Phishing websites created by cybercriminals spoofed 26 Indian banks in order to steal personal information

Congress Vice President Rahul Gandhi’s Twitter account was hacked and some expletives-laden tweets were posted. A day later, Congress Party’s official Twitter account got breached.

“In either of the cases I am certain there is more data in the hands of the hackers than just account access that might be released in due course of time,” said Saket Modi, co-founder of cybersecurity start-up Lucideus Tech.

At a time when an increasing number of Indians are going digital and doing transactions online, these hacking incidents expose the country's cybersecurity vulnerabilities.

In India, cybercrime cases registered under the Information Technology (IT) Act, 2000 surged by about 350 per cent between 2011 and 2014, according to a joint study by The Associated Chambers of Commerce and Industry of India and consulting firm PricewaterhouseCoopers.

Mr. Modi of Lucideus said the hacking of the social media accounts of Mr. Gandhi and the Congress Party could be the work of backdoor malware present on a computer system from which both accounts might have been accessed. He said it could also be a prolonged, persistent and targeted attack known as 'spear phishing': an e-mail spoofing fraud attempt that targets a specific organisation or individual in order to gain unauthorised access to confidential data.

Spoofing banks

Researchers in India at cybersecurity company FireEye discovered phishing websites created by cybercriminals that spoof 26 Indian banks in order to steal personal information from customers. FireEye said that it has notified the Indian Computer Emergency Response Team.

“Criminals follow the money, and as more Indians embrace online banking, criminals followed them online,” said Vishak Raman, Senior Director for India and SAARC at FireEye, in a statement. He said that as the digital economy grows, consumers should be aware of the risks that accompany the convenience. The ease of online payments, he said, opens new avenues for criminals to trick consumers into divulging their own sensitive banking information.

For instance, FireEye said it had identified a new domain (csecurepay.com), registered in October this year, that appears to be an online payment gateway. It is actually a phishing website that captures customer information for 26 banks operating in India. The company said that in this phishing attack, victims are asked to enter their account number, mobile number, email address, one-time password and other details.

Once the information is collected, the website displays a fake failed login message to the victim. The phishing site served fake logins from 26 banks, including large banks such as ICICI, HDFC and State Bank of India, according to FireEye.

Using the registration details of this domain, FireEye security researchers identified a second domain (nsecurepay.com) registered by the same attacker in August. This domain appears to have been created to steal credit and debit card details, including ICICI, Citibank, Visa, MasterCard and SBI debit card details. But it was observed to be producing errors at the time of discovery, according to FireEye.
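The two steps FireEye describes above, pivoting from one confirmed phishing domain to others sharing its registration details and then watching for those domains in traffic, can be turned into a small defender-side triage script. The following is an added example, not FireEye's tooling or code from the report: the only values taken from the article are the two domain names (csecurepay.com and nsecurepay.com); the registration records and the DNS query-log lines are constructed here, and the registrant e-mail addresses are placeholders, not real registration data.

```python
"""Defender-side triage for phishing payment-gateway domains.

Added example, not FireEye's tooling. Registration records and DNS log
lines are constructed; registrant values are placeholders.
"""
import re
from collections import defaultdict

# Constructed registration records. Only the two domain names are from
# the FireEye report; the registrant e-mail addresses are placeholders.
REGISTRATIONS = [
    {"domain": "csecurepay.com",
     "registrant_email": "registrant-placeholder@example.invalid"},
    {"domain": "nsecurepay.com",
     "registrant_email": "registrant-placeholder@example.invalid"},
    {"domain": "example-bank.test",
     "registrant_email": "dns-admin@example-bank.test"},
]

# Constructed resolver log lines in a BIND-style query-log format.
DNS_LOG = """\
01-Nov-2016 10:14:02.117 client 10.0.0.21#51234: query: csecurepay.com IN A + (10.0.0.2)
01-Nov-2016 10:14:05.402 client 10.0.0.21#51240: query: www.example-bank.test IN A + (10.0.0.2)
01-Nov-2016 10:16:11.008 client 10.0.0.34#40211: query: login.nsecurepay.com IN A + (10.0.0.2)
01-Nov-2016 10:17:45.550 client 10.0.0.50#40300: query: update.example.test IN AAAA + (10.0.0.2)
"""

QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def pivot_on_registrant(records):
    """Group domains that share registrant contact details.

    This is the pivot FireEye describes: the registration details of one
    confirmed phishing domain expose further domains by the same registrant.
    Returns {registrant_email: [domains]} for registrants with more than one.
    """
    by_registrant = defaultdict(list)
    for rec in records:
        by_registrant[rec["registrant_email"].lower()].append(rec["domain"])
    return {k: sorted(v) for k, v in by_registrant.items() if len(v) > 1}


def expand_blocklist(seed_domains, records):
    """Seed domains plus every domain sharing a registrant with a seed."""
    expanded = set(seed_domains)
    for domains in pivot_on_registrant(records).values():
        if expanded.intersection(domains):
            expanded.update(domains)
    return sorted(expanded)


def match_dns_log(log_text, blocklist):
    """Return (client, qname) pairs whose query name is a blocklisted domain
    or a subdomain of one. Matching is on label boundaries, so
    'login.nsecurepay.com' hits but 'notnsecurepay.com' does not."""
    blocked = {d.lower().rstrip(".") for d in blocklist}
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").lower().rstrip(".")
        labels = qname.split(".")
        # Test every suffix of the query name against the blocklist.
        for i in range(len(labels)):
            if ".".join(labels[i:]) in blocked:
                hits.append((m.group("client"), qname))
                break
    return hits


if __name__ == "__main__":
    seed = ["csecurepay.com"]  # the domain FireEye reported first
    blocklist = expand_blocklist(seed, REGISTRATIONS)
    print("blocklist:", blocklist)
    for client, qname in match_dns_log(DNS_LOG, blocklist):
        print(f"ALERT: client {client} resolved {qname}")
```

Starting from the single seed domain, the registrant pivot adds nsecurepay.com to the blocklist, and the log scan then flags the two internal clients that resolved either domain, while the legitimate bank domain registered by a different contact is left alone. Suffix matching on label boundaries is what makes the second hit fire for a subdomain without producing false positives on unrelated names that merely contain the string.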

Google accounts

Experts are also seeing a shift in the strategy of hackers, who are now targeting mobile devices in order to obtain the sensitive information stored on them. Israeli cybersecurity firm Check Point said its security researchers had uncovered a new variant of Android malware that has breached the security of more than one million Google accounts.

The new malware campaign, named Gooligan, roots Android devices and steals email addresses and authentication tokens stored on them. With this information, attackers can access users’ sensitive data from Gmail, Google Photos, Google Docs, Google Play and Google Drive, according to Check Point.

“This theft of over a million Google account details is very alarming and represents the next stage of cyber-attacks,” said Michael Shaulov, Check Point’s head of mobile products, in a statement.

Check Point’s Mobile Research Team first encountered Gooligan’s code in the malicious SnapPea app last year.

In August 2016, the malware reappeared with a new variant and has since infected at least 13,000 devices per day. About 40 per cent of these devices are located in Asia and about 12 per cent are in Europe.

Infected app

The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device, or clicks on a malicious link in a phishing text message.

“As part of our ongoing efforts to protect users from the Ghost Push family of malware, we’ve taken numerous steps to protect our users and improve the security of the Android ecosystem overall,” said Adrian Ludwig, Google’s director of Android security. Google said it contacted affected users and revoked their tokens, removed apps associated with the Ghost Push family from Google Play, and added new protections to its Verify Apps technology.
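The article reports that Gooligan steals authentication tokens from rooted devices and that Google's response was to revoke the affected users' tokens. The following added example, which is not Google's implementation and not code from Check Point's report, shows one common way a service makes that response possible: each token is signed by the server and records an account-level "generation" counter, so revoking an account bumps the counter and invalidates every outstanding token for that account at once, including copies copied off a compromised device. The service class, the signing key and the account and device names are all constructed for illustration.

```python
"""Bulk revocation of stolen bearer tokens via an account generation counter.

Added example, not Google's implementation. Models the mitigation the
article reports (revoking affected users' tokens). All names are constructed.
"""
import hashlib
import hmac
import secrets

# Constructed per-process signing key; a real deployment uses a managed key.
SERVER_KEY = secrets.token_bytes(32)
SEP = "|"


class TokenService:
    """Issues HMAC-signed tokens bound to an account, a device and the
    account's current generation; revoke_all() bumps the generation."""

    def __init__(self):
        self.generation = {}  # account -> current generation number

    def _sign(self, payload: str) -> str:
        return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, account: str, device_id: str) -> str:
        # The separator must not appear in the fields, or parsing is ambiguous.
        if SEP in account or SEP in device_id:
            raise ValueError("separator not allowed in account or device id")
        gen = self.generation.setdefault(account, 1)
        payload = SEP.join((account, device_id, str(gen)))
        return payload + SEP + self._sign(payload)

    def validate(self, token: str):
        """Return (account, device_id) for a live token, else None."""
        parts = token.split(SEP)
        if len(parts) != 4:
            return None
        account, device_id, gen_s, sig = parts
        payload = SEP.join((account, device_id, gen_s))
        # Constant-time comparison so signature checks do not leak timing.
        if not hmac.compare_digest(sig, self._sign(payload)):
            return None
        if not gen_s.isdigit() or int(gen_s) != self.generation.get(account):
            return None  # token predates a revocation for this account
        return account, device_id

    def revoke_all(self, account: str) -> None:
        """Invalidate every token issued to the account so far."""
        self.generation[account] = self.generation.get(account, 1) + 1


def stolen_token_scenario():
    """Walk through the article's situation: a token lifted from a device
    keeps working until the account's tokens are revoked, after which the
    user's freshly issued token works and the stolen copy does not."""
    svc = TokenService()
    victim = "victim@example.test"
    token = svc.issue(victim, "phone-1")
    stolen_copy = token  # exfiltrated from the rooted device
    before = svc.validate(stolen_copy) is not None
    svc.revoke_all(victim)
    after = svc.validate(stolen_copy) is not None
    fresh = svc.validate(svc.issue(victim, "phone-1")) is not None
    return before, after, fresh


if __name__ == "__main__":
    print("stolen token valid before/after revocation, fresh token valid:",
          stolen_token_scenario())
```

The generation counter is what lets the operator revoke "all tokens for these users" without enumerating the tokens themselves; the signature check ensures a stolen token cannot simply be edited to claim the new generation.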