Online Shopping frauds in India

Executive Summary

Since October 2023, our threat intelligence team has been tracking online shopping frauds in India, targeting e-commerce platforms such as DMart, JioMart, Flipkart, Amazon, Tata Croma and Tata 1mg.

These deceptive websites lure users with substantial discounts, enticing offers, and prizes in an attempt to extract the user's Personally Identifiable Information (PII) and payment details. The phishing websites closely resemble authentic e-commerce websites.

Motive

The threat actors' motive is financial fraud and the harvesting of the user's Personally Identifiable Information (PII), including but not limited to:

  • The name and address
  • The contact number
  • Debit/Credit Card details

Technical analysis of online shopping fraud websites

In this section, we will explore a few of the online shopping frauds in India.

Phishing website #1 impersonating Flipkart

Figure 1 – Screenshot of the phishing website impersonating Flipkart

The deceptive website lures users with a too-good-to-be-true offer – a Tata Nexon car!

Figure 2 – The product page of the phishing website

Figure 3 – The page displays a list of prizes on offer

Figure 4 – The page provides instructions on how users can win the prizes

Figure 5 – The page displays a list of winners

Figure 6 – The page urges users to enter their contact number to verify if they have won a prize.

Figure 7 – The terms and conditions page of the phishing website

Figure 8 – Screenshot of the contact page on the phishing website.

Phishing website #2 impersonating Flipkart

Figure 9 – Screenshot of the phishing website #2 impersonating Flipkart

Figure 10 – Upon clicking on “Buy Now,” the user is prompted to enter their address

Figure 11 – The website accepts any details and prompts the user to continue

Figure 12 – The payment page prompts the user to select a payment method

Figure 13 – The website generates a fake order ID and prompts the user to make the payment using UPI

Phishing website impersonating Amazon

Figure 14 – Screenshot of the phishing website impersonating Amazon

Figure 15 – The product page of the phishing website

Clicking on “MORE DETAILS” redirects the user to the next page, where they are prompted to purchase the device.

Figure 16 – Upon clicking “BUY NOW,” the user is redirected to the authentic Amazon site.

Phishing website #1 impersonating DMart

Figure 17 – Screenshot of the phishing website impersonating DMart

Figure 18 – Screenshot of the “ORDER NOW” page of the phishing website

Figure 19 – The Shopping Cart of the phishing website

Figure 20 – Payment page requiring the user's PII and payment details

Figure 21 – After clicking on “Pay,” the user is redirected to another page, which displays a message.

Phishing website #2 impersonating DMart

Figure 22 – Screenshot of the phishing website #2 impersonating DMart

Figure 23 – Login page on the phishing website

The website displays an error when attempting to log in with invalid credentials.

Figure 24 – Create account page on the phishing website

The phishing website accepts any details and allows the user to log in without email verification.

Figure 25 – Shopping cart on the phishing website

Figure 26 – The payment page prompts the user for PII details

After the user enters the details, selects the payment method and submits the form, the website throws the error “Client_id Missing From The Provided Configuration. Please Add Your Application Client_id.”

Phishing website #3 impersonating DMart

Figure 27 – Screenshot of the phishing website impersonating DMart

Figure 28 – After choosing the product, the user is redirected to the cart.

Figure 29 – The Billing Details page prompts the user to enter their PII details and card details

Figure 30 – The billing page accepts any details.

The phishing website prompts the user to download a DMart APK to finalize the pending order.

Figure 31 – VirusTotal identifies the APK from the phishing website as malicious

Phishing website impersonating Tata Croma Electronics

Figure 32 – Screenshot of the home page of the phishing website impersonating the Croma store

Figure 33 – Screenshot of the products page of the phishing website

Figure 34 – Upon selecting “Buy Now,” the user is prompted to enter PII and payment details.

Phishing website impersonating JioMart franchisee application website

Figure 35 – Screenshot of the phishing website impersonating JioMart franchisee application website

Figure 36 – After clicking on “Apply Now,” the user is prompted to fill out a form.

Figure 37 – After the user submits the form, the user is informed that their application was successful and a representative will contact them soon.

Phishing website impersonating JioMart

Figure 38 – Screenshot of the phishing website impersonating JioMart

Figure 39 – After clicking on “Buy,” the user is asked to proceed to the payment page

Figure 40 – The payment page prompts the user to enter their personal details and credit card information.

Figure 41 – The payment page accepts false details and asks the user to confirm their order

After confirming, the website prompts the user to download a JioMart APK.

APK – The Android Package, with the file extension .apk, is the file format used by the Android operating system.

Figure 42 – The APK is flagged by VirusTotal as Android.Riskware.TestKey.rA, Trojan-Spy.AndroidOS.Banker and Android.PUA.DebugKey

Phishing website #1 impersonating Tata 1mg

Figure 43 – Screenshot of the phishing website impersonating TATA 1mg pharmacy

The website prompts the user to apply for the TATA 1mg pharmacy franchise.

Figure 44 – Clicking on “Apply Here” prompts the user to enter their PII details.

Upon submitting the details on the “Apply Now” page, the user receives a “Successfully Applied” message.

Phishing website #2 impersonating Tata 1mg

Figure 45 – Screenshot of the phishing website impersonating TATA 1mg

The phishing website prompts the user to apply for the TATA 1mg pharma franchise.

Figure 46 – After clicking on “APPLY NOW,” the user is prompted to enter their PII details.

Upon submitting the details, the user is greeted with a message informing them that their information has been successfully added.

Safety Recommendations

  1. Purchase products directly from the official website of the brand or from recommended authorized retailers.
  2. Research the seller before purchasing the product.
  3. Be cautious of purchasing products from websites offering prices significantly lower than those on the official website, or offering free coupons/items.
  4. If you become a victim of cybercrime, particularly financial crime, call the national (India) cybercrime helpline 1930 or file a complaint at https://cybercrime.gov.in/

Conclusion

Online shopping frauds in India are on the rise. Threat actors are impersonating not only the online shopping platforms in India but also targeting business users who are interested in operating a franchise store of popular brands.

Interested in monitoring your brand on the Internet?

Please send us an email at info@shreshtait.com for early-bird access to our brand monitoring product.
