an artificial intelligence technology-based risk monitoring enterprise, which focuses on customized, intelligent security monitors.

CloudSEK’s SaaS-based products help a client, assess security real-time from the perspective of an attacker 24*7. Our monitors track our client’s various Internet-based resources for potential security risks. Instead of using traditional static threat detection engines and manual verification process our monitors use Artificial Intelligence to identify threats.

The blog is an analysis of some critical information CloudSEK acquired from our data partner.

At CloudSEK we monitor and attribute all potential threats that affect Cloud services. In our previous blog we wrote about a group of attackers code named as Santa-APT that was functioning as a cyber crime unit as well as an APT. This team targeted Cloud servicing vendors as well.

Santa-APT team had multiple games and apps on Playstore as well as other android markets. These games never had all permissions required to do full data theft. The actual malware payloads came as updates.  They not only had Android Malware but Blackberry versions too. In this blog we will provide more technical details regarding their payloads.

Screenshot of Santa-APT mobile malware interface.

Part 1 attribution: https://cloudsek.com/harbour-aimed-a-slowen-down-in-singer-city-screening/

As mentioned before, the payloads come in the form of an Update. Here we are sharing the analysis of three different updates [2 for android and 1 for Blackberry] that are used by Santa-APT.

Android SMS stealers:

These updates are for stealing SMS information, similarly they have updates that can perform various other functionalities as mentioned in our previous article.


MD5 (remote.apk) = af543393e0d6da372cd781a928895c79

MD5 (IncomingSMSApp-1.apk) = 5bd71e7b465c1a8435ff0d4b093289e3sha256






This update steals messages from devices and sends it off to a CNC server. From the looks of it, this is just testing app which will later be integrated to a full-fledged malware.

Sending text message code:

It connects to the backend, which pushes xml. The xmlpullparser modules parses the received xml and executes the tasks in the application accordingly.

Android Call, Camera and GPS collection:


App Name : Android Care

Launcher Display name: update

SHA512(aps.apk)= 92c2979398c7f89c19d2a7e038a4fbca2dce99fc1741382b27abefb46e5fd8ed5c887ff8ca5ec0b39c15f47955e62f3f29a9cd8a6dace3509ce2bcd4975de37c

Malware Class: droidFakePatch

sha256: 21ae32e66f80e8479264163eec340732c05c1f7d7d408c7d2ff623deaba4a920

This module has the functionality to collect call, GPS and camera data. This mostly works on triggers. Like lets say the user is in a specific building , then it sends an sms to the Master number. Various other triggers like talking while driving etc is calculated . It is possible from the admin site to configure what all triggers are configured and so on. This data comes from the server in XML format which is parsed by the Spyware app. We have previously documented the controller interface that does this functionality .

While trying to un-install, it gives an intimidating message like below, where in the user thinks that he should be doing something wrong and doesn’t un-install.

This is achieved by fiddling with the android:label section in the androidManifest.xml file.


From the phone dialer, its possible to check if this spyware is running or not by dailing

*#0006#, this must be added for testing purpose.

Screen Shot 2015-12-30 at 1.10.40 PM

There is an XML endpoint which gets config data such as “set Master Number” etc. The alerts are sent to this number when a trigger is activated.  Following are the data it collects.

Screen Shot 2015-12-30 at 1.13.55 PM


Screen Shot 2015-12-30 at 1.15.55 PM


A module that steals pretty much everything. 

Name: droidFakePatch

Type:  Class file

Signatures :

sha256: 21ae32e66f80e8479264163eec340732c05c1f7d7d408c7d2ff623deaba4a920



The application disguises itself as an android secure patch, when installed disappears from the Android Launcher, which convinces the user to believe that the patch would be applied. The app runs as a background service and provides no GUI or App icons for a user to interact with. It monitors for calls, sms, contacts, Images and Videos in the device and connects to a CNC server over network. While reverse engineering the malware, it appears to be well structured and carefully planned.

