Figure 1: Homepage of hxxp://paytm-megaoffer.com*

Chronic Phishing Targets Paytm, Flipkart, Amazon users

During the 2019–2020 holiday season, XVigil identified several phishing sites targeting popular eCommerce companies. Many of the domains were registered in December and were taken down after Christmas or New Year. This indicates that the sites’ main targets were shoppers eager to avail of holiday discounts.

Detection of phishing sites

XVigil’s fake domain finder monitors the web for fake or similar-looking domains that might infringe on a brand. When we calibrated XVigil to monitor Indian eCommerce companies, we detected a wide range of phishing domains.

Examples of sites detected by XVigil:
Figure 1: Homepage of hxxp://paytmmallcart.com*

hxxp://paytm-megaoffer.com*
hxxp://wowbuzz4.com/pytm_mall*
hxxp://paytmmallcart.com*
hxxp://flipkart-loot-offers.com*
hxxp://newyearflipkart.com*
hxxp://flpkartchrismus.com*
hxxp://amaazon.club*
hxxp://amozonsale.online*
hxxp://amaz-onofferzz.in*
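
The kind of lookalike check described above can be reproduced with edit distance over the host and the path of each indicator. The Python below is an added example, not XVigil's implementation; the `OFFICIAL` allow-list, the brand list and the distance threshold of 1 are assumptions.

```python
import re

BRANDS = ["paytm", "flipkart", "amazon"]               # brands named in the article
OFFICIAL = {"paytm.com", "flipkart.com", "amazon.in"}  # assumed allow-list

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_indicator(indicator):
    """Split a (possibly defanged) URL such as hxxp://a.b/c* into (host, path)."""
    rest = re.sub(r"^h(tt|xx)ps?://", "", indicator.strip().rstrip("*").lower())
    return rest.partition("/")[::2]            # (text before "/", text after it)

def closest_brand(text, max_dist=1):
    """Return (distance, brand) for the best near-match of a brand inside text."""
    squashed = re.sub(r"[^a-z0-9]", "", text)  # hyphens and underscores hide brands
    best = None
    for brand in BRANDS:
        for size in range(len(brand) - max_dist, len(brand) + max_dist + 1):
            for start in range(max(len(squashed) - size + 1, 0)):
                d = edit_distance(squashed[start:start + size], brand)
                if d <= max_dist and (best is None or d < best[0]):
                    best = (d, brand)
    return best

def classify(indicator):
    """Return (brand, 'host' or 'path', distance), or None if nothing is flagged."""
    host, path = split_indicator(indicator)
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return None
    label = host.rsplit(".", 1)[0]             # host without its TLD
    for location, text in (("host", label), ("path", path)):
        hit = closest_brand(text)
        if hit:
            return (hit[1], location, hit[0])
    return None

SAMPLES = """hxxp://paytm-megaoffer.com* hxxp://wowbuzz4.com/pytm_mall*
hxxp://paytmmallcart.com* hxxp://flipkart-loot-offers.com* hxxp://newyearflipkart.com*
hxxp://flpkartchrismus.com* hxxp://amaazon.club* hxxp://amozonsale.online*
hxxp://amaz-onofferzz.in*""".split()  # indicators from the article, still defanged
REPORT = {s: classify(s) for s in SAMPLES}
```

A distance of 0 means the brand string appears verbatim once separators are removed; a distance of 1 catches single-character typos such as `flpkart` and `pytm`.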


Overall Investigation

  • Firstly, we ascertained the phishing sites’ domain details, including the server, IP, registrant, and admin.
  • Prima facie, we were able to determine that the sites had certain similarities:
    • Irrespective of the eCommerce site being targeted, the most common payment platform was the Paytm payment gateway.
    • Many of the sites, including 2 Paytm phishing sites (hxxp://paytm-megaoffer.com*, hxxp://wowbuzz4.com/pytm_mall*), were hosted on the same IP. So, both sites could be the work of the same scammer or group of scammers.
  • Some sites, though not hosted on the same server, share overall website design, look and feel, site navigation, and data input methods.

Paytm phishing analysis

  • The sites appear familiar and trustworthy because:
    • The look and feel of the sites are similar to the official Paytm site.
    • Usage of Paytm logo.
    • Transacting through the widely trusted Paytm payment gateway.
  • The sites list a limited number of products, but at highly discounted prices. For example, the listed price of the iPhone 11 is INR 5999, and a countdown indicates that the offer is valid only for the next few minutes. These factors make it tempting for even the most discerning of customers to make hasty purchases.
  • The following characteristics of the sites are proof of the scammers’ rudimentary technical skills:
    • Presence of default or dummy content.
    • Poor web design features such as blurred images and grammatical errors.
    • Poor coding practices such as the absence of validation of details entered in the phone number and pin code fields.
    • The conspicuous lack of HTTPS certification.
    • Limited product catalogue.
    • Unbelievably low pricing.

Figure 2: Dummy content in the blog section of hxxp://paytmmallcart.com*

How the phishing sites work

The shopper browses the site and adds the product to the cart.

Figure 3: The iPhone 11 listed for INR 5999 on hxxp://paytmmallcart.com*

The billing section collects the customer’s personal details including phone number, email id, and address. The scammers could use these details to devise other fraudulent schemes.

Figure 4: Billing page of hxxp://paytmmallcart.com* collects personal details of users

The customer is directed to the payment page.

Figure 5: Paytm payment listed as the only payment option on hxxp://paytmmallcart.com*

The customer then lands on the Paytm payment gateway to complete the transaction.

Figure 6: Users are redirected to Paytm payment gateway

Paytm Payment Gateway Analysis

Many phishing sites, irrespective of the eCommerce company they are targeting, use the Paytm payment gateway. It is notable that there are merchants registered with fake names such as ‘for’. One of the merchants goes by ‘One Communications’. The name closely mimics One97 Communications, Paytm’s parent company, which lends the site an air of legitimacy.

Figure 7: Paytm payment gateway merchant ‘One Communications’

From the source code of the payment pages we identified the following merchant details:

  • hxxp://paytm-megaoffer.com*
    Merchant: One Communications
    MID: kRdXWH24078674748775
  • hxxp://paytmmallcart.com*
    Merchant Name: for
    MID: GPZvOS78323169981271
  • hxxp://flipkart-loot-offers.com*
    Merchant: Online Mobile Shop
    MID: kLJwiy42558605770665
  • hxxp://newyearflipkart.com*
    Merchant: Lucky Mobile And Lamination
    MID: nixGaL07658395498481

Source Code Analysis

  • We analysed the source code of both sites and discovered that hxxp://paytm-megaoffer.com* was importing the hxxp://wowbuzz4.com/pytm_mall* source code.
  • hxxp://paytm-megaoffer.com* and hxxp://wowbuzz4.com/pytm_mall* were found to have the same Google Analytics ID (UA-131481750-1). It is uncommon for two unrelated sites to have the same Google Analytics ID.

This indicates that both sites belong to the same scammer or group of scammers.

Figure 8: Source code of hxxp://paytm-megaoffer.com*

Attribution

The contact details used to register hxxp://paytmmallcart.com* are not available, and those of hxxp://wowbuzz4.com/pytm_mall* cannot be traced back to any person or organization. However, hxxp://paytm-megaoffer.com* can be traced back to Parate Traders, a business in Nagpur.

Despite having different name servers, hxxp://wowbuzz4.com/pytm_mall* and hxxp://paytm-megaoffer.com* are hosted on the same IP. Therefore, whoever runs hxxp://paytm-megaoffer.com* is likely also responsible for hxxp://wowbuzz4.com/pytm_mall*.
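
The correlation used in the Source Code Analysis and Attribution sections (a shared Google Analytics ID and a shared hosting IP) amounts to clustering sites by common indicators. The Python below is an added example, not CloudSEK's tooling; the HTML snippets, the IP addresses (documentation ranges), the ID UA-00000000-1 and `unrelated-shop.example` are constructed, and only the two site names and UA-131481750-1 come from the article.

```python
import re
from collections import defaultdict

# Constructed observations: site -> (hosting IP, excerpt of page source).
OBSERVATIONS = {
    "paytm-megaoffer.com": ("192.0.2.10",
        "<script>ga('create', 'UA-131481750-1', 'auto');</script>"),
    "wowbuzz4.com/pytm_mall": ("192.0.2.10",
        "<script>gtag('config', 'UA-131481750-1');</script>"),
    "unrelated-shop.example": ("198.51.100.7",
        "<script>ga('create', 'UA-00000000-1', 'auto');</script>"),
}

GA_ID = re.compile(r"\bUA-\d{4,10}-\d{1,4}\b")   # Universal Analytics property ID

def indicators(ip, html):
    """Indicators a site exposes: its hosting IP and any Analytics IDs in its source."""
    found = {("ip", ip)}
    found.update(("ga", ga) for ga in GA_ID.findall(html))
    return found

def cluster(observations):
    """Group sites that share at least one indicator (union-find over sites)."""
    parent = {site: site for site in observations}

    def find(s):
        while parent[s] != s:
            parent[s] = parent[parent[s]]        # path halving
            s = parent[s]
        return s

    first_seen, shared = {}, defaultdict(set)
    for site, (ip, html) in observations.items():
        for ind in indicators(ip, html):
            if ind in first_seen:                # indicator already seen elsewhere
                parent[find(site)] = find(first_seen[ind])
                shared[ind].update({site, first_seen[ind]})
            else:
                first_seen[ind] = site
    groups = defaultdict(set)
    for site in observations:
        groups[find(site)].add(site)
    return sorted(map(sorted, groups.values())), dict(shared)

GROUPS, SHARED = cluster(OBSERVATIONS)
```

`SHARED` records which indicator linked which sites, so an analyst can weigh a shared Analytics ID more heavily than a shared IP on multi-tenant hosting.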

Impact of phishing

Figure 9: Social media post of a user scammed by a Paytm phishing site

Phishing scams are the oldest and most rampant type of cyber threat. They are fairly simple to orchestrate, but have the potential to severely impact a company’s reputation and revenue.

Apart from the targeted eCommerce companies, phishing also damages the reputation of the payment gateway that facilitates the fraud. Paytm for Business enables a variety of online and offline transactions. Hence its reputation among shoppers and legitimate merchants will be tarnished by the concerted misuse.

We found a social media poster who claims to have lost money to a Paytm phishing site. Other than the immediate loss of money, users could become victims of other scams that leverage the personal details collected via the phishing sites.

Mitigation

Considering how easy it is to buy a domain, phishing cannot be tackled by taking down pages or sites. Also, companies often detect phishing sites only after users have been affected. To begin with, eCommerce companies should proactively monitor and take down phishing sites. In addition, Paytm should disable or block the scammers’ Paytm for Business accounts. This will hinder transactions on all phishing sites that use the same merchant accounts.

In the long term, eCommerce companies should identify and counteract the servers that host these phishing sites. Furthermore, they should take action against the scammers they can identify by leveraging the domain details and MIDs.

Conclusion

Phishing sites such as hxxp://paytm-megaoffer.com*, hxxp://wowbuzz4.com/pytm_mall*, and hxxp://paytmmallcart.com* are not anomalies. When combined with the misuse of the Paytm payment gateway, these scams indicate a concerted effort to exploit Paytm and its users.

A company’s brand image is the fruit of sustained effort and strategic planning. However, it takes only one malicious attack to undo the hard-won trust and goodwill of its customers. And any damage to this intangible asset can have serious and far-reaching consequences.

A continuous monitoring tool, such as CloudSEK’s XVigil, helps companies sustain a continual brand scan to effectively combat fake pages, impostors, rogue applications, and domains.

*Note: All http links have been obfuscated to hxxp to avoid spam alerts.

Written by:

Ashok Krishna is a Threat Intelligence Analyst at CloudSEK. With 4 years of cyber security experience, he specializes in Threat Investigation and DFIR (Digital Forensics and Incident Response Distribution). He also participates in ethical hacking contests, tweets about cyber threats, and watches thrillers on the weekends.

Deepanjli is CloudSEK's Lead Technical Content Writer and Editor. She is a pen wielding pedant with an insatiable appetite for books, Sudoku, and epistemology. She works on any and all content at CloudSEK, which includes blogs, reports, product documentation, and everything in between.