Category: Adversary Intelligence
Industry: Government
Motivation: Financial
Region: India
Source*: A1
Executive Summary
Threat
- Social engineering campaign impersonating electricity officials to notify customers about pending bills.
- Victims are persuaded to disclose sensitive information and download third-party applications.
Impact
- PII can be exploited to conduct banking frauds and other social engineering attacks.
- Third-party apps can be used to gain access to the victim’s device and alter details.
Mitigation
- Send awareness notifications to customers informing them about the official messages and helpline numbers.
- Harden the payment portal for the customers to pay the dues.
Analysis and Attribution
Information from the Post
- CloudSEK’s AI powered Digital Risk Protection (DRP) Platform discovered a social engineering campaign launched by threat actors impersonating the official employees of KSEB (Kerala State Electricity Board).
- The campaign was carried out via text messages which requested the customers to connect with a particular number for assistance with their electricity bill payment.
- Upon contacting the given number, victims were instructed to download applications for "quick support" or to click on links, which subsequently compromised the victim's device and banking applications.
- Victims of this campaign suffered significant financial losses totaling more than INR 10 lakhs.
Messages sent to the customers
Information from OSINT
- The following three numbers were highlighted in messages sent by the threat actor to customers via WhatsApp and SMS.
- 7365038099
- 8388924157
- 7908919532
- Using the database of a smartphone application, the following details about the connected numbers were uncovered:
- All three numbers had the same geolocation, i.e., West Bengal, India. This hints at the possible location of the scammers.
- The mobile number “8388924157” was associated with an ongoing criminal case in Patna Sadar, Bihar. The next hearing of this case is scheduled for November.
[Figure: Ongoing case filed against 8388924157]
- The mobile number "7365038099" was seen in a conversation between affected victims, which divulged the TTPs used by the actors and mentioned that the scam resulted in the actors gaining access to the victims' WhatsApp accounts (yet to be verified).
[Figure: Conversation between affected customers]
- According to data from a payment gateway and an application, the following two names were found associated with the number "7365038099":
- Sanif Aktar
- Vijay Vijay Shrma
- One of the numbers associated with this fake campaign was also found to be associated with the campaign against PAYTM.
Techniques, Tactics, and Procedures (TTPs)
- The threat actors are targeting customers of KSEB via text messages and WhatsApp.
- The message templates are designed to create a sense of panic: they warn that if the pending bill is not paid by 9:30 p.m., the power supply will be cut off.
- The messages also mention a number to contact the officials from the electricity board for further assistance.
- The scammers are experienced enough to convince the victims to divulge sensitive details such as OTPs and banking credentials.
- Once the OTP/credentials are shared, it leads to a loss of funds from the victim’s account.
- After successfully stealing the victim’s money, the scammers continue to communicate with them and further convince them to download third-party applications, leading to complete access to the victim’s device.
- This access is later used to completely take over the device and alter the details as required.
- According to the information gathered from the case filed, it can be concluded that the scammers are experienced in executing social engineering campaigns against various entities.
- The scammers have the technical knowledge required to work with applications like RemoDroid, QuickSupport, AnyDesk, and other remote control applications.
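The TTPs above (bill theme, panic-inducing deadline, "call this number" instruction, a callback number that is not an official helpline, and a link or app download) can be turned into a simple triage rule that a utility's customer-care team or a SIEM ingesting reported SMS/WhatsApp text could run. The following is an added example written for this report, not CloudSEK's or KSEB's own tooling. It assumes that the three numbers listed in the OSINT section are the only known campaign numbers, and the official helpline set is a placeholder to be replaced with the utility's published contacts; the sample messages are constructed.

```python
"""Heuristic triage of SMS/WhatsApp text for the "pending electricity bill" scam
pattern: bill theme + urgency + same-day deadline + callback number + link.
Added example for this report; sample messages below are constructed."""
import re
from dataclasses import dataclass, field

# Numbers the report's OSINT section attributes to the campaign.
KNOWN_SCAM_NUMBERS = {"7365038099", "8388924157", "7908919532"}

# Placeholder: replace with the utility's published helpline numbers (assumption).
OFFICIAL_HELPLINES = {"0000000000"}

URGENCY_TERMS = ("disconnect", "power cut", "power outage", "cut off",
                 "immediately", "urgent", "today")
BILL_TERMS = ("electricity", "bill", "kseb", "dues", "pending")
CALL_TERMS = ("call", "contact", "whatsapp", "connect")

# Indian 10-digit mobile number, optionally prefixed with +91.
PHONE_RE = re.compile(r"(?<!\d)(?:\+91[\s-]?)?(\d{10})(?!\d)")
# Clock time such as "9:30 pm" / "9 p.m." used as a same-day cut-off.
DEADLINE_RE = re.compile(r"\b\d{1,2}(?::\d{2})?\s*[ap]\.?m\.?(?!\w)", re.I)
URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.I)


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)
    numbers: list = field(default_factory=list)

    @property
    def label(self) -> str:
        if self.score >= 5:
            return "scam"
        if self.score >= 3:
            return "suspicious"
        return "benign"


def triage(text: str) -> Verdict:
    """Score one message against the campaign's TTPs and return a Verdict."""
    t = text.lower()
    v = Verdict()
    if any(k in t for k in BILL_TERMS):
        v.score += 1
        v.reasons.append("bill theme")
    if any(k in t for k in URGENCY_TERMS):
        v.score += 1
        v.reasons.append("urgency language")
    if DEADLINE_RE.search(t):
        v.score += 1
        v.reasons.append("same-day deadline")
    v.numbers = [m.group(1) for m in PHONE_RE.finditer(text)]
    if v.numbers and any(k in t for k in CALL_TERMS):
        v.score += 1
        v.reasons.append("asks recipient to call a number")
    for n in v.numbers:
        if n in KNOWN_SCAM_NUMBERS:
            v.score += 3  # direct IoC hit outweighs the soft signals
            v.reasons.append(f"known campaign number {n}")
        elif n not in OFFICIAL_HELPLINES:
            v.score += 1
            v.reasons.append(f"non-official callback number {n}")
    if URL_RE.search(text):
        v.score += 1
        v.reasons.append("contains link")
    return v


# Constructed sample messages (not real customer reports).
SAMPLES = {
    "campaign": ("Dear customer, your electricity bill is pending. Power will be "
                 "disconnected tonight at 9:30 pm. Contact KSEB officer 7365038099 "
                 "immediately."),
    "unknown_number": ("Reminder: electricity dues must be cleared today, else "
                       "disconnection. Call 9876543210 for help."),
    "benign": ("Your electricity bill for May has been generated. Pay through the "
               "official portal or call the helpline printed on your bill."),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        verdict = triage(msg)
        print(f"{name:15} {verdict.label:10} score={verdict.score} {verdict.reasons}")
```

A real deployment would feed reported messages through `triage` and route anything labelled "scam" or "suspicious" to the fraud team, while the known-number set is updated as new numbers are confirmed; the thresholds are deliberately conservative so that a routine bill notification with no callback number stays "benign".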
Impact & Mitigation
Impact
- Financial loss to the victims.
- PII can be exploited to conduct banking frauds and other social engineering attacks.
- Third-party apps can be used to gain access to the victim’s device and alter details.
- Actors were luring the victims to divulge the OTP in order to gain access to WhatsApp.
Mitigation
- Awareness notification to be sent out to customers about the official messages and helpline numbers.
- Harden the payment portal for the customers to pay the dues.
- Monitor cybercrime forums to understand the tactics used by actors.
References
Appendix
[Figure: Geolocation information of the three contact numbers]
[Figure: Details of the case against 8388924157]
[Figure: Details of the case against 8388924157 (continued)]
[Figure: The number associated with the PAYTM fake campaign]
[Figure: Report on financial loss suffered by the victims of the campaign]
[Figure: Google Play reviews of the remote control "Quick Support" applications used by the scammers]