Screen Shot 2015-12-30 at 1.48.33 PM


The app requests permissions for almost all the data it needs to spy on. It also requests for certain system level permissions that would be granted if the device running the app runs an outdated version of android, since some permissions were moved to signature level recently in the latest releases of android.

Permissions requested:

– make calls and reroute calls

– read and send sms

– read Bookmark, history

– read/write to SDcard

– full network access

– run at startup

– change system settings, prevent sleep, change audio settings etc

Screen Shot 2015-12-30 at 1.49.03 PM


Once the application has started, it removes itself from the Launcher Screen and starts the background activity. It achieves this by calling the below API.

Screen Shot 2015-12-30 at 1.51.07 PM

Most of application logic is run within the background service. The Controller Class verifies if it’s the first run or not by reading values from shared preferences and issues intents accordingly.


Screen Shot 2015-12-30 at 1.51.48 PM

OnStart Method of the MainService Class also registers an Intent Filter for two events, i.e. android.intent.action.SCREEN_ON, android.intent.action.SCREEN_OFF, which enables the application to be aware of the above events while a user turns on and off his mobile device screen.

Screen Shot 2015-12-30 at 1.52.50 PM

The app then checks for the SimIMSI number, logs SIM change events and updates its internal database. It also logs the users phone number, the state of the phone etc. and also registers observers for contacts, SMS, images and video as shown below. These observers notify the application in their onChange methods, where there is code to update the new entries in the internal database and later upload it to the CNC.

Screen Shot 2015-12-30 at 1.53.05 PM

The application has capabilities for camera, audio, video and call recording which it has permissions for. The data is either stored in the SDcard or within the sandbox and later uploaded to the CNC. The data uploaded is done using plain http, xml data over http as well as by an sftp module.


Application Sandbox:

Most of the structured data; like incoming / outgoing call lists, contacts, SMS, GPS information etc. is stored in the database and uploaded to the CNC when a network connection is available. There are no native binaries used in the application. Shared preferences file is used to maintain the state of service that is run in the background.

Screen Shot 2015-12-30 at 2.00.13 PM

Blackberry Malwares :

The group performed operations similar to the android updates for stealing Blackberry users data.

Name: Update.jar

Type:  Java archive

Signatures :

SHA512(Update.jar)= 0302bbf67937cffc8177511481165ab53d3cbdabfaf2cd2cdfda04633d18b5eedc49a066b593de4f822a301392817b2b047aef276ef8faee7172dc8a5d7f08e2
SHA512(Update.jar)= 73d7afeb0af7efe579ddcefa2823c5f05d4465a93df123e2c3a63fc817283b032c7ecd11e312c0ca8c90e843ebe372771032efcf6c88e1bc84a40cf3fd429449
SHA512(Update.jar)= e97fefb240845e2ddd234dcec13e59ef038229ea42f7bad878fc407f219ff54443b6682aea1dc58fc85d22c45cc3a97e2ec3fd294b06e1262c66fffed2acacd6
SHA512(Update.jar)= e97fefb240845e2ddd234dcec13e59ef038229ea42f7bad878fc407f219ff54443b6682aea1dc58fc85d22c45cc3a97e2ec3fd294b06e1262c66fffed2acacd6
SHA512(Update.jar)= e97fefb240845e2ddd234dcec13e59ef038229ea42f7bad878fc407f219ff54443b6682aea1dc58fc85d22c45cc3a97e2ec3fd294b06e1262c66fffed2acacd6
SHA512(Update.jar)= 73d7afeb0af7efe579ddcefa2823c5f05d4465a93df123e2c3a63fc817283b032c7ecd11e312c0ca8c90e843ebe372771032efcf6c88e1bc84a40cf3fd429449
SHA512(Update.jar)= 0302bbf67937cffc8177511481165ab53d3cbdabfaf2cd2cdfda04633d18b5eedc49a066b593de4f822a301392817b2b047aef276ef8faee7172dc8a5d7f08e2

Blackberry version of the malware steals the following information.

