Phishing Campaign Targeting Mobile Users in India Using India Post Lures
2024-7-25 21:0:0 Author: feeds.fortinet.com(查看原文) 阅读量:12 收藏

Impacted Users: iPhone users in India
Impact: Possible financial loss; stolen information can be used for future attacks
Severity Level: Medium

The FortiGuard Labs Threat Research team recently observed a number of social media posts commenting on a fraud campaign targeting India Post users. India Post is India’s government-operated postal system. It is part of the Ministry of Communications and has a vast network of over 150,000 post offices across the country, making it one of the largest postal systems in the world.

In this campaign, iPhone users are being targeted by smishing attacks claiming to be from India Post. This scam involves sending an iMessage to iPhone users that falsely claims that a package is waiting at an India Post warehouse.

Public reporting suggests this campaign is being attributed to a China-based threat actor known as the Smishing Triad. This group has previously targeted other regions, including the US, UK, EU, UAE, KSA, and, most recently, Pakistan.

We have observed third-party email addresses such as Hotmail, Gmail, or Yahoo being used in phishing emails on iMessage. Apple allows users to create an Apple ID using these third-party email addresses as the primary email associated with their Apple ID. Once the Apple ID is created and configured for iMessage, the sender can use that third-party email address to send messages through iMessage. The messages often contain a short URL, leading to a fraudulent website.

Figure 1. Smishing lures sent to users in India. Screenshots collected from social media posts.

Upon investigation, we discovered a significant number of newly registered domains being used for current and potential phishing scams. This blog highlights the tools and methods used to propagate such phishing campaigns and explores the scale of these operations, the tactics employed by threat actors, and other relevant insights.

Domain Names Impersonating India Post

Between January and July 2024, we found over 470 domain registrations mimicking India Post's official domain. Among these, 296 domains were registered via the Chinese registrar Beijing Lanhai Jiye Technology Co., Ltd., followed by 152 registrations through Namesilo, an American domain registrar. The notable concentration of registrations through a Chinese registrar certainly raises substantial concerns about the underlying intentions. This activity exemplifies a homograph phishing attack, where domain names are created to look visually similar to legitimate ones.

Figure 2. Domain Registration Frequency: June to mid-July (Dates with 4+ Registrations).

  • There was a clear spike in registrations during June and July 2024. Notable dates include:
    • 26 June 2024: 42 domains
    • 09 June 2024: 33 domains
    • 13 June 2024: 32 domains
    • 06 July 2024: 36 domains
    • 04 July 2024: 26 domains
    • 08 July 2024: 25 domains

The most frequently used top-level domains (TLDs) include 'vip' (200 registrations), 'top' (81 registrations), and 'buzz' (40 registrations). 

Figure 3. Frequency of TLDs used to register these fraudulent domain names.

The registration cost per domain varies: 'vip' TLDs typically range from USD 4 to USD 5 per domain, whereas 'top' TLDs cost between USD 1 and USD 2 per domain.

To calculate the total investment:

Figure 4. Investments made on the domain purchase.

IP Address Analysis

Our analysis revealed that Tencent, a Chinese hosting service provider, hosts a significant number of these domains (232). Additionally, Tencent hosts 16 domains registered in Santa Clara.

Figure 5. Host distribution by country/region.

Figure 6. Host distribution by hosting provider.

Further analysis revealed that 262 domain names point to the IP address 119.28.68[.]187, also hosted on Tencent's servers.

Fraudulent Website Analysis

When investigating the phishing domain 'indiapost[.]top,' which impersonates India Post through a cloned copy of the original website, it was discovered that the domain does not host any content. Instead, specific paths on the domain are utilized to host the phishing website that impersonates India Post.

Figure 7. The cloned India Post website does not host any content.

While the domain name was registered on 28th November 2023, it is now actively being used in their operations. It is now likely to evade detection by antivirus engines as domains typically gain reputation over time.

The phishing site (on the left) is an identical copy of the original India Post website (on the right).

Figure 8. The phishing site (left) is compared to the original site.

Figure 9. Phishing message

Continuing as a regular user, the fraudsters collect sensitive information such as name, full residential address, email ID, and phone number. This information can be leveraged in future operations for further scams, sending phishing emails, spreading disinformation/misinformation, or distributing malware.

Figure 10. User information collection form.

On the next page, the fraudulent site requests debit/credit card information for a payment of INR 25.02, claiming it is a charge for redelivering the package.

Figure 11. Payment information collection.

