The latest report from Cyble Research and Intelligence Labs (CRIL) revealed that scammers are targeting Indian residents who submit complaints on social media accounts belonging to various local firms.
Fraudsters keep an eye out on Twitter and other social media sites for customers asking for reimbursements for problems they may have had with services offered by businesses like the Indian Railway Catering and Tourism Corporation.
Researchers claim that once fraudsters discover a victim's contact details, they would start a scam.
"When users report complaints on social media, scammers take advantage of the opportunity to carry out phishing attacks by asking them to download malicious files to file their complaints and steal their funds from bank accounts," CRIL stated.
Users of other popular Indian brands and organisations, including e-commerce platform Flipkart, payment service provider MobiKwik, budget airline Spicejet, and various banks, were targeted in addition to the IRCTC.
In one case, after posting a complaint on the IRCTC's Twitter account, a user was contacted by someone impersonating an IRCTC customer service representative. While the user in this case refused to provide their information to the scammer, CRIL stated that fraudsters would use a variety of techniques to defraud victims.
Scammers, for example, may attempt to link a victim's mobile number or account via the Unified Payments Interface (UPI), send a Google form to collect sensitive information or forward a WhatsApp link to a malicious website.
"Scammers have been using Android malware in addition to other fraudulent tactics. They may send a phishing link that downloads a malicious APK file to infect the device, or they may send the malicious file via WhatsApp," the researchers added.
Fraudsters, according to the researchers, use malicious APK files with names like "IRCTC customer.apk," "online complaint.apk," or "complaint register.apk" to trick victims into revealing their banking credentials.
They also want the victim's UPI details, credit/debit card information, and one-time passwords used for two-factor authentication.
CRIL discovered one such phishing website that asked victims to enter basic information such as their name, mobile number, and complaint query before prompting them to enter sensitive banking information. It also requested the victim to install a malicious application that would allow it to steal incoming text messages from the infected device.
According to CRIL, the scheme was perpetrated by "a group of financially motivated scammers" based in India. While it was first observed in late 2020, researchers say it has only recently begun targeting social media complaints to identify potential victims.
"It is critical that users are aware of these scams and exercise caution when providing personal information or downloading files online," CRIL warned.