The Indian Computer Emergency Response Team (CERT-IN) under the Ministry of Electronics and Information Technology is warning Indian citizens about a new type of cyberattack that is targeting online banking.
CERT-In issued an advisory stating that attackers are using ‘Ngrok’ platform to host phishing websites that look like internet banking websites of popular banks in India.
You may get a message like “Dear customer, your xxx bank account will be suspended! Please Re KYC Verification Update click here link http://446bdf227fc4.ngrok.io/xxxbank”
The moment you click on this link to login to your internet banking account, your online banking login details and mobile number may be stolen to carry out fraud money transfers.
Once stolen, the scammer generates OTP by entering your details on the actual online banking website which gets delivered to your phone number. Now, the victim unknowingly enters the same OTP on the phishing website, thus giving away the real OTP to the scammer.
For stealing money, the SMS text may be changed to fetch OTPs in a similar way. Here are the seven types of links that you should avoid clicking.
The name of the bank is mentioned at the end of the link
A sample phishing link may look like “http:// 1a4fa3e03758. ngrok [.] io/xxxbank”. The XXX part could be the name of the bank, which is mentioned at the end. The link never starts with the name of the bank like it usually does for authentic websites.
There may be a KYC element in the link to fool users
In order to fool users into clicking the malicious link, you may get a ‘Ngrok’ link that includes the term ‘full KYC’. For example, one possible link could be http://1e2cded18ece.ngrok[.]io/xxxbank/full-kyc.php
The fake links are mostly based on HTTP protocol and not HTTPS
Most links will appear like this one: “http://1d68ab24386.ngrok[.]io/xxxbank/” and it will be based on HTTP protocol. Remember HTTPS is more secure than HTTP and all banking websites are based on HTTPS protocol.
Some Ngrok links are also based on HTTPS protocol too
Some fake links may appear like “https://05388db121b8.sa.ngrok[.]io/xxxbank/” based on HTTPS protocol. However, the name of the bank is always mentioned at the end of the link.
Most fake links will have random numbers and letters
Phishing websites will mostly have links that look like “http://1e61c47328d5.ngrok[.]io/xxxbank” or some variations of this. It’s always a mix of letters and numbers.
Fake online banking links may be shortened as well
You may receive SMS that may come with a short link. However, on clicking it, you will see the link expanding to something like this: “https://0936734b982b.ngrok[.]io/xxxbank/”. Note that this is another variant of the phishing link.
The same link may appear with a different bank name
You may get a similar link like “https://0e552ef5b876.ngrok[.]io/xxxbank/” with different bank names simultaneously.