Modus-Operandi

The threat actors begin by sending a message via iMessage directly to the recipients' registered Apple ID email addresses. The sender ID could be a newly registered Apple ID or a compromised account. This method ensures that the message appears within the recipient's Messages app as an iMessage, distinct from traditional email communications, provided both parties use iMessage-enabled devices and have their Apple IDs configured for iMessage.

Recommendations to Mitigate Phishing Scams

  1. Be Sceptical of Unexpected Emails: Do not open emails from unknown senders. Be cautious with unexpected emails, especially those requesting personal information or urging immediate action.
  2. Verify URLs: Before clicking on links in emails or messages, hover over them to see the actual URL. Ensure the link points to a legitimate website by checking for common signs of phishing, such as misspelled domain names or unusual URLs.
  3. Check for HTTPS: Ensure that websites where you enter personal information use HTTPS (look for the padlock icon in the browser's address bar). However, HTTPS alone does not guarantee a site's safety.
  4. Do Not Share Personal Information: Avoid sharing sensitive information like passwords, social security or other identification numbers, and credit card or banking details via email or messaging apps.
  5. Use Strong, Unique Passwords: Create strong, unique passwords for different accounts. Consider using a password manager to generate and store complex passwords securely.
  6. Enable Multi-Factor Authentication (MFA): Enable MFA on your accounts whenever possible to add an extra layer of security.
  7. Be Cautious with Attachments: Do not open attachments from unknown or suspicious sources, as they may contain malware.
  8. Update Software Regularly: Keep your operating system, browser, and software up to date with the latest security patches.
  9. Educate Yourself: Stay informed about common phishing tactics and scams. Familiarize yourself with the latest phishing techniques and how to recognize them.
  10. Report Phishing Attempts: Report any phishing emails or messages to the relevant authorities or service providers. This can help prevent others from falling victim to the same scam.

Conclusion

The investment in registering these domain names alone exceeds USD 1500, not to mention additional costs for hosting and development. This significant investment highlights the threat actors' commitment, the phishing operation's scale, and its potential long-term impact. As a result, we feel that the likelihood of numerous victims falling prey to these scams is increased, leading to substantial financial losses, data breaches, and other security issues for individuals and organizations targeted by these domains.

This operation may also serve as a strategic initiative to raise funds to fuel operations in China. Because of this, awareness and proactive measures are crucial to mitigating the risks posed by these phishing activities.

Fortinet Protections

The suspicious domains used in the campaign described in this report are detected and blocked by FortiGuard URL Filtering Service, utilized by FortiGate, FortiClient, and FortiMail, as:

WebFilter:Phishing

WebFilter:Spam URLs

FortiGuard IP Reputation and Anti-Botnet Security Service proactively block these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.

Fortinet has multiple solutions designed to help train users to understand and detect phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

In addition to these protections, we suggest that organizations have their end users undergo our FREE NSE trainingNSE 1 – Information Security Awareness. It includes a module on Internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks.

If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.

IOCs

Sender Email Address

italenbabusik@hotmail[.]com
jessica467@qlq-online[.]de
marrotte436915@gmail[.]com
orozcoharryavw@hotmail[.]com
chermonahscales2980545@gmail[.]com