  1. Emails
  2. Media files
  3. Contacts
  4. MMS data
  5. Calendar
  6. Audio recording
  7. SMS
  8. GPS location
  9. Installed applications

Screen Shot 2015-12-30 at 4.06.56 PM


The collected data is uploaded and visualised on the same controller that is used by the android malware. The Blackberry malware uses Blackberry APIs . The code flaw and feature sets are all identical to the android malware. A more detailed analysis would be added if required in our next blog.


Screen Shot 2015-12-30 at 3.59.54 PM


The group has full-fledged malware capable of spying users in almost all avenues possible. Santa-APT team  doesn’t utilize any root / privilege escalation exploits, but makes use of the permissions the user granted it and quietly skims data to the CNC server. Hardcoded server addresses and API endpoints is spread in the binary and the networking module and uses both HTTP and sFTP communication to the CNC. Even though santa-APT had OSX developers and OSX applications, we have not identified any OSX malware form this group.

The target of this APT is so diverse, ranging from government officials, high profile individuals to engineers from technology companies. More attribution , victim informations and artifacts about Santa-APT could be provided on request at [theoracle (-@-) cloudsek.com ]

CloudSEK is thankful to Anto Joseph from garage4hackers for the android malware analysis.

Crimeware / APT Malware Masquerade as Santa Claus and Christmas Apps

by Rahul Sasi

CloudSEK is an artificial intelligence technology-based risk management enterprise, which focuses on customized, intelligent security monitors.

CloudSEK’s SaaS-based products help a client, assess security real-time from the perspective of an attacker 24*7. Our monitors track our client’s various Internet-based resources for potential security risks. Instead of using traditional static threat detection engines and manual verification process our monitors use Machine Learning and Artificial Intelligence to identify threats.

The blog is an analysis of some critical information CloudSEK acquired from our data partner.


CloudSEK monitors were researching the activities of an APT [Advanced persistent threat ] that is targeting software companies globally.What is interesting is this APT appear to conduct widespread intellectual property theft for economic gains, targeted individuals as well as performed intelligence gathering that would be useful for governments. Based on our analysis , the attacker have recently launched campaigns to target Christmas season. Malware masquerades as Santa Claus and many similar Christmas Apps.

Brief Overview :

CloudSEK was monitoring an underground hacking team, that was selling a Desktop malware in various underground forums. The desktop malware is specifically designed for jumping air-gapped systems , and given the type of documents the attackers are seeking , it was collecting classified data from software companies and government organisations.

The desktop malware after successful installation proceeds to callback to its controllers located in Germany . The main attraction of this Trojan is the capability to collect data from air-gapped systems. The trojan gathers system information and disk information and sends that to the controller. The malware collects two sets of data:

  1. Files
  2. Screenshots

One of the features was a USB module that is capable of collecting data from air-gapped systems [No internet access] . This module copies important data from an infected system to a plugged-in USB device till it reaches an infect machine that has got internet access. The malware was also copying trash folder from infected system into a hidden volume on the connected USB .

CloudSEK was able to obtain more information on attackers infrastructure and was able to identify how exfiltrated data was placed on the attacker’s servers . We observed that the data collected  are stored in a folders marked by an infection id on the controllers. Each victim will has an infection id and a folder related to his/her data.

 Screen Shot 2015-12-16 at 1.53.11 AM

Controllers seemed to have almost 120 GB of data as Malware and are constantly collecting critical files from infected machines.  The collected data are kept in their respective folders.


Screen Shot 2015-12-16 at 1.41.06 AM

Even though there were folders for key-logging and voice recording no actual code for this was found within the trojan nor any data on the controllers. It is possible the Trojan is still under development.

