A Little Smishing Tale
01 Jan 2024 (589 Words, 4 Minutes)
Smishing is on the rise, and last year I was lucky enough to receive one myself. Let's have a look at their cute little malicious SMS.
SMS - Impersonating SBI Bank
Phone Number: +91 9449243762, Link: https://bitly.ws/34eSw
Investigating further: TrueCaller for the phone number and VirusTotal for the bitly link.
It's likely that this phone number is also used in vishing attacks, luring potential victims with a sense of urgency and fear: recover your bank account by updating your sensitive details.
VirusTotal flags the bitly link, but not the vercel.app deployment behind it.
One thing is almost religious about these phishing and smishing scams: the text is misspelled most of the time.
Meanwhile, YONO (You Only Need One) SBI is an all-in-one digital banking platform by State Bank of India (SBI). It’s a comprehensive app for Android and iOS that allows users to access a variety of financial services along with lifestyle-related offerings like booking travel and shopping online.
As you can see, the scammers are possessive in their approach: they don't want your credentials to fall into anyone's hands but their own.
I entered random numbers in the fields, and it just worked; they are hungry for the victim's credentials. Point to note: the captcha was static as well, the same across several page reloads. And the OTP could be just anything; it accepted any random 4-6 digit number.
At this point the victim has given their full name and their father's full name, date of birth, PAN number, the last 4 digits of their bank account number, and Aadhaar number. That's a lot of sensitive PII. There's a high possibility of financial fraud, where the scammer takes out loans in the victim's name without them knowing about it.
Now it required a one-time password. I tried to brute-force it, but it didn't work out: it halted here and the timer would run out.
Tips for Identification :
Never click a shortened link that comes from an unknown sender, especially one impersonating an entity like a bank.
Investigate the phone number via services like TrueCaller, and investigate the URL via platforms like VirusTotal. Check what the final URL is, how many redirects there are, and so on. Remember point 1: a bank will never send you an SMS asking you to update the sensitive PII on your bank account.
Only log in to your bank account via the official login portal (for instance, SBI's official login portal), and only update or change any settings or preferences within an authenticated session on that official portal. For extra precaution, avoid altering PII via the bank's app as well.
Be vigilant, and contact the bank's customer care to inquire further about any such SMS or email.
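As an added example (not from the original post), here is the redirect-walking check from the tip above in Python: it expands a shortened link hop by hop using HEAD requests that do not follow redirects, so no page is ever rendered, then counts the hops and compares the final domain with the bank's official domain. The hop table, the shortener list and the `bank.example` domain are constructed stand-ins for this example; `live_head` is the real-network variant you would pass in instead of `offline_head`.

```python
"""Expand a shortened SMS link hop by hop without rendering any page.

Added example; it is not from the original post. The hop table, shortener
list and the bank's "official" domain are constructed stand-ins.
"""
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urljoin, urlparse

# Link shorteners commonly abused in smishing (constructed list, extend as needed).
SHORTENER_DOMAINS = {"bitly.ws", "bit.ly", "tinyurl.com", "t.co", "cutt.ly", "rb.gy"}

# Constructed hop table standing in for live HTTP: url -> (status, Location header).
# The real chain behind the SMS link in the post is not reproduced here.
SAMPLE_HOPS = {
    "https://bitly.ws/abc123": (301, "https://bank-kyc-update.vercel.app/"),
    "https://bank-kyc-update.vercel.app/": (302, "/login"),
    "https://bank-kyc-update.vercel.app/login": (200, None),
    "https://loop.example/a": (302, "https://loop.example/b"),
    "https://loop.example/b": (302, "https://loop.example/a"),
}

REDIRECT_CODES = {301, 302, 303, 307, 308}


def offline_head(url):
    """Look a URL up in the constructed hop table instead of touching the network."""
    return SAMPLE_HOPS.get(url, (404, None))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_head(url, timeout=10):
    """Real HEAD request that does NOT follow redirects (not used by the offline run)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "link-check/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except HTTPError as err:  # 3xx ends up here because the handler refused to follow it
        return err.code, err.headers.get("Location")


def follow_redirects(url, head=offline_head, max_hops=10):
    """Walk the redirect chain; stop on a non-redirect, a loop, or the hop limit."""
    chain, seen, looped = [url], {url}, False
    for _ in range(max_hops):
        status, location = head(url)
        if status not in REDIRECT_CODES or not location:
            return {"chain": chain, "final": url, "looped": False, "truncated": False}
        url = urljoin(url, location)  # Location may be relative
        chain.append(url)
        if url in seen:
            looped = True
            break
        seen.add(url)
    return {"chain": chain, "final": url, "looped": looped, "truncated": not looped}


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def belongs_to(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def assess_sms_link(url, official_domains, head=offline_head):
    """Summarise what a practitioner wants to know before anyone taps the link."""
    walk = follow_redirects(url, head=head)
    first, final = host_of(url), host_of(walk["final"])
    findings = {
        "shortened_link": belongs_to(first, SHORTENER_DOMAINS),
        "redirect_hops": len(walk["chain"]) - 1,
        "final_url": walk["final"],
        "final_domain": final,
        "domain_matches_bank": belongs_to(final, official_domains),
        "looped": walk["looped"],
    }
    findings["suspicious"] = (
        findings["shortened_link"] or not findings["domain_matches_bank"] or findings["looped"]
    )
    return findings


if __name__ == "__main__":
    # "bank.example" stands in for the impersonated bank's real domain (assumption).
    report = assess_sms_link("https://bitly.ws/abc123", {"bank.example"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it as-is for the offline walk-through; to check a real SMS link, call `assess_sms_link(url, {...official domains...}, head=live_head)` from a throwaway machine or sandbox, since even a HEAD request tells the operator that the number is live. A shortener in front of a free hosting domain that is not the bank's is exactly the pattern in this post.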
Tips for recovery :
Let's say you fell victim to such an SMS. Here are some important points to consider:
Realize that the attackers can't unsee your PII, and changing your Aadhaar or PAN number is practically impossible.
Change the password for your bank accounts, and avoid password reuse at all costs.
Monitor for loans issued in your name, inform the respective banks about the incident, and attach the URL and phone number associated with the scam to the complaint email. Report it all as soon as possible.
To be on the safe side, get good legal advice about the incident and lodge an FIR.
My Personal Comments
There are several red flags throughout the workflow of this specific smishing attack. But to an untrained eye it could be very convincing: the choice of colours, the form fields on the web page, the fonts, the banner, and especially the way it moved on to the next page after receiving user input were all pretty realistic. Elderly people or first-time net banking users might fall into this trap.
Anyway, that is all from me for now. I tried to keep it crisp and concise. I wish you a Happy New Year! May this year be full of prosperity and success. Thanks for spending your time giving it a read.