Domain Names

indiapost[.]xyz

indiapost[.]online

indiapost[.]live

indiapost[.]biz

indiapost[.]club

indiapost[.]pics

indiapost[.]homes

indiapost[.]click

indiapost[.]vip

indiapost[.]buzz

indiapost[.]sbs

indiapost[.]skin

indiapost[.]world

indiapost[.]cfd

indiapost[.]cyou

indiapost[.]rest

indiapost[.]site

indiapost[.]mom

indiapost[.]lat

indiapost[.]lol

indiapost[.]digital

indiapostal[.]com

indiapostdaily[.]com

indiapostin[.]com

indiaposte[.]com

indiapostgdsonline[.]in

indiapostcode[.]online

indiapostalgds[.]com

indiapostofficejob[.]org

indiapostal[.]xyz

indiapostrecruitment2021[.]xyz

indiapostpayment[.]in

indiapostfast[.]com

indiapost-in[.]xyz

indiapostin[.]top

indiapostusa[.]xyz

indiapostn[.]top

indiapostgovv[.]top

indiapostt[.]top

indiapostgov[.]info

indiapostgdsonline[.]ink

indiaposte[.]top

indiaposthuman[.]com

indiaposti[.]icu

indiapostgov[.]org

indiapostalcode[.]org

indiapostpogo[.]top

indiapostgk[.]sbs

indiapostij[.]top

indiapostscv[.]top

indiaposthy[.]top

indiapostpv[.]top

indiapostjx[.]top

indiapostco[.]top

indiapostcw[.]top

indiapostkp[.]sbs

indiapostkp[.]buzz

indiapostbov[.]top

indiapostnov[.]buzz

indiapostgk[.]buzz

indiapostscv[.]buzz

indiapostsfv[.]buzz

indiapostscv[.]sbs

indiapostsfv[.]top

indiapostfb[.]top

indiapostwb[.]top

indiapostxh[.]top

indiapostyt[.]top

indiapostgk[.]lol

indiapostgv[.]lol

indiapostbov[.]sbs

indiapostnov[.]sbs

indiapostkp[.]top

indiapostlf[.]top

indiapostbs[.]top

indiapostbw[.]top

indiapostcu[.]top

indiapostem[.]top

indiapostgl[.]top

indiaposthk[.]top

indiapostjd[.]top

indiapostkg[.]top

indiapostmc[.]top

indiapostmr[.]top

indiapostnj[.]top

indiapostnn[.]top

indiapostsc[.]top

indiapostsy[.]top

indiapostwy[.]top

indiapostxf[.]top

indiapostsx[.]buzz

indiapostdgx[.]buzz

indiapostsdu[.]buzz

indiapostdes[.]buzz

indiapostsx[.]icu

indiapostdu[.]icu

indiapostsdu[.]top

indiapostcg[.]buzz

indiapostgc[.]buzz

indiapostnews[.]buzz

indiaposttc[.]buzz

indiapostdgx[.]lat

indiapostvg[.]buzz

indiapostcg[.]life

indiapostvg[.]sbs

indiapostbs[.]sbs

indiapostvg[.]xyz

indiapostjsx[.]xyz

indiapostdm[.]buzz

indiapostbm[.]buzz

indiapostjsx[.]buzz

indiapostdgx[.]cfd

indiapostsx[.]cfd

indiapostgx[.]cfd

indiapostdgx[.]sbs

indiapostdm[.]sbs

indiapostjsx[.]sbs

indiapostsx[.]sbs

indiapostbm[.]top

indiapostsx[.]xyz

indiapostbm[.]xyz

indiapostdgx[.]xyz

indiapostdm[.]xyz

indiapostlv[.]top

indiapostmk[.]top

indiapostil[.]top

indiapostdgx[.]top

indiapostkr[.]top

indiapostlt[.]top

indiapostgx[.]lat

indiapostigu[.]xyz

indiapostgx[.]world

indiapostok[.]top

indiapostrc[.]top

indiapostah[.]top

indiapostfw[.]top

indiapostwl[.]top

indiapostwm[.]top

indiapostci[.]top

indiapostdq[.]top

indiapostjp[.]top

indiapostmj[.]top

indiapostnx[.]top

indiapostos[.]top

indiapostpy[.]top

indiapostqr[.]top

indiapostrq[.]top

indiapostub[.]top

indiapostwg[.]top

indiapostyb[.]top

indiapostyw[.]top

indiapostzc[.]top

indiapostzp[.]top

indiapostsz[.]buzz

indiapostzj[.]buzz

indiapostgz[.]cfd

indiaposteg[.]sbs

indiapostsz[.]top

indiaposteg[.]xyz

indiapostges[.]xyz

indiapostsz[.]xyz

indiapostrg[.]xyz

indiapostsge[.]xyz

indiapostzj[.]xyz

indiapostbg[.]vip