Based on many artefacts collected from this malware, controllers as well as passive dns query, its is confirmed that a company based in South Asia is responsible for the development of this malware. This company would be referred as santa-apt from here on.   This company on its website says that they provide software development consultation as well as provides spy softwares to monitor employees. Based on the above, CloudSEK monitors were constantly tracking this hacking team and our trackers were able to find the following information.

  1. CloudSEK found that Santa-APT is recruiting for Mobile App developers.
  2. Many of the developers who are working for Santa-APT has mobile application background [IPhone and Android ].
  3. We identified Santa-APT Mobile malware are masquerading as Games and utilities.
  4. And recently attackers started pushing malware pretending to be Santa Clause games.
  5. We identified many malware controllers used by Santa-APT .
  6. One of the malware controllers managed by Santa-APT belongs to a mobile malware .
  7. The mobile malware controller had nearly 8k infections .

Screenshot of the Android and  iOS Malware used by the team:

Screen Shot 2015-12-16 at 12.54.35 AMScreen Shot 2015-12-16 at 6.04.42 AM

We were able to get more information about the controllers and how collected data was monitored on the controllers. Further in this blog we would explain in detail about the various operations performed by the Mobile malware.

CloudSEK monitors were constantly tracking this hacking team and their infrastructure . While checking the contents of many applications owned by Santa-apt, we identified their mobile malware. The mobile malware after infection connected back to a C&C server over http. This IP was in the same network range as the desktop malware and was hosted in Germany.  The application is a mobile malware admin interface code named as “top gun”. There were almost 8k infected mobile users on that control panel.

CloudSEK was able to collect more data about the internal working of the mobile malware.

The controller had admin users as well as normal users:

Screen Shot 2015-12-16 at 2.42.35 AM


Each infected user data could be viewed by logging in with a username and password on the user panel .

User Data Dashboard:

Screen Shot 2015-12-16 at 2.46.14 AM

The mobile malware had the feature to upload the following data to the control panel.

  1. Contacts
  2. SMS
  3. Call Records
  4. Location Info
  5. Calendar
  6. Camera
  7. Cam Shots
  8. Video
  9. Environment Recordings
  10. Browser History
  11. Program Info
  12. Change Sim Card
  13. Device Status

That’s pretty much everything on the phone. And like every other android malware , the user has to grant permissions for app, and our Santa request for all the possible permissions.

Screen Shot 2015-12-16 at 4.54.45 PM

It has  a feature to upload minute-by-minute location of the user.

Screen Shot 2015-12-16 at 2.56.58 AM

Stolen SMS from infected Phones:

Screen Shot 2015-12-16 at 3.06.00 AM

Attacks were capable to play recorded call messages.

View/play call records:

Screen Shot 2015-12-16 at 3.07.26 AM



Screen Shot 2015-12-16 at 3.10.36 AM

Uploaded gallery contents video/image  from infected phones:
Screen Shot 2015-12-16 at 3.44.40 AM

Environment recordings:

An interesting feature to the controller was an option to send an alert to attacker if his victims leaves a particular region on map or enters a pre set region. This way attackers could track if his victim has reached office or left office. So if victims enters/leaves a pre set location, then the attackers gets an sms notification. Triggers are also made for calls and sms from a preset individual.

Screen Shot 2015-09-24 at 2.17.17 AM

Triggers could be used to record the environment of the user and upload back to the server.

Screen Shot 2015-12-16 at 3.21.04 AM


This Christmas make sure you think about security before installing an app.Verify the permissions you are granting an application before accepting them. Ensure that an application has enough legitimate reviews . And last but not the least, do not let someone else install any application on your official/personal devices.


About CloudSEK:

CloudSEK’s SaaS-based solution monitor client’s online assets from the perspective of an attacker 24/7 . CloudSEK monitor leverages modern machine learning technology to detect threats real time and provide actionable intelligence.
The target of this APT are so diverse, ranging from government officials , high profile individuals to engineers from technology companies .  More attribution , victim informations and artefacts about Santa-APT could be provided on request at [theoracle (-@-) cloudsek.com ]