Online Kerala Lottery – An Investigation into the Impersonation Scam

Summary

Two applications impersonate the Directorate of Kerala Lotteries. These applications lure people into buying lottery tickets online.
Category: Adversary Intelligence
Industry: Government
Country: India
Source: B (Usually reliable), 2 (Probably true)

Executive Summary

THREAT IMPACT
  • Two applications that impersonate the Directorate of Kerala Lotteries, viz.:
    • Kerala Lottery Online
    • India Kerala Lottery
  • Risk of threat actors exfiltrating sensitive information and orchestrating phishing attacks.

Analysis and Attribution

  • CloudSEK’s contextual AI digital risk platform XVigil has discovered two applications that impersonate the Directorate of Kerala State Lotteries:
    • Kerala Lottery Online
    • India Kerala Lottery
  • These applications lure people into buying lottery tickets online. Threat actors use referral links to spread the campaign. To appear legitimate, the threat actors impersonate government entities and run fake advertisements from accounts with 200K+ followers on major social media platforms.
  • Further, the threat actors have bought the following domains, which act as payment gateways and allow them to accept payments from major UPI apps:
    • upibank.com
    • upibank.in
    • indiacashpayment.com
    • ybbpay.net
    • sliderummy.in
  • The threat actors are using 6 UPI IDs to carry out the transactions.
  • A strong connection was identified between the applications developed in this campaign, and previous campaigns targeting (now banned) Loan Apps. In both campaigns, ‘h5.domainname.tld’ is used to host important content of the website, which indicates that the same group of threat actors or the same SDK is being used to create and launch such campaigns.

Summary / Information on Campaign

  • Two applications hosted on the Google Play Store were found impersonating the Kerala lottery, which is sold only offline. They allow users to purchase tickets for online gambling.
    • Kerala Lottery Online
    • India Kerala Lottery
Applications listed on the Play Store; both applications have over 1 million downloads
  • Based on reviews posted on the Google Play Store, after successful installation of the lottery application from the Play Store, it prompts the user to install a secondary, self-hosted APK file.
  • It was found that both applications, "Kerala Lottery Online" and "India Kerala Lottery", display the same privacy policy but operate under different names.
  • Upon analysis of these two applications, the following email addresses were listed as the developer contacts:
  • A review on the Google Play Store (the second comment in the screenshot) suggests that the application owners also postpone the draw dates.
  • The applications ask for several permissions; notable among them is the request to install packages (required to install other applications on the device).
  • Detailed report on the applications

Delivery Mechanism

  • Threat actors have used a referral program to spread their apps: multiple Telegram groups, YouTube videos, and Facebook and Twitter posts promote the scam applications.
  • The landing page of the referral link promises that 5% of the winning amount will be shared with all users of the referral link, along with a free entry/ticket to the lottery.
  • Logos of the Directorate of Kerala State Lotteries, the National Informatics Centre, the State of Kerala and India were used.
  • YouTube videos explaining the entire installation and usage procedure for the application were also found. The referral link was also shared by the video uploader in the description of the video.
  • The video explains a different international lottery game, but carries a referral link to this campaign.
  • A Facebook page about the campaign has 8.2K likes and 33 followers.
  • Videos explaining the application were also posted on Facebook.
  • Fake Facebook profiles, using photos of Hollywood actors, are being created and used to advertise the application.
  • A Facebook page mentioning a Chinese entity was discovered, but no other mentions of the company were found on the internet.
  • The Twitter account promoting the application has 200K+ followers and has been promoting this application for over 6 months.
  • A Telegram channel with a long history of discussing and providing tips on offline lottery numbers is also promoting this application.

Technical Analysis of APK and Infrastructure

Domain names owned by the group

  • keralaticketone.com
  • lotteryadda.com
  • keralaticketonline.com
  • lottomegawin.com
  • kerala-ticket.com

  • Analysis of the APK revealed Chinese characters but no significant attribution to China, leading us to believe that a Chinese SDK was repurposed to develop the Android application.
Infrastructure and Attribution

IP addresses on which the application and associated domains were hosted (AWS, behind an Elastic Load Balancer):
  • 13.234.211.222
  • 13.232.224.42
  • 13.226.22.83

Sub-domains associated with the group's infrastructure:
  • m.lotteryadda.com
  • in.lotteryadda.com
  • www.lotteryadda.com
  • static.lotteryadda.com
  • bapi.testing.lotteryadda.com
  • api.staging.lotteryadda.com
  • api.game.lotteryadda.com
  • bapi.staging.lotteryadda.com
  • game.static.lotteryadda.com
  • h5.lotteryadda.com
  • dl.lotteryadda.com
  • lotteryadda.com
  • dl.game.lotteryadda.com
  • dl2.lotteryadda.com
  • job.staging.lotteryadda.com
  • admin.staging.lotteryadda.com
  • static.staging.lotteryadda.com
  • It has been observed that the threat actors host their content on sub-domains following the pattern h5[.]domain.
  • H5 sub-domains in this campaign:
    • h5.lotteryadda.com
    • h5.keralaticketone.com
    • h5.kerala-ticket.com
    • h5.keralaticketonline.com
  • Other domains owned by the group act as the payment gateway URLs, where the threat actors ask users to pay via UPI:
    • https://paymentupi.upibank.in
    • https://dashboard.upibank.in
    • https://pay.indiacashpayment.in
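As an added illustration for defenders (this script is not part of the CloudSEK report), the following Python code matches DNS resolver log lines against the indicators listed in this report: the group's domains and payment-gateway domains (any host equal to or under them), the three AWS IP addresses, and, as a weaker signal, the h5[.] sub-domain naming pattern noted above. The log line format and the sample lines are constructed assumptions; adapt the regular expression to your own resolver's output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators taken from the report above.
IOC_DOMAINS = {
    "keralaticketone.com", "lotteryadda.com", "keralaticketonline.com",
    "lottomegawin.com", "kerala-ticket.com",
    "upibank.com", "upibank.in", "indiacashpayment.com",
    "ybbpay.net", "sliderummy.in",
}
IOC_IPS = {"13.234.211.222", "13.232.224.42", "13.226.22.83"}

# Constructed resolver log format (assumption; not a real product's format):
# "<timestamp> client=<ip> query=<qname> type=<qtype> answer=<ip|->"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+) "
    r"type=(?P<qtype>\S+) answer=(?P<answer>\S+)$"
)


@dataclass
class Hit:
    ts: str
    client: str
    qname: str
    reason: str      # "ioc_domain", "ioc_ip" or "h5_pattern"
    confidence: str  # "high" for listed indicators, "low" for the pattern alone


def matched_domain(qname: str) -> Optional[str]:
    """Return the IoC domain that qname equals or is a sub-domain of, else None."""
    q = qname.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if q == d or q.endswith("." + d):
            return d
    return None


def is_h5_pattern(qname: str) -> bool:
    """The report observes content hosted on h5.<domain>; a pattern, not proof."""
    return qname.lower().startswith("h5.")


def scan_line(line: str) -> List[Hit]:
    """Return zero or more hits for one log line; unparsable lines yield nothing."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    ts, client, qname, answer = m["ts"], m["client"], m["qname"], m["answer"]
    hits: List[Hit] = []
    if matched_domain(qname):
        hits.append(Hit(ts, client, qname, "ioc_domain", "high"))
    if answer in IOC_IPS:
        hits.append(Hit(ts, client, qname, "ioc_ip", "high"))
    # Only raise the low-confidence pattern hit when nothing stronger matched.
    if not hits and is_h5_pattern(qname):
        hits.append(Hit(ts, client, qname, "h5_pattern", "low"))
    return hits


def scan_log(lines) -> List[Hit]:
    hits: List[Hit] = []
    for line in lines:
        hits.extend(scan_line(line))
    return hits


# Constructed sample log (not real traffic); 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges used here as benign answers.
SAMPLE_LOG = [
    "2023-01-10T10:00:01Z client=10.0.0.5 query=h5.keralaticketone.com type=A answer=13.234.211.222",
    "2023-01-10T10:00:02Z client=10.0.0.5 query=paymentupi.upibank.in type=A answer=203.0.113.7",
    "2023-01-10T10:00:03Z client=10.0.0.9 query=h5.example.org type=A answer=198.51.100.4",
    "2023-01-10T10:00:04Z client=10.0.0.9 query=www.example.net type=A answer=198.51.100.9",
    "2023-01-10T10:00:05Z client=10.0.0.11 query=cdn.example.net type=A answer=13.226.22.83",
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.ts} {h.client} {h.qname} {h.reason} ({h.confidence})")
```

Domain hits are the reliable signal; matches on the IP addresses alone deserve a second look before acting, because the report attributes them to AWS with an Elastic Load Balancer, and such addresses can be shared with unrelated tenants over time. The h5[.] pattern hit is kept separate and low-confidence for the same reason: it is a naming habit of this group, not an indicator on its own.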

UPI Address

UPI ID                    Company Name
gamecampipp               Gamecamp Technologies Private Limited
skenterprisesonline       SK Enterprises
aeroglide                 Aero Glide India Private Limited
nineciytechnologiesipp    Nine City Technologies Private Limited
byronipp                  Byrontec Solutions Private Limited
airpay.techslidet266763   Tech Slide Technology Private Limited

Appendix

Home page of the application

Review on Google Play Store

India Kerala Lottery Privacy Policy

Kerala Lottery Online Privacy Policy

Review on Google Play Store

Permissions required by the application as shown on BeVigil

Landing page of the referral link showing logos of Directorate of Kerala State Lotteries, kerala.gov.in, NIC

A youtube video with the referral link in the description
https://www.youtube.com/watch?v=ken8n8nUT60

https://www.facebook.com/people/Kerala-Lottery-Online/100083366756650/
Fake profile promoting the application

A page with the same name as the application having Chinese companies name and a now dead link to playstore

Twitter post advertising the application

This account has 212.4K Followers and has promoted the App multiple times

Telegram group advertising the application

Threat actors also send SMS to invite users to buy tickets on the platform.

Chinese characters in the source code of the website

The error generated on the website in Chinese characters

