ID Card Printing Scams Orchestrated by UP-Based Group Defrauds the Indian Public

Researcher: Aarushi Koolwal
Analysts: Abhinav Pandey & Vikas Kundu
Editor: Benila Susan Jacob

Despite India’s digital revolution, a large swath of the population still prefers physical copies over their digitized counterparts, especially when it comes to ID cards such as driving licenses, Aadhaar, etc. This need accounts for the existence of corner shops that provide ID printing services. However, with physical stores shutting down due to the pandemic, many have turned to the internet to avail of ID printing services.

This trend has led to threat actors jumping on the bandwagon by hosting fake websites and impersonating major Indian firms that claim to deliver hard copies of ID cards. Scores of Indian citizens have fallen prey to this scam. Since individual losses only amount to a few hundred rupees, victims and law enforcement are not in any hurry to dismantle these campaigns. But given the scale of the operation, it deserves closer investigation.

In this blog, we delve into the modus operandi of an Uttar Pradesh-based group that is running a large-scale ID card printing scam campaign, impersonating popular Indian brands to defraud the Indian public.

UP-Based Group Running Large-Scale ID Card Printing Scams

CloudSEK’s contextual AI digital risk platform XVigil uncovered an Uttar Pradesh-based threat group operating hundreds of fake ID printing websites, with the following shared characteristics:

  • The domains impersonate popular Indian brands (telecommunication providers, banks, payment wallets, courier services, etc.), including Fino Payments Bank, DTDC, and India Post, in order to appear legitimate.
  • The threat group employs Google Ads, social network pages, and SEO techniques to distribute and popularize these domains.
  • The websites offer printing services for ID cards such as Aadhaar, PAN, and driver’s licenses, along with related services such as account opening.
  • Victims are duped into sharing their PII (Personally Identifiable Information) and OTPs on a KYC portal integrated with popular payment channels.
  • Threat actors can sell the PII or use it to orchestrate other scams. They also use the OTPs to gain access to victims’ accounts, lock them out, and carry out unauthorized transactions.

Rise in Printing Service Scams in India

There has been a significant increase in the usage of Aadhaar recently, and the demand for Aadhaar-based authentication grew between 2018 and 2021 (UIDAI Annual Report 2020-21). This increase can be attributed to the enhanced use of Aadhaar alongside other two-factor authentication (2FA) methods. The graph below depicts the use of Aadhaar for authentication, which reached an all-time high of 1,413.40 crore transactions in the 2020-21 fiscal year.

Graph depicting the rise in Aadhaar-based authentication in 2017-18 and then again in 2020-21 (Source: UIDAI)

Whois data on newly registered domains reveals a noteworthy correlation between the number of malicious domains registered in 2020-21 and the rise in Aadhaar-based authentication.

Malicious domains registered each year (Source: Whois)

CloudSEK’s Investigation of ID Printing Scams

XVigil’s routine scanning identified multiple fake domains advertising cheap printing and laminating services to scam people. Further investigation revealed multiple fraudulent websites advertising similar services with fake customer support numbers concentrated in the Western Uttar Pradesh region. A thorough examination of the campaign revealed that these websites are part of a large-scale campaign involving unauthorized access to victims’ KYC portals. Multiple complaints have been posted by the victims of these scams on various social media platforms such as Twitter and Facebook.

Flowchart representing the outline of the scam

Anatomy of the Scam

Luring Victims to the Malicious Domains

Unsuspecting users are deceived into visiting these malicious websites either in direct or indirect ways.

The Direct Method

This is a method of spamming victims with messages, emails, or social media communication which contain URLs of the malicious websites, along with the promise of partnership and financial returns. The lure of easy money prompts the user into clicking the link and visiting the malicious website.

The Indirect Method

In this method, the malicious domains are distributed using SEO (Search Engine Optimization) techniques or via social media platforms.

SEO Technique

  • The malicious domains are strategically placed in Google search results using SEO techniques and optimized with multiple keywords related to Aadhaar, PAN, Voter ID, etc.
  • For example, the malicious domains aadharprint[.]in and digitalfastprint[.]in are ranked second and fifth respectively, directly after the original website.
  • Such high SERP (Search Engine Results Pages) positions are achieved by employing multiple black-hat SEO techniques, such as adding a large number of unsolicited backlinks.

Social Media

  • The malicious links are distributed to users via sites such as Facebook, Twitter, and YouTube.
  • Research uncovered multiple YouTube videos and channels with many views, embedded with links to these malicious domains.

Image depicting Maryam OSINT scan results for roboprints[.]in & digitalfastprint[.]in

Overview of the Campaign

  • XVigil detected hundreds of URLs spreading the campaign, which mapped to 9 common root domains.
  • Of the root domains investigated, roboprints[.]in and digitalfastprint[.]in received the highest share of traffic, 32.7% and 22% respectively.
  • Other prominent domains were ukprintz[.]xyz, ecyberlink[.]in, and aadharprint[.]in, which received 14.3%, 9.5%, and 4.8% of the traffic respectively.

Chart depicting traffic for root malicious domains

  • Each domain has multiple subdomains that correlate with other malicious root domains. For example, aadharprint[.]in has a subdomain named shivyog[.]aadharprint[.]in, which resembles shivyogprint[.]info, indicating that the domains could be owned by a single entity.

Image depicting subdomains of ‘aadharprint[.]in’

  • Currently a total of 69 domains are still functioning, along with a considerable number of inactive subdomains that were either active in the past or could be brought into use if the active ones are taken down.
  • The majority of these domains are registered through Publicdomainregistry[.]com (12) and godaddy[.]com (17), using various TLDs (top-level domains).
  • 11 of the domains used .in, 10 used .com, 4 used .online, 3 used .info and one each used .us and .top.
  • The domains also employ security solutions such as Cloudflare and Litespeed WAF.
  • CloudSEK has learnt from a confidential source that these websites use a database called ‘adhaar’ with a table named ‘Detailorder_mst’ containing 54,452 entries, collected over time.
  • Most of these domains contain logos and links of UIDAI and other governmental agencies.
  • A major chunk of the websites observed had poor frontend design and grammatical errors.
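The subdomain-to-root overlap and the TLD breakdown in the bullets above are the kind of pivots an analyst reproduces over an indicator list before filing takedown requests. The Python script below is an added example written for this page; it is not CloudSEK’s or XVigil’s tooling. Its input is a constructed list made up of the defanged domains quoted in this report (not the full set of 69), and its MULTI_LABEL_SUFFIXES table is an assumption standing in for the Public Suffix List. It refangs the indicators, groups them by registrable root, tallies public suffixes, and flags root pairs linked by a shared name or subdomain label, the way shivyog[.]aadharprint[.]in points at shivyogprint[.]info.

```python
"""Cluster defanged phishing domains by registrable root, public suffix and shared labels.

Added example for this page; not CloudSEK/XVigil code. The domain list below is
constructed from the defanged indicators quoted in the report, not the full set.
"""
from collections import Counter, defaultdict

# Constructed sample: the defanged domains quoted in the report above.
DEFANGED = [
    "roboprints[.]in", "digitalfastprint[.]in", "ukprintz[.]xyz", "ecyberlink[.]in",
    "aadharprint[.]in", "shivyog[.]aadharprint[.]in", "shivyogprint[.]info",
    "printkaro[.]xyz", "newprint[.]in", "newprint[.]ind[.]in", "aadhaarsmartcard[.]com",
]

# Assumption: a tiny stand-in for the Public Suffix List, which a real tool would load
# in full. Needed so newprint[.]ind[.]in is not mistaken for a subdomain of ind.in.
MULTI_LABEL_SUFFIXES = {"ind.in", "co.in", "net.in", "org.in", "firm.in", "gen.in"}


def refang(domain: str) -> str:
    """Turn 'example[.]in' back into 'example.in' for processing."""
    return domain.strip().lower().replace("[.]", ".")


def defang(domain: str) -> str:
    """Defang again before a value goes into a report or ticket."""
    return domain.replace(".", "[.]")


def split_domain(fqdn: str):
    """Return (registrable root, public suffix, list of subdomain labels)."""
    labels = fqdn.split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    suffix = ".".join(labels[-suffix_len:])
    root = ".".join(labels[-(suffix_len + 1):])
    sub_labels = labels[:-(suffix_len + 1)]
    return root, suffix, sub_labels


def tally_suffixes(domains):
    """Count registrable roots per public suffix (the TLD breakdown in the report)."""
    roots = {split_domain(refang(d))[0] for d in domains}
    return Counter(split_domain(r)[1] for r in roots)


def pivot_links(domains, min_len=5):
    """Find pairs of roots that share a name or subdomain label (prefix match).

    Labels shorter than min_len are ignored so generic fragments do not link
    unrelated sites. Returns sorted (root_a, root_b, shared_label) tuples.
    """
    labels_by_root = defaultdict(set)
    for d in domains:
        root, _, subs = split_domain(refang(d))
        labels_by_root[root].add(root.split(".")[0])  # the registrable name itself
        labels_by_root[root].update(subs)              # plus any subdomain labels
    links = set()
    roots = sorted(labels_by_root)
    for i, a in enumerate(roots):
        for b in roots[i + 1:]:
            for la in labels_by_root[a]:
                for lb in labels_by_root[b]:
                    long_enough = min(len(la), len(lb)) >= min_len
                    if long_enough and (la.startswith(lb) or lb.startswith(la)):
                        links.add((a, b, min(la, lb, key=len)))
    return sorted(links)


def report(domains):
    """Defanged summary lines suitable for pasting into an abuse report."""
    lines = [f"{defang(s)}: {n}" for s, n in tally_suffixes(domains).most_common()]
    lines += [f"{defang(a)} <-> {defang(b)} via label '{label}'"
              for a, b, label in pivot_links(domains)]
    return lines


if __name__ == "__main__":
    print("\n".join(report(DEFANGED)))
```

On the sample list the script links aadharprint[.]in with shivyogprint[.]info through the label “shivyog” and newprint[.]in with newprint[.]ind[.]in through “newprint”; the prefix-match rule is deliberately conservative, so a label such as “print” inside a longer name never counts on its own.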

Detailed Analysis of the Fake Domains Discovered

The malicious domains uncovered as a part of CloudSEK’s investigation had the following shared characteristics:

  • The websites advertised services such as:
    • Registration services for Ayushman Bharat
    • Account opening services for Kotak, RBL, Indusind, and ICICI banks at INR 99.
    • PAN and NSDL registration services
    • Wallet recharge services
    • Passbook printing services
    • Services for Fino, NSDL, India Post, and other wallet services.
    • QR code scanner
    • Aadhaar card lamination services
  • Sign-up and Sign-in pages require phone numbers and emails as inputs.
  • Logos of prominent organizations such as Fino Payment Bank.
  • Logos of government services including Ayushman Bharat, E-shram, etc.
  • Fake customer care numbers and WhatsApp support services.
  • Listed legitimate payment partners such as PayU.
  • India Post and DTDC are listed as delivery partners.
  • Social media presence, with thousands of followers on Facebook.

Identifying the Scammers

  • One of the threat actors connected to this scam is the owner of the phone number 88659 53003, obtained from one of the phishing websites, printkaro[.]xyz.
  • The actor has written an Amazon review in which they stated belonging to Najibabad, Uttar Pradesh. (For more information refer to the Appendix)
  • Most phone numbers listed on the scam sites belong to individuals in Uttar Pradesh West. Thus, it can be inferred that the scammers are based in Najibabad, Uttar Pradesh, India.

Fake Customer Care Numbers Uncovered

| Phone | Name | Email (if any) | Location |
|---|---|---|---|
| 97615 02188 | Aman Kumar | N/A | Uttar Pradesh West |
| 97615 02191 | Liza Khan | [email protected] | |
| 76185 33517 | New Print/ Mohd Faiz | [email protected] | Uttar Pradesh West |
| 9546801090 | Gungun Mobile | N/A | Bihar |
| 8340469639 | Gungun Mobile Shop Pachrukhiya Internet World/ Rahul Patel | [email protected] | Bihar |
| 9761502183 | N/A | N/A | Uttar Pradesh West |
| 9761502184 | Print Karo Office | [email protected] | Kolkata |
| 8865953003 | Digital Pan Banking | [email protected] | Uttar Pradesh West |
| 9152500514 | Raj Br | N/A | Mumbai |
| 9536878878 | Kendra | [email protected] | Uttar Pradesh West |
| 9760606361 | Aadharsmartcard | N/A | Uttar Pradesh West |
| 01341-297075 | Washif New Print | N/A | Uttar Pradesh West |

Impact of the Scam

A Tweet from 2017 about a scam platform dubbed “Maza Aadhaar”

The 2016 “Maza Aadhaar” scam targeted users under the pretense of Aadhaar plastic card printing services.

  • Threat actors can leverage the PII to carry out other social engineering attacks, identity thefts, phishing attacks, etc.
  • OTPs can be used to carry out unauthorized transactions on the victims’ bank accounts.
  • Threat actors can register SIM cards in the name of the victim and use them for illegal activities.
  • Aadhaar card and PAN card details can be used to create fake bank accounts, apply for loans, or to carry out other malicious activities.
  • In a recent scam, fraudsters reportedly used the PAN details of victims to avail of instant loans through a loan application.

Mitigation Measures

  • Avoid clicking on suspicious links.
  • Ensure the usage of MFA (Multi-Factor Authentication) and do not share OTPs.
  • Enter your ID data on official government websites only (sites with .gov extensions). Be cautious when entering it on any other site.
  • Ignore emails and messages from unknown sources, especially those that promise money. If possible, use an anti-spam solution for your email and anti-virus on your device.
  • If you come across a malicious domain, look up its registrar on whois.com and report the abuse.

Appendix

Account opening services on newprint[.]in
Snapshot of an Amazon review by the threat actor
Image depicting “aadhaar print” search results on google
The customer care number provided on the website
Snapshot from the Contact page of newprint[.]in
Images associated with “Gungun mobile shop pachrukhiya”
Images associated with the phone number 8865953003
Index page of aadhaarsmartcard[.]com
Ayushman Bharat registration form on newprint[.]in
Services related to NSDL on newprint[.]in
e-NSDL Registration form on newprint[.]in
Services related to NSDL on newprint[.]in
UCL services on newprint[.]in
Passbook print page of newprint[.]in asks for users’ account details
A user complaining about a fake website having access to the aadhaar database
Payment Gateway of a malicious domain page
Newprint[.]in mentioned on the Cancellation and Refund Policy page
Pre-payment page displays a logo of New Print
Sign-in page of newprint[.]in
Keywords used by threat actors for SEO optimization of Newprint[.]in
Snapshots from the source code of newprint[.]in
Sign-in page of newprint[.]ind[.]in
A Tweet claiming newprint[.]in and newprint[.]ind[.]in are running a scam
Customer care numbers listed on newprint[.]ind[.]in
Snapshot from the Refund Policy section of newprint[.]in
Snapshot from a Facebook profile stating Aadhaarsmartcard[.]com as a fraud service
Image depicting a user complaining about the fake printing service along with a payment screenshot

Aarushi Koolwal
Aarushi Koolwal is an avid cyber security learner.
Cyber Intelligence Analyst, CloudSEK

Abhinav Pandey
Abhinav is a Cyber Threat Researcher at CloudSEK. He has been engaged in offensive pentesting and OSINT. Apart from CloudSEK, he has been an enthusiastic contributor to social causes such as Diversity in Infosec. Abhinav also leads a music band as a lead singer and loves playing guitar!