Home / Companies / News /  State Bank of India customers targeted by text phishing scam

State Bank of India customers targeted by text phishing scam

Social networking sites remained the most popular phishing targets, email services were second and financial and e-pay organizations came third, said the report.  Premium
Social networking sites remained the most popular phishing targets, email services were second and financial and e-pay organizations came third, said the report.

  • A tag found in the source code redirects users to a WordPress website, indicating that the website was built with WordPress, and the WordPress theme in use is Sinatra, a lightweight and highly customizable multipurpose theme

Suspicious messages requesting State Bank of India (SBI) customers to redeem their SBI credit points worth Rs9,870 have recently been making rounds, according to New Delhi-based CyberPeace Foundation, a cybersecurity think tank.

The link associated with the text message redirects the user to a fake website, and on the landing page, the customer is asked to submit personal and financial information such as name, registered mobile number, e-mail, date of birth, card number, expiry date, CVV and MPIN in a ‘State Bank of India Fill Your Details’ form.

The domain name of the website can be traced to India, and the registrant state was Tamil Nadu, as per the CyberPeace Foundation report.

According to the CyberPeace Foundation along with Autobot Infosec Private Ltd report, "The fake site collects data directly without any verification and is registered by a third party instead of having the registrant organization name of State Bank of India, making it all the more suspicious. Moreover, according to SBI, they never communicate with their customers via SMS or emails containing links about the user’s account. Any reputed banking entity also does not use WordPress like CMS technologies on its official website for security reasons.

In a source code analysis, the title name of the site was discovered to be ‘Home-Earn Redeem Points’. A tag found in the source code redirects users to a WordPress website, indicating that the website was built with WordPress, and the WordPress theme in use is Sinatra, a lightweight and highly customizable multipurpose theme. The WordPress administrative login page of the site was also found by visiting the fake website, the CyberPeace Foundation report said.

It was also observed that the form takes user's inputs without performing a basic validation of data type. For example, the registered mobile number field, which should only accept numerical values also accepts text input. Moreover, the card number field accepts an infinite number of digits instead of only sixteen digits, which SBI cards usually have.

The email password field shows the entered password in clear text instead of keeping the characters hidden, making it all the more suspicious.

ABOUT THE AUTHOR

Navneet Dubey

Navneet Dubey is a personal finance writer and artist. Over the past decade, he has written feature stories on insurance, financial planning, lending and borrowing.
Catch all the Corporate news and Updates on Live Mint. Download The Mint News App to get Daily Market Updates & Live Business News.
More Less

Recommended For You

Trending Stocks

×
Get alerts on WhatsApp
Set Preferences My ReadsWatchlistFeedbackRedeem a Gift CardLogout