Scammers Impersonate Electricity Board Officials to Gain Device Access & Exfiltrate Funds

We discovered a social engineering campaign launched by threat actors impersonating official employees of KSEB (Kerala State Electricity Board). The campaign was carried out via text messages that asked customers to call a particular number for assistance with their electricity bill payment.
Published on August 25, 2022
Updated on April 19, 2023
5 minute read
Category: Adversary Intelligence | Industry: Government | Motivation: Financial | Region: India | Source*: A1

Executive Summary

Threat
  • Social engineering campaign impersonating electricity officials to notify customers about pending bills.
  • Victims are persuaded to disclose sensitive information and download third-party applications.
Impact
  • PII can be exploited to conduct banking frauds and other social engineering attacks.
  • Third-party apps can be used to gain access to the victim’s device and alter details.
Mitigation
  • Send awareness notifications to customers informing them about the official messages and helpline numbers.
  • Harden the payment portal for the customers to pay the dues.

Analysis and Attribution

Information from the Post

  • CloudSEK’s AI-powered Digital Risk Protection (DRP) Platform discovered a social engineering campaign launched by threat actors impersonating official employees of KSEB (Kerala State Electricity Board).
  • The campaign was carried out via text messages that asked customers to call a particular number for assistance with their electricity bill payment.
  • Upon contacting the given number, victims were instructed to download applications for quick support or to click on URL links, which later compromised the victim's device and banking applications.
  • Victims of this campaign suffered significant financial losses totaling more than INR 10 lakhs.
Figure: Messages sent to the customers

Information from OSINT

  • The following three numbers were highlighted in messages sent by the threat actor to customers via WhatsApp and SMS.
    • 7365038099
    • 8388924157
    • 7908919532
  • Using the database of a smartphone application, the following details about the connected numbers were uncovered:
    • All three numbers had the same geolocation, i.e., West Bengal, India. This hints at the possible location of the scammers.
    • The mobile number “8388924157” was associated with an ongoing criminal case in Patna Sadar, Bihar. The next hearing of this case is scheduled for November.
Figure: Ongoing case filed against 8388924157
    • The mobile number "7365038099" appeared in a conversation between affected victims, which described the TTPs used by the actors and mentioned that the scam resulted in the actors gaining access to WhatsApp (yet to be verified).
Figure: Conversation between affected customers
    • According to data from a payment gateway and an application, the following two names were found associated with the number "7365038099":
      • Sanif Aktar
      • Vijay Vijay Shrma
    • One of the numbers associated with this fake campaign was also found to be associated with the campaign against PAYTM.

Techniques, Tactics, and Procedures (TTPs)

  • The threat actors are targeting customers of KSEB via text messages and WhatsApp.
  • The message templates are designed to create a sense of panic: they warn that if the pending bills are not paid by 9:30 p.m., there will be a power outage.
  • The messages also mention a number to contact the officials from the electricity board for further assistance.
  • The scammers are experienced enough to convince the victims to divulge sensitive details like OTP credentials.
  • Once the OTP/credentials are shared, it leads to a loss of funds from the victim’s account.
  • After successfully stealing the victim’s money, the scammers continue to communicate with them and further convince them to download third-party applications, leading to complete access to the victim’s device.
  • This access is later used to completely take over the device and alter the details as required.
  • According to the information gathered from the case filed, it can be concluded that the scammers are experienced in executing social engineering campaigns against various entities.
  • The scammers have the technical knowledge required to work with applications like RemoDroid, QuickSupport Application, AnyDesk, and other remote control applications.
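To show how a telecom abuse desk or a security team could triage incoming reminders shaped like the lure described above, the following Python is an added example written for this page, not CloudSEK's tooling or KSEB's. It treats the three contact numbers named in the report as indicators, and flags the other traits the TTPs describe: a claim to speak for the electricity board, a disconnection threat tied to a deadline, and a callback number that is not on an official helpline list. The official helpline value and the sample messages are constructed placeholders.

```python
"""Heuristic triage of SMS/WhatsApp lures shaped like the KSEB bill-payment scam.

Added example, not the report's or the board's code. KNOWN_SCAM_NUMBERS are the
three contact numbers named in the report; OFFICIAL_HELPLINES holds a constructed
placeholder, not a real KSEB number; SAMPLE_MESSAGES are constructed.
"""
import re

# Callback numbers named in the report as used by the actors.
KNOWN_SCAM_NUMBERS = {"7365038099", "8388924157", "7908919532"}

# Constructed placeholder: populate from the board's published helpline list.
OFFICIAL_HELPLINES = {"1800000000"}

# Ten-digit numbers, optionally prefixed with +91 / 91.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?91[\s-]?)?(\d{10})(?!\d)")
# A clock time ("9:30 p.m.", "9.30PM") used as a payment deadline.
TIME_RE = re.compile(r"\b\d{1,2}(?:[:.]\d{2})?\s*(?:a\.?m|p\.?m)\b", re.I)
# Other urgency cues that do not carry a clock time.
URGENCY_RE = re.compile(
    r"\b(?:tonight|today|immediately|within\s+\d+\s*(?:hours?|hrs?|minutes?|mins?))\b", re.I)
# Threat of losing supply.
OUTAGE_RE = re.compile(r"\b(?:disconnect\w*|outage|cut\s*off|switch(?:ed)?\s*off)\b", re.I)
# Claim to be, or to speak for, the electricity board.
BOARD_RE = re.compile(
    r"\b(?:kseb|electricity\s+(?:board|office|officer|department)|power\s+(?:board|office|officer))\b",
    re.I)


def triage_message(text):
    """Return (verdict, findings) for one message body.

    verdict is one of "likely_scam", "suspicious" or "benign"; findings lists
    the individual traits that were matched so an analyst can see why.
    """
    findings = []
    for num in PHONE_RE.findall(text):
        if num in KNOWN_SCAM_NUMBERS:
            findings.append("known_scam_number:" + num)
        elif num not in OFFICIAL_HELPLINES:
            findings.append("unlisted_callback_number:" + num)
    if TIME_RE.search(text) or URGENCY_RE.search(text):
        findings.append("deadline_pressure")
    if OUTAGE_RE.search(text):
        findings.append("outage_threat")
    if BOARD_RE.search(text):
        findings.append("claims_electricity_board")

    has_known = any(f.startswith("known_scam_number") for f in findings)
    has_unlisted = any(f.startswith("unlisted_callback_number") for f in findings)
    pressure = {"deadline_pressure", "outage_threat"} & set(findings)

    # A number already tied to the campaign is enough on its own; otherwise the
    # template shape (non-official callback plus a threat or deadline) decides.
    if has_known or (has_unlisted and pressure):
        verdict = "likely_scam"
    elif has_unlisted or len(pressure) == 2:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return verdict, findings


def triage_batch(messages):
    """Triage a list of message bodies; returns a list of (verdict, findings)."""
    return [triage_message(m) for m in messages]


# Constructed sample messages (not real customer traffic).
SAMPLE_MESSAGES = [
    # Lure in the shape the report describes, using a number named in the report.
    "Dear Consumer your electricity power will be disconnected tonight at 9.30 pm "
    "because your previous month bill was not updated. Please immediately contact "
    "electricity officer 7365038099. Thank you",
    # Genuine-looking reminder that only points to the placeholder official helpline.
    "KSEB: Bill for 07/2022 of Rs 840 is due on 15-08-2022. Pay via the official "
    "portal. Helpline 1800000000.",
    # Unrelated message with no scam traits.
    "Your OTP for login is 482193. Do not share it with anyone.",
    # Same template with an unlisted callback number (constructed placeholder).
    "Your power supply will be cut off today due to pending dues. Call officer on 9999999999.",
]

if __name__ == "__main__":
    for msg, (verdict, findings) in zip(SAMPLE_MESSAGES, triage_batch(SAMPLE_MESSAGES)):
        print(f"{verdict:12} {findings}  <- {msg[:60]}...")
```

The allowlist is what makes this useful in practice: once the board's real helpline numbers are loaded into OFFICIAL_HELPLINES, any message that pushes a different callback number together with a disconnection threat stands out, regardless of whether the number has been reported before.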

Impact & Mitigation

Impact
  • Financial loss to the victims.
  • PII can be exploited to conduct banking frauds and other social engineering attacks.
  • Third-party apps can be used to gain access to the victim’s device and alter details.
  • Actors were luring the victims to divulge the OTP in order to gain access to WhatsApp.
Mitigation
  • Send awareness notifications to customers about the official messages and helpline numbers.
  • Harden the payment portal for the customers to pay the dues.
  • Monitor cybercrime forums to understand the tactics used by actors.

Appendix

Figure: Geolocation information of the three contact numbers
Figure: Details of the case against 8388924157
Figure: Details of the case against 8388924157
Figure: Names associated with 7365038099
Figure: The number associated with the PAYTM fake campaign
Figure: Report on financial loss suffered by the victims of the campaign
Figure: Google Play reviews about the remote control Quick Support applications used by the scammers
