BENGALURU: Cybercriminals are continually refining their tactics to evade detection and maximize their haul of sensitive information. Recent trends indicate a shift away from brand logos and brand-impersonating phishing websites toward more discreet and direct approaches, particularly in the lucrative realm of India’s Banking, Financial Services, and Insurance (BFSI) sector.
A Closer Look at the Scam
Recently, the Bolster Research team conducted a study that uncovered a series of phishing pages. These pages masqueraded as legitimate UPI (Unified Payments Interface) Gateway and recharge service providers while also enticing potential victims with opportunities as retailers and dealerships. However, beneath the facade of legitimate services lurked a nefarious operation aimed at illicitly acquiring personal information, including email addresses, phone numbers, PAN (Permanent Account Number), and Aadhaar Card numbers.
Such stolen data opens the door to a wide range of fraudulent activities, including identity theft and financial fraud.
Possible PAN and Aadhaar Card Scams
According to recent reports, several scammers have been apprehended for illicitly acquiring and selling the PAN and Aadhaar cards of numerous users. It’s plausible that the exposed phishing campaign was one of the methods used to facilitate these illegal activities.
A Shift in Phishing Tactics
Traditionally, scammers relied on impersonating recognized brands, creating fake websites with logos and brand names to deceive victims. These counterfeit sites were typically detectable using AI tools that analyzed logo patterns and text resemblances or employed computer vision hashing. However, the latest wave of phishing campaigns indicates a significant shift in tactics.
Rather than mimic well-known brands, threat actors are now masquerading as legitimate businesses, convincing users to divulge personal information, such as Aadhaar Card numbers, PAN numbers, business names, email addresses, and phone numbers. Armed with this information, fraudsters can launch manipulative social engineering attacks against individuals.
The Bolster Research Findings
The Bolster research team made several key findings during their investigation:
- Small Businesses and Local Vendors Targeted: The scams primarily target small businesses and local vendors transitioning to digital transactions but lacking familiarity with payment gateway services.
- Templates and Subscription Models: Over 150 active phishing websites were identified, all using one of three templates and offering similar services. These sites often operate on a subscription model and collect personal information during the registration process.
- Similar to Old Scam Campaigns: Some of these websites are associated with previous scam campaigns, such as the Aadhaar printing scam and UPI reward scam.
- Phishing Kits: The research identified a phishing kit used to create specific phishing websites.
Types of Phishing Websites
The investigation revealed three primary types of phishing websites:
- Impersonating UPI Payment Gateway: These sites offer services like webhook integration, UPI transactions, and bank transactions under a subscription-based model.
- Impersonating UPI123: These sites do not initially request personal information but later demand payment for subscriptions.
- Using Trusted Brand Names: Some phishing websites employ the names of popular UPI wallet and gateway vendors to gain victims’ trust.
Safeguarding Against Phishing
As phishing techniques continue to evolve, it is crucial to implement strategies to protect against these threats:
- Avoid Sharing Sensitive Information: Do not share your Aadhaar number (both 12-digit and 16-digit virtual versions) and PAN number with unfamiliar or unauthorized parties.
- Specify Purpose and Date: When providing photocopies of your Aadhaar and PAN, always specify the purpose and date on the copies, and ensure they are self-attested.
- Secure Your Aadhaar: Visit https://myaadhaar.uidai.gov.in/lock-unlock-aadhaar to generate a 16-digit virtual ID and lock/unlock your Aadhaar details.
- Register Contact Information: Ensure your mobile number and email ID are registered with UIDAI to receive notifications of any Aadhaar verification attempts.
- Official Updates: For updates or changes to personal details, only approach an official Aadhaar and PAN enrollment center.
In an era of rapidly evolving cyber threats, vigilance and caution are our best defenses against falling victim to these sophisticated phishing campaigns. It is essential for individuals and businesses to stay informed and take proactive measures to protect their sensitive data.