Date: 2021-03-02

Suspicious messages asking State Bank of India (SBI) customers to redeem SBI credit points worth Rs9,870 have recently been doing the rounds, according to New Delhi-based CyberPeace Foundation, a cybersecurity think tank.

The link associated with the text message redirects the user to a fake website, and on the landing page, the customer is asked to submit personal and financial information such as name, registered mobile number, e-mail, date of birth, card number, expiry date, CVV and MPIN in a ‘State Bank of India Fill Your Details’ form.

The domain name of the website can be traced to India, and the registrant state was Tamil Nadu, as per the CyberPeace Foundation report.

According to the report by the CyberPeace Foundation along with Autobot Infosec Private Ltd, "The fake site collects data directly without any verification and is registered by a third party instead of having the registrant organization name of State Bank of India, making it all the more suspicious. Moreover, according to SBI, they never communicate with their customers via SMS or emails containing links about the user’s account. Any reputed banking entity also does not use WordPress-like CMS technologies on its official website for security reasons."

In a source code analysis, the title of the site was discovered to be ‘Home-Earn Redeem Points’. A tag found in the source code redirects users to a WordPress website, indicating that the website was built with WordPress, and the WordPress theme in use is Sinatra, a lightweight and highly customizable multipurpose theme. The WordPress administrative login page of the site was also found by visiting the fake website, the CyberPeace Foundation report said.

It was also observed that the form takes user input without performing basic validation of data type. For example, the registered mobile number field, which should accept only numerical values, also accepts text input. Moreover, the card number field accepts an unlimited number of digits instead of only the sixteen digits that SBI cards usually have.

The email password field shows the entered password in clear text instead of keeping the characters hidden, making it all the more suspicious.
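The markup-level indicators listed above (a WordPress tag in the source, a form collecting card data and MPIN, unvalidated fields, a password shown in clear text) can be checked automatically when triaging a reported link. The following is an added example, not code from the CyberPeace Foundation report; the sample HTML and its field names are constructed, and treating the WordPress `generator` meta tag as the "tag" the report mentions is an assumption.

```python
from html.parser import HTMLParser

# Field-name keywords drawn from the data the article says the form requests.
SENSITIVE = ("card", "cvv", "mpin", "expiry", "password")

class LandingPageAudit(HTMLParser):
    """Flags the landing-page indicators described in the article."""
    def __init__(self):
        super().__init__()
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        # WordPress emits <meta name="generator" content="WordPress ...">.
        if tag == "meta" and a.get("name", "").lower() == "generator":
            if "wordpress" in a.get("content", "").lower():
                self.findings.add("cms:wordpress-generator-tag")
        if tag != "input":
            return
        name = f"{a.get('name', '')} {a.get('id', '')}".lower()
        ftype = a.get("type", "text").lower()
        for kw in SENSITIVE:
            if kw in name:
                self.findings.add(f"collects:{kw}")
        # Password rendered as plain text instead of masked input.
        if "password" in name and ftype != "password":
            self.findings.add("cleartext:password")
        # Card number with no length or pattern constraint.
        if "card" in name and "maxlength" not in a and "pattern" not in a:
            self.findings.add("unbounded:card")
        # Mobile number field that accepts arbitrary text.
        if "mobile" in name and ftype != "number" and "pattern" not in a:
            self.findings.add("untyped:mobile")

def audit(html: str) -> list:
    parser = LandingPageAudit()
    parser.feed(html)
    return sorted(parser.findings)

# Constructed sample page; only the title string comes from the article.
SAMPLE = """<html><head><title>Home-Earn Redeem Points</title>
<meta name="generator" content="WordPress"></head><body><form method="post">
<input type="text" name="mobile"><input type="text" name="card_number">
<input type="text" name="cvv"><input type="text" name="mpin">
<input type="text" name="email_password"></form></body></html>"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

These are heuristics over client-side markup only; a page that passes them is not thereby legitimate.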

