
FireEye Labs recently discovered a malicious phishing domain designed
to steal a variety of information – including credentials and mobile
numbers – from customers of several banks in India. Currently, we have
not observed this domain being used in any campaigns. The phishing
websites appear to be in the earlier stages of development and through
this post we hope users will be able to identify these types of
emerging threats in the future.

FireEye phishing detection technology identified a newly registered
domain, “csecurepay[.]com”, that was registered on Oct. 23, 2016. The
website purports to offer online payment gateway services, but is
actually a phishing website that leads to the capturing of victim logon
credentials – and other information – for multiple banks operating in
India.

Prior to publication, FireEye notified the Indian Computer Emergency
Response Team.

Phishing Template Presentation and Techniques

Step 1

URL: hxxp://csecurepay[.]com/load-cash-step2.aspx

When navigating to the URL, the domain appears to be a payment
gateway and requests that the user enter their bank account number and
the amount to be transferred, as seen in Figure 1. The victim is
allowed to choose their bank from a list that is provided.

Figure 1: Bank information being requested

By looking at the list, it is clear that only Indian banks are being
targeted at this time. A total of 26 banks are available and these are
named in the Appendix.

Step 2

URL: hxxp://csecurepay[.]com/PaymentConfirmation.aspx

The next website requests the victim to enter their valid 10-digit
mobile number and email ID (Figure 2), which makes the website appear
more legitimate.

Figure 2: Personal information being requested

Step 3

The victim will then be redirected to the spoofed online banking
page of the bank they selected, which requests that they log in using
their user name and password. Figure 3 shows a fake login page for
State Bank of India. See the Appendix for more banks that have spoofed
login pages.

Figure 3: Fake login page for State Bank of India

After entering their login credentials, the victim will be asked to
key in their One Time Password (OTP), as seen in Figure 4.

Figure 4: OTP being requested

Step 4

URL: hxxp://csecurepay[.]com/Final.aspx

Once all of the sensitive data is gathered, a fake failed login
message will be displayed to the victim, as seen in Figure 5.

Figure 5: Fake error message being displayed
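The four steps above give a defender two things to look for in web-proxy or DNS logs: any contact with the phishing domains, and a single client that walks the whole flow (gateway page, confirmation page, final page), which is the pattern of a victim who has most likely already submitted credentials and an OTP. The script below is an added illustration and not FireEye's or the post's own code. It uses only the defanged domains and URL paths quoted in the post; the log line format, the sample log lines, the client addresses and the step-3 path placeholder are constructed for the example (the post does not give the path of the per-bank spoofed login page).

```python
"""Scan constructed proxy log lines for the csecurepay phishing flow.

Added example, not code from the original post. Indicators are the
defanged values quoted in the post; the log format and sample lines
are constructed for this illustration.
"""
import re
from collections import defaultdict

# Indicators as quoted in the post (kept defanged; refang() makes them matchable).
DEFANGED_DOMAINS = ["csecurepay[.]com", "nsecurepay[.]com"]

# Ordered step paths given in the post. Step 3 (the per-bank spoofed login
# page) has no path in the post, so only these three are used.
STEP_PATHS = [
    "/load-cash-step2.aspx",      # step 1: fake payment gateway
    "/PaymentConfirmation.aspx",  # step 2: mobile number and email
    "/Final.aspx",                # step 4: fake failed-login message
]


def refang(indicator: str) -> str:
    """Turn 'hxxp://example[.]com' style indicators back into matchable form."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

# Constructed log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?#]*)?")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    u = URL_RE.match(m["url"])
    if not u:
        return None
    return {"ts": m["ts"], "client": m["client"],
            "host": u["host"].lower(), "path": u["path"] or "/"}


def host_matches(host):
    """Exact match or any subdomain of an indicator domain."""
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


def _in_order(paths):
    """True if STEP_PATHS occur as an ordered subsequence of a client's requests."""
    i = 0
    for p in paths:
        if i < len(STEP_PATHS) and p == STEP_PATHS[i]:
            i += 1
    return i == len(STEP_PATHS)


def scan(lines):
    """Return (hits, full_flow_clients).

    hits: (client, host, path) for every request to an indicator domain.
    full_flow_clients: clients that requested all listed step paths in order,
    i.e. likely victims whose credentials and OTP should be treated as exposed.
    """
    hits = []
    seen = defaultdict(list)  # client -> step paths requested, in log order
    for line in lines:
        rec = parse_line(line)
        if rec is None or not host_matches(rec["host"]):
            continue
        hits.append((rec["client"], rec["host"], rec["path"]))
        if rec["path"] in STEP_PATHS:
            seen[rec["client"]].append(rec["path"])
    full = sorted(c for c, paths in seen.items() if _in_order(paths))
    return hits, full


# Constructed sample log: 10.0.0.5 walks the full flow, 10.0.0.9 only opens
# the gateway page, 10.0.0.7 never touches an indicator, 10.0.0.11 hits a
# subdomain of the card-phishing domain.
SAMPLE_LOG = [
    "2016-10-24T09:00:01Z 10.0.0.5 GET http://csecurepay.com/load-cash-step2.aspx 200",
    "2016-10-24T09:00:40Z 10.0.0.5 POST http://csecurepay.com/PaymentConfirmation.aspx 200",
    "2016-10-24T09:01:15Z 10.0.0.5 GET http://csecurepay.com/bank-login-placeholder.aspx 200",
    "2016-10-24T09:02:30Z 10.0.0.5 POST http://csecurepay.com/Final.aspx 200",
    "2016-10-24T09:05:00Z 10.0.0.9 GET http://csecurepay.com/load-cash-step2.aspx 200",
    "2016-10-24T09:06:00Z 10.0.0.7 GET https://www.example.com/index.html 200",
    "2016-10-24T09:07:00Z 10.0.0.11 GET http://www.nsecurepay.com/ 200",
]

if __name__ == "__main__":
    hits, full = scan(SAMPLE_LOG)
    for h in hits:
        print("contact with indicator domain:", h)
    print("clients that completed the full flow:", full)
```

The full-flow check is an ordered subsequence match rather than an exact sequence, so extra requests between steps (images, the bank-specific login page, retries) do not hide a victim; a client that only reaches the gateway page is reported as a contact but not as a completed flow, which is the distinction a triage analyst wants when deciding whose credentials and OTP to treat as compromised.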

Credit and Debit Card Phishing Website

Using the registrant information from the csecurepay domain, we
found another domain registered by the phisher as “nsecurepay[.]com”.
The domain, registered in late August 2016, aims to steal credit and
debit card information.

The following are among the list of cards that are targeted:

1. ICICI Credit Card
2. ICICI Debit Card
3. Visa/Master Credit Card
4. Visa/Master Debit Card
5. SBI Debit Card Only

At the time of this writing, the nsecurepay website was producing
errors when redirecting to spoofed credit and debit card pages. Figure
6 shows the front end.

Figure 6: Nsecurepay front end

Conclusion

Phishing has its own development lifecycle. It usually starts off
with building the tools and developing the “hooks” for luring victims
into providing their financial information. Once the phishing website
(or websites) is fully operational, we typically begin to see a wave
of phishing emails pointing to it.

In this case, we see that phishing websites have been crafted to
spoof multiple banks in India. These attackers can potentially grab
sensitive online banking information and other personal data, and have
even built in handling for multifactor authentication and OTP. Moreover,
disguising the initial presentation to appear as an online payment
gateway service makes the phishing attack seem more legitimate.

FireEye Labs detects this phishing attack and customers will be
protected against the usage of these sites in possible future campaigns.

Appendix

Fake login pages were served for 26 banks. The following is a list
of some of the banks:

- Bank of Baroda – Corporate
- Bank of Baroda – Retail
- Bank of Maharashtra
- HDFC Bank

Figure 7: HDFC Bank fake login page

- ICICI Bank
- IDBI Bank
- Indian Bank
- IndusInd Bank
- Jammu and Kashmir Bank
- Kotak Bank
- Lakshmi Vilas Bank – Corporate
- Lakshmi Vilas Bank – Retail
- State Bank of Hyderabad
- State Bank of India
- State Bank of Jaipur
- State Bank of Mysore
- State Bank of Patiala
- State Bank of Bikaner
- State Bank of Travancore
- Tamilnad Mercantile Bank
- United Bank of India
