Phishing targeting HDFC Bank customers

Threat researchers at Shreshta have identified a phishing website and Android app targeting HDFC Bank customers.

About HDFC Bank Limited

HDFC Bank Limited is an Indian banking and financial services company headquartered in Mumbai. It is India’s largest private sector bank by assets and the world’s 10th largest bank by market capitalisation as of April 2021. It is the third largest company on the Indian stock exchanges by market capitalisation, at $122.50 billion. It is also the fifteenth largest employer in India, with nearly 150,000 employees [1].

Image – Phishing website https://hdfcrewwaards[.]in

Modus Operandi (MO)

  • Attackers send the phishing website link to users via SMS and WhatsApp.
  • The phishing website lures users into clicking the download link with an intriguing message: “Congratulations Your Card has Been Approved”
  • Clicking on the download link downloads the file hdfc-points.apk (an Android application)
  • The user opens the file hdfc-points.apk, which starts the app installation
  • Android OS, depending on configuration and settings, prompts the user to cancel or to open settings and allow installation from unknown apps
  • Once the user enables “Allow from this source”, the app is successfully installed
  • The user opens the installed app, which prompts the user to allow Notification access
  • Once notification access has been granted, the app loads and displays a form asking the user to enter Personally Identifiable Information (PII), including card details, CVV etc.

Motive – Financial fraud

Phishing website of HDFC Bank Credit card.

Mobile screen showing option to install app from unknown sources.

Fake HDFC Bank credit card installation screen on Android

Fake HDFC Bank credit card requesting permissions on Android.

Fake HDFC Bank credit card asking the user to enter their personal information

Threat Indicators Summary

  • hdfcrewwaards[.]in was created on 2022-09-29
    Domain name registrar – Endurance Digital Domain Technology LLP
  • hdfcrewwaards[.]in resolves to 119.18.54.110
  • 119.18.54.110 belongs to AS394695
  • hdfc-points.apk – sha256 hash : dd9a950964ea2f8359f7d2c6733c1a1ffcb60c5e2d028ba1f5977bd3500fdcd2

Neither the hash of the APK nor the domain name hdfcrewwaards[.]in is flagged on VirusTotal; both show as clean.

Hash of phishing android app hdfc-points.apk on VirusTotal showing as clean
Search of phishing website hdfcrewwaards[.]in on VirusTotal showing as clean
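
Since reputation lookups return nothing for these indicators, defenders can match them directly in web proxy logs and also flag sibling lookalike domains that misspell a lure word next to the brand name. The following is an added example, not part of the original report; the log format, allowlist, lure-word list, threshold, timestamps, URL paths and the `.example` domain are assumptions constructed for illustration.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Indicators from this report, kept defanged in source and re-fanged for matching.
IOC_DOMAINS = {"hdfcrewwaards[.]in".replace("[.]", ".")}
IOC_IPS = {"119.18.54.110"}
BRAND = "hdfc"
LURE_WORDS = ("rewards", "points", "card")  # assumption: lure vocabulary
ALLOWED = ("hdfcbank.com",)                 # assumption: defender's own allowlist
THRESHOLD = 0.8                             # assumption: tune on your own traffic

def lookalike_score(label):
    """Best fuzzy similarity between a lure word and the label minus the brand."""
    rest = "".join(c for c in label.replace(BRAND, "", 1) if c.isalnum())
    return max(SequenceMatcher(None, rest, w).ratio() for w in LURE_WORDS)

def classify(line):
    """Return the reasons a 'ts client dest_ip url' proxy line is suspicious."""
    _ts, _client, dest_ip, url = line.split()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    allowed = any(host == d or host.endswith("." + d) for d in ALLOWED)
    reasons = []
    if host in IOC_DOMAINS:
        reasons.append("ioc-domain")
    if dest_ip in IOC_IPS:
        reasons.append("ioc-ip")
    if BRAND in host and not allowed:
        # Score the host label that carries the brand string.
        label = next(l for l in host.split(".") if BRAND in l)
        if lookalike_score(label) >= THRESHOLD:
            reasons.append("brand-lookalike")
    if parts.path.lower().endswith(".apk") and not allowed:
        reasons.append("apk-download")
    return reasons

DOMAIN = next(iter(IOC_DOMAINS))
SAMPLE_LOG = [  # constructed lines; only the domain, IP and file name come from the report
    f"2022-10-03T10:15:02Z 10.0.0.21 119.18.54.110 https://{DOMAIN}/",
    f"2022-10-03T10:15:09Z 10.0.0.21 119.18.54.110 https://{DOMAIN}/hdfc-points.apk",
    "2022-10-03T10:16:40Z 10.0.0.34 203.0.113.7 https://hdfcrewardz.example/login",
    "2022-10-03T10:17:00Z 10.0.0.35 198.51.100.9 https://www.hdfcbank.com/",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry) or ["ok"], entry)
```

The third sample line is not in any indicator list and is caught only by the lookalike heuristic, which is the case that matters when a campaign rotates domains.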

At the time of writing this, our threat researchers are continuously monitoring and mapping infrastructure, phishing websites and malicious domain names of the attacker.

While phishing websites targeting banks are pretty standard, the attacker’s method of combining a phishing website with an Android app to target HDFC Bank customers is certainly a novel one among those we’ve observed.
