Phishing campaigns targeting banking and financial institutions have always been in the news. Specifically in India, scammers are always evolving with new ways to steal banking information, including credit/debit card information and personally identifiable information (PII).
Sometimes, scammers use freemium services to host phishing sites. Alternatively, they may register domains using common keywords to avoid detection. In a recent ongoing campaign, the Bolster Research Team has discovered a campaign targeting Axis Bank and their credit card reward points services.
Because directory listing was left enabled on one of the phishing sites, we were able to obtain the phishing kit used in this campaign. Let’s dive into the details so your business can better identify similar phishing campaigns down the road by learning from the Axis Bank case.
The Phishing Campaign Targeting Axis Bank
The rewards point phishing campaign is not limited to Axis Bank, but also is targeting other famous banking players in India.
In this campaign, domains were created with the keywords “onlinecardservice” and “cardsserviceonline” to avoid alerts from detection engines based on brand names.
Our real-time URL scanner CheckPhish has identified two domains as part of the phishing campaign. One was registered 17 days ago and the other 7 months ago. Interestingly, the registrant details of one of the domains, such as name, location, email, and phone number, were exposed in the whois record [likely the actor using fake details].
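The keyword-only naming described above defeats detectors that look for a brand name in the domain. As an added illustration (not part of Bolster's post or of CheckPhish), the heuristic below segments a separator-free label into card-service vocabulary and combines the result with registration age; the word lists, sample records and reference date are constructed for the example, and the first two records mirror the 17-day and 7-month ages reported in the post.

```python
import re
from datetime import date

# Tokens a conventional brand-keyword detector looks for (constructed list).
BRAND_TOKENS = {"axisbank", "axis", "sbi", "hdfc", "icici"}
# Generic card/reward vocabulary the campaign used instead of brand names (constructed list).
SERVICE_TOKENS = {"online", "card", "cards", "service", "reward", "rewards", "points", "bank"}
VOCAB = BRAND_TOKENS | SERVICE_TOKENS

def segment(label: str):
    """Split a separator-free label into vocabulary words, maximising covered characters (DP)."""
    n = len(label)
    best = [(0, [])] + [None] * n          # best[i]: (matched chars, tokens) for label[:i]
    for i in range(1, n + 1):
        cand = best[i - 1]                 # default: treat label[i-1] as an unknown character
        for w in VOCAB:
            j = i - len(w)
            if j >= 0 and label[j:i] == w and best[j][0] + len(w) > cand[0]:
                cand = (best[j][0] + len(w), best[j][1] + [w])
        best[i] = cand
    matched, tokens = best[n]
    return tokens, (matched / n if n else 0.0)

def assess(name: str, registered: date, today: date) -> dict:
    """Score one domain; a brand-only detector would flag only those with brand_detector_hits."""
    parts = name.lower().rstrip(".").split(".")
    # Simplification: take the second-level label; multi-part TLDs (e.g. co.in) are not handled.
    label = re.sub(r"[^a-z]", "", parts[-2] if len(parts) >= 2 else parts[0])
    tokens, coverage = segment(label)
    brand_hit = any(t in BRAND_TOKENS for t in tokens)
    generic = {t for t in tokens if t in SERVICE_TOKENS}
    age_days = (today - registered).days
    reasons = []
    if brand_hit:
        reasons.append("brand keyword in domain")
    if len(generic) >= 2 and coverage >= 0.8:
        reasons.append("domain built almost entirely from card-service vocabulary")
    if reasons and age_days <= 30:
        reasons.append(f"registered {age_days} days ago")
    return {"domain": name, "tokens": tokens, "coverage": round(coverage, 2),
            "brand_detector_hits": brand_hit, "suspicious": bool(reasons), "reasons": reasons}

TODAY = date(2024, 6, 1)  # constructed reference date
SAMPLE = [  # constructed records; the first two mirror the 17-day and 7-month ages in the post
    ("onlinecardservice.com", date(2024, 5, 15)),
    ("cardsserviceonline.com", date(2023, 11, 1)),
    ("axisbankrewards.example", date(2024, 5, 20)),  # constructed brand-style lookalike
    ("example.org", date(2010, 1, 1)),
]
RESULTS = [assess(n, r, TODAY) for n, r in SAMPLE]
```

Only the third record would trip a brand-keyword rule; the two campaign-style names are caught by the vocabulary coverage check instead, with the newly registered one scored higher.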
Analysis of an Associated Phishing Website
The impersonated website is created to steal the victim’s banking information (credit card number, CVV) and PII in three simple steps:
1. Once victims click on any of the options on the phishing site, it redirects them to the fake “Reward Point Online Application,” asking them to fill in PII, including their Name, Date of Birth, Email ID, Mobile No.
2. Once that form is submitted successfully, it takes the victim to another fake form that asks for banking details.
3. In the last step, it asks the victim to submit the OTP.
Analysis of the Phishing Kit
Due to misconfiguration in one of the identified phishing sites, the actor left the directory listing enabled, which led us to discover the phishing kit used in this campaign. This mostly happens due to a lack of technical knowledge or laziness among phishing campaign operators.
Inside the phishing kit
Upon analysis, we found that this phishing kit is built with HTML, CSS, JavaScript, PHP and MySQL.
There are no further evasion techniques associated with it. Still, interestingly, while investigating we uncovered that the phishing kit can likely be used to target SBI Bank’s reward campaign as well, based on comments in the code files.
Most notably, the C2 server’s code was found inside the phishing kit’s directory, along with hard-coded MySQL database credentials and configuration.
Potential Victims of the Phishing Campaign Targeting Axis Bank
After analyzing the server code, we found hard-coded database credentials, and based on the kit’s structure we tracked down the C2 server, which is hosted at this URL: hxxps://onlinecardservice[.]com/axisbank/1/index.php
The login portal was configured with default credentials, which is consistent with the actor’s level of technical understanding. Upon analyzing the data exposed from the phishing site’s server, it appears that most of the information entered was random.
However, some of the information may be valid.
Conclusion: Protecting Your Business and Your Customers
These types of campaigns are not unusual, but they demonstrate how scammers from India are continuously improving their tactics. They’ve gone from cloning websites to creating custom phishing kits for their classic phishing campaigns. It’s clear that their skills are growing, and we can expect to see more of these kinds of tactics from them in the future.
Hacking techniques around the world are evolving to outsmart some of the more common anti-phishing tactics. As hackers become more reliant on AI-backed hacking solutions, it’s important for businesses to utilize AI security solutions to effectively identify and take down phishing sites at scale.
To see how Bolster’s trained LLMs can protect your business from phishing attacks spun up around the world, request a demo with us today.