NEW DELHI: On June 10 at around 6 PM, a couple of media companies reported news of a hack of the CoWIN app. The story was picked up from a social media site. The concerned authorities have acknowledged the reports and are having them investigated. Their prima facie observation: CoWIN has not been breached.
Our Observations and Findings:
After examining an initial sample of the data, our prima facie finding is that it originates from the fake CoWIN apps that circulated when the government opened vaccination to the 18+ age group.
The sample data contains only names and mobile numbers.
During the initial days, CoWIN had major technical glitches handling the huge incoming traffic load, and much of the time OTPs did not arrive at all.
Taking advantage of the public's urgency to register on the CoWIN portal for vaccination, cyber fraudsters devised a new method to collect PII and trap users.
They released quite a few malicious apps, e.g. “Covid-19.apk, vaci_regis.apk, myvaccine_v2.apk, cov-regis.apk, vccin-apply.apk”.
Modus Operandi of these Fake Apps
This was a form of smishing (SMS phishing), i.e. it worked through SMS. Most of the apps shared the following features:
1. Circulation through SMS: once the SMS reached the inbox of a handset and the embedded link was clicked, the app was installed and collected the complete address book, which was then used for further propagation, and so on.
2. Clicking the link received through SMS installed a small app on the phone. Important point to note: none of these apps were on the Play Store; they were hosted on temporary sites.
3. Functionally, the app asked the user to key in a mobile number to receive an OTP. A few seconds after the number was entered, the app displayed an OTP that it had generated itself. This is how the mobile numbers were collected, and accuracy was high because people entered genuine numbers. For cross-verification, the app would then report “OTP expired, please try again”; people would key in another number (many people now have more than one mobile number) and try again.
This way they collected the maximum number of mobile numbers.
4. With the mobile numbers in hand, they mapped them to actual names, which is straightforward since most of that data is already available.
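The modus operandi above gives a SOC or telecom abuse team two concrete things to look for: an SMS that pushes a side-loaded APK under a vaccination lure, and an installed app that holds the address-book-plus-SMS permission pair needed to propagate. The following Python triage helpers are an added example written for this page, not code from Armantec or from the apps themselves. The APK file names are the ones listed in the article; every sender text, host, URL and the manifest are constructed placeholders, and the trusted-host list and the choice of `READ_CONTACTS` + `SEND_SMS` as the worm indicator are assumptions inferred from the behaviour described, not details the article states.

```python
"""Triage helpers for the SMS-borne fake-CoWIN APK campaign.

Constructed sample data: the APK file names are the ones named in the article;
every sender text, host, URL and the manifest below is an invented placeholder.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from urllib.parse import urlparse

# APK names listed in the article (compared case-insensitively).
KNOWN_APK_NAMES = {
    "covid-19.apk", "vaci_regis.apk", "myvaccine_v2.apk",
    "cov-regis.apk", "vccin-apply.apk",
}
# Hosts a genuine vaccination message may legitimately link to.
# Assumption for this example; a real deployment would maintain its own list.
TRUSTED_HOSTS = {"cowin.gov.in", "selfregistration.cowin.gov.in", "play.google.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
LURE_RE = re.compile(r"vaccin|cowin|covid|regist", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Assumed permission pair that gives an app the worm capability the article
# describes: read the address book, then message every contact.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
WORM_PERMISSIONS = {"android.permission.READ_CONTACTS", "android.permission.SEND_SMS"}


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def triage_sms(body: str) -> Verdict:
    """Flag an SMS that pushes a side-loaded APK under a vaccination lure."""
    reasons = []
    for url in URL_RE.findall(body):
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        filename = parts.path.rsplit("/", 1)[-1].lower()
        if filename in KNOWN_APK_NAMES:
            reasons.append(f"known campaign APK name: {filename}")
        elif filename.endswith(".apk") and host not in TRUSTED_HOSTS:
            reasons.append(f"APK offered from outside the Play Store: {host}")
        if IPV4_RE.match(host):
            reasons.append(f"link to a bare IP address: {host}")
        if host not in TRUSTED_HOSTS and LURE_RE.search(body):
            reasons.append(f"vaccination lure text with an untrusted link: {host}")
    return Verdict(bool(reasons), reasons)


def worm_permissions(manifest_xml: str) -> set:
    """Return the subset of WORM_PERMISSIONS declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    declared = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return declared & WORM_PERMISSIONS


# --- constructed samples (not real messages or a real app) ----------------
SAMPLE_SMS = [
    "Register for COVID vaccine 18+ now, download app: http://203.0.113.7/vaci_regis.apk",
    "CoWIN slot open! Install http://vaccine-regis.example/files/myapp.apk to book",
    "Your CoWIN OTP is 482913. Do not share it with anyone.",
    "Book your slot at https://selfregistration.cowin.gov.in/",
]

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeregis">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        verdict = triage_sms(sms)
        print("SUSPICIOUS" if verdict.suspicious else "ok        ", sms[:60], verdict.reasons)
    print("worm permissions:", sorted(worm_permissions(SAMPLE_MANIFEST)))
```

The SMS rule deliberately lets a genuine OTP message and a link to the real portal through: the signal is not the vaccination wording alone but the combination of that wording with a download from an untrusted host, exactly the pattern the campaign relied on. The manifest check is the complementary host-side test for an app that is already installed.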
This was brought to the notice of the Indian CERT (CERT-In) and the concerned authorities, who had already issued a warning about this new kind of scam on 8 May 2021.
Motives: With the above compilation, fraudsters could assemble a “genuine-looking data set” and began trying to sell it on the dark web. Apart from other motives, the main one is duping marketing companies, who are always looking for precise customer databases for their targeted marketing strategies.
Conclusion: Cyber fraudsters compiled the data by duping gullible and desperate users, and then tried to sell it.
Case Study by: RED Team of Armantec, led by Shamsher Bahadur – Cyber Security Practice Head.
This article was submitted by Armantec Systems Pvt Ltd (www.armantecsystems.com), a Noida-based threat intelligence and RED teaming consulting firm with a primary focus on custom ransomware attack solutions for Critical Information Infrastructures (CIIs).