Phishing Campaign targeting State Bank of India users

Shreshta Threat Intelligence has uncovered a massive phishing campaign targeting State Bank of India users. 

State Bank of India (SBI) is an Indian multinational public sector bank and financial services statutory body headquartered in Mumbai, Maharashtra. SBI is the 48th largest bank in the world by total assets and ranked 221st in the Fortune Global 500 list of the world’s biggest corporations of 2020, being the only Indian bank on the list.¹

State Bank of India users have been a common prey of phishing attacks

The phishing campaign is targeting  State Bank of India users. This campaign involves sending phishing URLs to users via various channels such as email, SMS and WhatsApp. 

The phishing websites are lazily crafted, containing images from the official login page of State Bank of India website. We believe the phishing websites are specifically designed for mobile banking, as evident from the structure and design of the website.

Motive

The motive of the threat actors is to harvest the Personally Identifiable Information (PII) of the user, specifically, the user’s Internet banking credentials, Aadhar Card number, PAN card number and date of birth. 

State Bank of India Phishing campaign Technical Analysis

Phishing websites impersonating State Bank Of India

Figure 1 – Screenshot of the phishing website impersonating State Bank of India.

Notably, a large part of the phishing website has been developed by using images from the official website – https://www.onlinesbi.sbi/

Figure 2 –  The SBI logo and the settings menu are included as an image.

Figure 3 – Security instructions included in the phishing website are also in the form of an image

After clicking on the “Continue to Login” button, the user is redirected to a login page.

Figure 4 – Screenshot of the login page on the phishing website 

Figure 5 – The Image CAPTCHA (image verification)Captcha and the Audio CAPTCHA don’t work since they are mere placeholder images

Figure 6 – New User and Forgot Username and Password links don’t work because they are placeholder images 

After the user submits their internet banking login credentials, the user is redirected to the OTP request page.

Figure 8 – Image screenshot of the OTP page.

Figure 10 – The “Click here to resend the OTP” is an image

• • Figure 11 The phishing page prompts the user to enter their account holder name and date of birth.

Figure 12 – After the user enters the account holder name and the date of birth, an OTP page is presented to the user

Figure 13 – The phishing website then redirects, prompting the user to enter their full name as per their PAN card and their PAN card number

Figure 15 – The page prompts the user to enter their Aadhaar number and their full name as per the Aadhaar card.

Figure 16 – This page prompts the user to enter the OTP 

Figure 17 – After submitting the OTP, the phishing website indicates that it is verifying the details, but after some time it times out. 

Safety Recommendations

1.  An SMS/email/Whatsapp message with a tone of urgency should be dealt with with extreme caution. This is true, especially in the case of any message from the bank.

    

2. Always reach out directly to the bank and verify suspicious messages/emails before taking any action.

    

3. If you become a victim of cybercrime, particularly financial crime, call  the national (India) cybercrime helpline 1930 or file a complaint at https://cybercrime.gov.in/

    

4. Shreshta Protective DNS blocks phishing, malware and other malicious communication in real-time. For enterprises, please email info@shreshtait.com for a free 30-day trial. 

Conclusion

With the growing cyber threat landscape, it’s important to stay vigilant and not fall prey to phishing scams.  Threat actors continue to operate phishing campaigns at scale   

Free 30-day trial of our threat intelligence

Threat actors constantly optimise and evolve their attacks to steal credentials and data and infiltrate networks. Our threat intelligence feeds are highly actionable and curated to protect against phishing, malware, C2 and newly registered domain names. 

Interested? Please send us an email to info@shreshtait.com for a free 30-day trial. 

Swapneel Patnekar

Website | + posts

• Swapneel Patnekar

  https://shreshtait.com/blog/author/pswapneel/

  ShadowFindr – Uncover domain shadowing attacks
• Swapneel Patnekar

  https://shreshtait.com/blog/author/pswapneel/

  Domain shadowing
• Swapneel Patnekar

  https://shreshtait.com/blog/author/pswapneel/

  Web shell – A primer
• Swapneel Patnekar

  https://shreshtait.com/blog/author/pswapneel/

  DNS KeyTrap vulnerability

Pranay Patil

Website | + posts

• Pranay Patil

  https://shreshtait.com/blog/author/pranay/

  Web shell – A primer
• Pranay Patil

  https://shreshtait.com/blog/author/pranay/

  The rise of phishing attacks targeting Adobe users in India
• Pranay Patil

  https://shreshtait.com/blog/author/pranay/

  HDFC Bank customers targeted by a sophisticated Phishing Scam
• Pranay Patil

  https://shreshtait.com/blog/author/pranay/

  Threat actors targeting Indian citizens