On Thursday, cyber-security experts announced the discovery of an "unprecedented, sophisticated" phishing method that has been used to extort people by impersonating official websites worldwide, including the Indian government's portal https://india.gov.in.
According to AI-driven cyber-security startup CloudSEK, threat actors have been impersonating the Indian government's webpage under a fake URL to deceive users into entering sensitive information such as credit card numbers, expiration months, and CVV codes.
In the advanced phishing technique known as a Browser-in-the-Browser (BitB) attack, the attackers imitate a browser window of the Indian government website, most typically an SSO (single sign-on) page, complete with its own login prompt.
BitB attacks impersonate reputable websites in order to steal user passwords and other sensitive data such as personally identifying information (PII).
The URL displayed in the window produced by the BitB attack looks legitimate, because the address bar is painted by the phishing page itself rather than by the real browser.
"The bad actors have also replicated the original page's user interface. Once their victims click into the phishing page, a pop-up appears on the phoney window claiming that their systems have been blocked, posing as a notification from the Home Affairs Enforcement and Police," the researchers asserted.
The users are then alerted that their excessive usage of pornographic websites is banned under Indian law, and they are asked to pay a Rs 30,000 fee in order to unlock their computers.
"They are given a form to fill out in order to pay the fine, which asks them to divulge personal information, including their credit card information. The victims become panicked because the warning has a sense of urgency and appears to be time-bound," the researchers stated.
The information entered by the victims into the form is sent to the attacker's server.
Once the attackers have obtained the card information, it may be sold to other purchasers in a bigger network of cyber criminals, or the victim may be extorted for more funds.
A user visiting a website may click a malicious link that opens what appears to be an SSO login pop-up window.
Users are asked to sign in to the website with their SSO credentials when they visit the provided URL, and are then sent to a fraudulent page that looks exactly like the SSO page.
The attack typically triggers a fake single sign-on window and presents bogus web pages that are identical to the legitimate page.
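The defining trait of a BitB window is that it is not a browser window at all: it is a positioned overlay inside the phishing page that paints a fake address bar and loads the credential form in an `<iframe>`. The following is an added example (not CloudSEK's tooling and not code from the campaign) of a heuristic scan a defender can run over the HTML of a reported page to flag that pattern. It uses only the Python standard library; the two HTML samples and the hostnames in them are constructed for the example and are placeholders, not indicators from the article.

```python
"""Heuristic BitB scan: flag an <iframe> whose nearest positioned ancestor
(position:fixed/absolute, i.e. an in-page overlay) also displays URL-like
text, which is how a painted fake address bar shows up in the DOM.
Added defender-side example; a real page can hide the bar in an image,
so treat a hit as a triage lead, not proof."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[\w.-]+(?:/[^\s<]*)?")
OVERLAY_RE = re.compile(r"position\s*:\s*(fixed|absolute)", re.I)
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr", "source"}


class Node:
    """Minimal DOM node: tag, attributes, parent and ordered children
    (child Nodes or text strings)."""

    def __init__(self, tag, attrs, parent):
        self.tag = tag
        self.attrs = dict(attrs)
        self.parent = parent
        self.children = []

    def text_content(self):
        return "".join(c if isinstance(c, str) else c.text_content()
                       for c in self.children)

    def walk(self):
        yield self
        for c in self.children:
            if isinstance(c, Node):
                yield from c.walk()


class TreeBuilder(HTMLParser):
    """Builds a Node tree from HTML with the standard-library parser."""

    def __init__(self):
        super().__init__()
        self.root = Node("#document", {}, None)
        self.cur = self.root

    def handle_starttag(self, tag, attrs):
        node = Node(tag, attrs, self.cur)
        self.cur.children.append(node)
        if tag not in VOID_TAGS:
            self.cur = node

    def handle_endtag(self, tag):
        n = self.cur
        while n is not self.root and n.tag != tag:
            n = n.parent
        if n is not self.root:
            self.cur = n.parent

    def handle_data(self, data):
        self.cur.children.append(data)


def is_overlay(node):
    return bool(OVERLAY_RE.search(node.attrs.get("style") or ""))


def find_bitb_candidates(html):
    """One finding per <iframe> sitting inside an overlay that shows a URL.
    host_mismatch is True when the painted URL's host differs from the
    iframe's real source, the classic BitB tell."""
    builder = TreeBuilder()
    builder.feed(html)
    findings = []
    for iframe in builder.root.walk():
        if iframe.tag != "iframe":
            continue
        anc = iframe.parent
        while anc is not None and not is_overlay(anc):
            anc = anc.parent
        if anc is None:
            continue
        m = URL_RE.search(anc.text_content())
        if not m:
            continue
        shown, src = m.group(0), iframe.attrs.get("src") or ""
        findings.append({
            "displayed_url": shown,
            "iframe_src": src,
            "host_mismatch": (urlparse(shown).hostname or "")
                             != (urlparse(src).hostname or ""),
        })
    return findings


# Constructed sample inputs (placeholder hosts, not captured pages).
BENIGN_HTML = """<html><body>
  <p>Sign in via <a href="https://login.example.com/sso">https://login.example.com/sso</a></p>
  <iframe src="https://www.example.com/help"></iframe>
</body></html>"""

SUSPECT_HTML = """<html><body>
  <div id="fakewin" style="position:fixed; top:120px; left:300px; width:480px">
    <div class="titlebar">&#128274; https://login.example.com/sso</div>
    <iframe src="https://cdn.attacker-placeholder.test/form.html"></iframe>
  </div>
</body></html>"""

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_HTML), ("suspect", SUSPECT_HTML)):
        print(name, find_bitb_candidates(doc))
```

The benign page has a real link and an unrelated iframe and produces no finding; the suspect page yields one finding whose displayed URL and iframe host disagree. The same property is what a user can check by hand: a genuine pop-up can be dragged outside the parent browser window, while an overlay like this cannot.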
"Combine SSO with MFA (multi-factor authentication) for secure login across accounts, check for suspicious logins and account takeovers and avoid clicking on email links from unknown sources," the researchers suggested.