Phishing targeting HDFC Bank customers

Security researchers at Shreshta IT, using our threat intelligence platform SDINET, have identified a phishing website and Android app targeting HDFC Bank customers.

About HDFC Bank Limited

HDFC Bank Limited is an Indian banking and financial services company headquartered in Mumbai. It is India’s largest private sector bank by assets and the world’s 10th largest bank by market capitalisation as of April 2021. With a market capitalisation of $122.50 billion, it is the third largest company on the Indian stock exchanges. It is also the fifteenth largest employer in India, with nearly 150,000 employees.

Image – Phishing website https://hdfcrewwaards[.]in

Modus Operandi (MO)

  • Attackers send the phishing website link to users via SMS and WhatsApp.
  • The phishing website lures users into clicking the download link with an intriguing message: “Congratulations Your Card has Been Approved”.
  • Clicking the download link downloads the file hdfc-points.apk (an Android application).
  • The user opens the file hdfc-points.apk, which starts the app installation.
  • Depending on its configuration and settings, Android prompts the user to cancel or to open settings and allow installation from unknown apps.
  • Once the user enables “Allow from this source”, the app is successfully installed.
  • The user opens the installed app, which prompts the user to allow Notification access.
  • Once notification access has been granted, the app loads and displays a form asking the user to enter Personally Identifiable Information (PII), including card details, CVV etc.

Motive – Financial fraud

Image – Phishing Android app targeting HDFC Bank

Threat Indicators Summary

  • hdfcrewwaards[.]in was created on 2022-09-29
    Domain name registrar – Endurance Digital Domain Technology LLP
  • hdfcrewwaards[.]in resolves to 119.18.54.110
  • 119.18.54.110 belongs to AS394695
  • hdfc-points.apk – sha256 hash : dd9a950964ea2f8359f7d2c6733c1a1ffcb60c5e2d028ba1f5977bd3500fdcd2

Neither the hash of the APK nor the domain name hdfcrewwaards[.]in provides any security insights on VirusTotal.

Image – Hash of phishing Android app hdfc-points.apk on VirusTotal
Image – Search of phishing website hdfcrewwaards[.]in on VirusTotal
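The indicators and delivery pattern above can be checked against web proxy logs. The following is an added example, not Shreshta's or SDINET's code. The log format, the sample lines, the allow-list and the `brand-apk` heuristic (which goes beyond the listed indicators) are assumptions constructed for illustration.

```python
# Indicators from this page's "Threat Indicators Summary", defanged as published.
IOC_DOMAINS = {"hdfcrewwaards[.]in"}
IOC_IPS = {"119.18.54.110"}
IOC_SHA256 = {"dd9a950964ea2f8359f7d2c6733c1a1ffcb60c5e2d028ba1f5977bd3500fdcd2"}
# Assumptions: allow-list of genuine bank domains and the brand keyword to watch.
ALLOWED = {"hdfcbank.com"}
BRAND = "hdfc"

# Constructed sample log: timestamp client host dest_ip path sha256-of-download
SAMPLE_LOG = """\
2022-10-01T09:12:03Z 10.0.0.21 hdfcrewwaards.in 119.18.54.110 /hdfc-points.apk dd9a950964ea2f8359f7d2c6733c1a1ffcb60c5e2d028ba1f5977bd3500fdcd2
2022-10-01T09:13:40Z 10.0.0.22 www.hdfcbank.com 203.0.113.10 /index.html -
2022-10-01T09:15:02Z 10.0.0.23 hdfc-offers.example 198.51.100.7 /rewards.apk?id=7 -
2022-10-01T09:16:55Z 10.0.0.24 cdn.example 119.18.54.110 /a.js -
"""

def refang(value):
    """Turn a defanged indicator (hxxp, [.]) back into its matchable form."""
    return value.replace("[.]", ".").replace("hxxp", "http").lower()

def in_zone(host, zones):
    """True if host equals, or is a subdomain of, any domain in zones."""
    return any(host == z or host.endswith("." + z) for z in zones)

def classify(line):
    """Return the list of reasons a log line is suspicious (empty if none)."""
    parts = line.split()
    if len(parts) != 6:  # malformed line: skip rather than crash the scan
        return []
    _ts, _client, host, dest_ip, path, sha256 = parts
    host = host.lower().rstrip(".")
    is_apk = path.split("?")[0].lower().endswith(".apk")
    reasons = []
    if in_zone(host, {refang(d) for d in IOC_DOMAINS}):
        reasons.append("ioc-domain")
    if dest_ip in IOC_IPS:  # weak alone: one IP can host many unrelated sites
        reasons.append("ioc-ip")
    if sha256.lower() in IOC_SHA256:
        reasons.append("ioc-hash")
    if is_apk and BRAND in host and not in_zone(host, ALLOWED):
        reasons.append("brand-apk")  # heuristic: brand-named host serving an APK
    return reasons

def scan(log_text):
    """Map 1-based line numbers to their reasons, for flagged lines only."""
    hits = {n: classify(l) for n, l in enumerate(log_text.splitlines(), 1)}
    return {n: r for n, r in hits.items() if r}

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG).items():
        print(number, ", ".join(reasons))
```

Because the page reports no VirusTotal results for either indicator, the `brand-apk` rule is the part that still fires when the attacker rotates to a new domain or rebuilds the APK.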

At the time of writing, our security researchers are continuously monitoring our threat intelligence platform SDINET to map the attacker’s infrastructure, phishing websites and malicious domain names.

While phishing websites targeting banks are pretty standard, the attacker’s method of building a phishing website and Android app targeting HDFC Bank customers is certainly a novel one among those we’ve observed.