indiapostrg[.]vip

indiapostfd[.]vip

indiaposthk[.]vip

indiapostiw[.]vip

indiapostfv[.]vip

indiapostnz[.]vip

indiapostfw[.]vip

indiapostfj[.]vip

indiapostux[.]vip

indiapostox[.]vip

indiapostdx[.]vip

indiapostwe[.]vip

indiapostwp[.]vip

indiapostdt[.]vip

indiapostpm[.]vip

indiapostkx[.]vip

indiapostpo[.]vip

indiapostmr[.]vip

indiapostym[.]vip

indiapostmu[.]vip

indiapostbl[.]vip

indiapostjl[.]vip

indiapostei[.]vip

indiapostul[.]vip

indiapostax[.]vip

indiapostny[.]vip

indiapostxt[.]vip

indiapostik[.]vip

indiapostir[.]vip

indiapostns[.]vip

indiapostqb[.]vip

indiapost-update[.]com

indiapostqq[.]vip

indiapostdo[.]vip

indiapostes[.]vip

indiapostcp[.]vip

indiapostfs[.]vip

indiapost-updatemypost[.]com

indiapost-trackmypost[.]com

indiapostub[.]vip

indiapostag[.]vip

indiapostam[.]vip

indiapostej[.]vip

indiapostgt[.]vip

indiapostgw[.]vip

indiaposthn[.]vip

indiapostlg[.]vip

indiapostvb[.]vip

indiapostxz[.]vip

indiapostjo[.]vip

indiapostne[.]vip

indiapostps[.]vip

indiapostby[.]vip

indiapostoc[.]vip

indiaposthd[.]vip

indiapostxr[.]vip

indiapostqw[.]vip

indiapostmt[.]vip

indiapostaz[.]vip

indiapostvx[.]vip

indiapostwq[.]vip

indiapostuf[.]vip

indiapostgi[.]vip

indiapostjq[.]vip

indiapostph[.]vip

indiapostmz[.]vip

indiapostdv[.]vip

indiapostoi[.]vip

indiapostrc[.]vip

indiaposttg[.]vip

indiapostbz[.]vip

indiapostnt[.]vip

indiapostek[.]vip

indiapostld[.]vip

indiaposttx[.]vip

indiapostzv[.]vip

indiapostjk[.]vip

indiapostagov[.]icu

indiapostusa[.]cfd

indiapostwc[.]vip

indiapostht[.]vip

indiapostxf[.]vip

indiapostib[.]vip

indiapostgu[.]vip

indiapostpq[.]vip

indiaposteo[.]vip

indiapostap[.]vip

indiapostdf[.]vip

indiapostjx[.]vip

indiapostky[.]vip

indiapostlj[.]vip

indiapostmn[.]vip

indiapostnr[.]vip

indiapostqr[.]vip

indiapostvg[.]vip

indiapostzc[.]vip

indiapost-trackpost[.]com

indiapost-updatemyparcel[.]com

indiapostusa[.]buzz

indiapost-checkmypost[.]com

indiapost-checkmymail[.]com

indiaposte[.]buzz

indiaposte[.]icu

indiapostusa[.]icu

indiapostlw[.]sbs

indiapostgui[.]sbs

indiapostigu[.]sbs

indiapostgui[.]xyz

indiapostdw[.]xyz

indiaposte[.]xyz

indiapostlw[.]xyz

indiapostzd[.]vip

indiaposteg[.]vip

indiapostbv[.]vip

indiapostur[.]vip

indiapostiv[.]vip

indiapostdd[.]vip

indiapostqh[.]vip

indiapostwg[.]vip

indiapostsil[.]cyou

indiapostru[.]vip

indiapostbm[.]vip

indiapostwh[.]vip

indiapostmk[.]vip

indiapostol[.]vip

indiapostqs[.]vip

indiapostlt[.]vip

indiapostdw[.]top

indiapostlw[.]top

indiapostfr[.]vip

indiapostbe[.]vip

indiapostbs[.]vip

indiapostcs[.]vip

indiapostfn[.]vip

indiapostfy[.]vip

indiapostjd[.]vip

indiapostjf[.]vip

indiapostkm[.]vip

indiapostkq[.]vip

indiaposton[.]vip

indiapostpj[.]vip

indiapostpy[.]vip

indiapostse[.]vip

indiapostsq[.]vip

indiapostss[.]vip

indiapostvd[.]vip

indiapostvy[.]vip

indiapostxw[.]vip

indiapostyr[.]vip

indiapostsp[.]vip

indiapostha[.]vip

indiapostog[.]vip

indiapostqf[.]vip

indiapostut[.]vip

indiapostwk[.]vip

indiapostin[.]sbs

indiapostin[.]xyz

indiapostin[.]live

indiapostsa[.]buzz

indiaposta[.]buzz

indiapostdw[.]buzz

indiapostgv[.]buzz

indiapostoffice[.]buzz

indiaposts[.]buzz

indiapostzh[.]buzz

indiaposta[.]mom

indiaposts[.]mom

indiapostsa[.]mom

indiapostzh[.]sbs

indiaposta[.]xyz

indiapostgv[.]xyz

indiapostks[.]buzz

indiapostgov[.]xyz

indiapostgo[.]buzz

indiapostgo[.]life

indiapostgo[.]mom

indiapostgds[.]org

indiapostgo[.]xyz

indiapostsge[.]cfd

indiapostgv[.]cfd

indiapostcp[.]buzz

indiapostblog[.]buzz

indiapostges[.]buzz

indiapostsge[.]buzz

indiapostsv[.]buzz

indiapostoffice[.]hair

indiapost-gov[.]life

indiapostoffice[.]life

indiapostgv[.]sbs

indiaposty[.]xyz

indiapostgy[.]vip

indiapost-vip-in[.]buzz

indiapostggs[.]cfd

indiapostbs[.]cfd

indiapostcp[.]sbs

indiapostggs[.]sbs

indiapost-i[.]com

indiapostyxw[.]buzz

indiapostgov[.]top

indiaposti[.]com

indiapost-gov[.]com

indiapost-tel[.]com

indiapost-in[.]com

indiapost-gov[.]icu

indiapost-in[.]net

indiapost-postain[.]top

indiapostiu[.]vip

indiapost-indi[.]top

indiaposttel[.]com

indiapost1[.]com

indiapost-i[.]net

indiaposty[.]sbs

indiapost-i[.]top

indiapostoffice[.]top

indiapost-ind[.]top

indiapostaq[.]vip

indiapostew[.]vip

indiapostgf[.]vip

indiapostlk[.]vip

indiapostaw[.]vip

indiapostds[.]vip

indiaposter[.]vip

indiapostjh[.]vip

indiapostmf[.]vip

indiapostnm[.]vip

indiapostoj[.]vip

indiapostop[.]vip

indiapostqv[.]vip

indiapostrl[.]vip

indiaposttn[.]vip

indiapostty[.]vip

indiapostui[.]vip

indiapostxc[.]vip

indiapostxp[.]vip

indiapostkz[.]vip

indiapostq[.]xyz

indiapostw[.]xyz

indiaposta-in[.]top

indiapost-gov-a[.]buzz

indiapost-gov-in[.]buzz

indiaposte[.]sbs

indiapost-posta[.]top

indiapostoffices[.]top

indiapostgm[.]vip

indiapostmh[.]vip

indiapostbx[.]vip

indiapostcb[.]vip

indiapostjt[.]vip

indiapostks[.]vip

indiapostnh[.]vip

indiapostnw[.]vip

indiapostpt[.]vip

indiapostrf[.]vip

indiaposttj[.]vip

indiapostwv[.]vip

indiapostyx[.]vip

indiapostyz[.]vip

indiapostgx[.]vip

indiapostpd[.]vip

indiapostsl[.]vip

indiapostvu[.]vip

indiapostzy[.]vip

indiapostvt[.]vip

indiapostim[.]vip

indiapostxn[.]vip

indiapostqi[.]vip

indiapostbj[.]vip

indiapostyt[.]vip

indiapostdk[.]vip

indiapostnews[.]top

indiapost-al[.]com

indiaposty[.]cfd

indiapostid[.]vip

indiapost-ia[.]top

indiapostk[.]com

indiapost-gov-i[.]com

indiapost-l[.]com

indiapost-p[.]com

indiaposta[.]com

indiaposth[.]com

indiapostl[.]com

indiapostt[.]com

indiapostos[.]com

indiapostall[.]com

indiapost-l[.]net

indiapostgroup[.]net

indiapostos[.]net

indiapostkl[.]vip

indiapostoffice[.]one

indiapostpi[.]vip

indiapostqo[.]vip

indiapostyl[.]vip

indiapostto[.]vip

indiapostwf[.]vip

indiapostnc[.]vip

indiapostvm[.]vip

indiaposttb[.]vip

indiapostal[.]top

indiapostao[.]vip

indiapostit[.]vip

indiapostec[.]vip

indiapostsf[.]vip

indiapostzu[.]vip

indiapostic[.]vip

indiapostix[.]vip

indiapostil[.]vip

indiapost-telgov[.]com

indiapostos-in[.]com

indiapost-h[.]com

indiand[.]xyz/track/

dsfdg[.]sbs/i/

indiapostsi[.]top/IN/

indiapostin[.]com/in/

indiapost-id[.]top/BRblTi/

indiapost-i[.]net/in/

indiaapost[.]cyou/track/

indiaptgov[.]top/in/

indaai[.]live/track/

indiapost-al[.]com/in/


文章来源: https://feeds.fortinet.com/~/901765292/0/fortinet/blog/threat-research~Phishing-Campaign-Targeting-Mobile-Users-in-India-Using-India-Post-Lures
如有侵权请联系:admin#unsafe.sh