🚀 لقد رفعت CloudSek جولة B1 من السلسلة B1 بقيمة 19 مليون دولار - تعزيز مستقبل الأمن السيبراني التنبؤي
Adversary Intelligence
9
mins read

Cybersecurity Threat Advisory: Recent Attacks Targeting Indian BFSI Sector

This advisory highlights recent attacks on Indian banks, focusing on two primary attack vectors: geopolitical tensions and credential stealers/social media account takeovers.

Abhishek Mathew
June 26, 2024
Green Alert
Last Update posted on
July 16, 2025
Proactive Monitoring of the Dark Web for your organization.

Proactively monitor and defend your organization against threats from the dark web with CloudSEK XVigil.

Schedule a Demo
Table of Contents
Author(s)
Coauthors image
Anirudh Batra
Coauthors image
Anshuman Das
Coauthors image
Naren Thota

Category: Adversary Intelligence

Industry: BFSI

Motivation:Financial

Region: India

Source*

B - Usually Reliable 

2 - Possibly true

Executive Summary

This is an ongoing report and we will keep on updating as we have more information

This advisory highlights recent attacks on Indian banks, focusing on two primary attack vectors: geopolitical tensions and credential stealers/social media account takeovers.

In the last year we have observed that hacktivist groups have the following techniques that they generally use:

  1. DDOS attacks - They use free tools and scripts sourced from github to attack their targets
  2. Breached Credentials - Hacktvist groups have realized that freely available credentials give them much more visibility. We have observed that groups have utilized customer credentials as well to garner attention
  3. .git/.svn/.env - Some threat actors have started scanning for these aforementioned endpoints to get environment variables or code repository which has been shipped to prod environment by mistake

Geopolitical Attacks

The ongoing Israel-Palestine conflict has fueled the activities of hacktivist groups, who have targeted Indian banks due to perceived political stances. The attacks have primarily focused on Distributed Denial of Service (DDoS) attacks aiming to disrupt online banking services and websites.

Screenshot of a poll conducted by one of the hacktivist groups 

Timeline of  Attacks on Indian Banks/Insurance firms:

  • February 21: Lulsezsec Indonesia claims to start targeting Indian banks.
  • June 6: A hacktivist group claims to have compromised a major Indian bank, however, the claim was later debunked as the target was an unrelated service.
  • June 7: The RADNET  group claims a DDoS attack against a indian  Bank

Screenshot of the attacks conducted by a hacktivist group

  • June 11: Multiple banks suffer DDoS attacks from the same RADNET hacktivist group.
  • June 21: Rippersec targets claims to target an Indian bank with a DDoS attack.
  • June 22: “Infamous” targeted an Indian headquartered Insurance firm and dumped PII data of ~150k customers
Screenshot of the forum posts made by a threat actor 

  • June 23: An Indian Wallet application/subscription management service was breached by a TA called  “billy100” ~110k customer PII details were dumped
  • June 23: Sulawesi Indonesia carries out a DDoS attack against another Indian Bank.
Screenshot of hacktivist groups targeting indian banks 
Screenshot of hacktivist groups targeting indian banks 


Screenshot of hacktivist groups targeting indian banks 

Please Note - Hacktivist groups are notorious for making claims to create chaos, at the time of writing this report most of these claims have been debunked and there was no spike noticed by the said banks/targeted banks. This happens because of the attention that they get in the pursuit of making these lofty claims.

Recommendations : 

  • DDoS Mitigation: Invest in DDoS protection services and implement effective mitigation strategies to minimize the impact of attacks. This includes:
  • Cloud-based DDoS protection: Utilize cloud-based solutions to distribute traffic and absorb attacks.
  • Traffic filtering: Implement firewalls and other security measures to filter malicious traffic and prevent it from reaching critical servers.
  • Rate limiting: Set limits on the number of requests allowed from individual IP addresses or specific locations to prevent excessive traffic.
  • Network optimization: Optimize network infrastructure for performance and resilience, ensuring quick recovery from DDoS attacks.

Credential Stealers and Social Media Takeovers

In recent weeks, there has been a rise in attacks where hackers hijack social media accounts of major Indian banks, primarily Twitter, and use them to promote cryptocurrency scams. Hackers employ various techniques to acquire these accounts, including:

Screenshot of another Indian Bank’s twitter account taken of by threat actors 

  • Credential stealers: Malicious software that steals usernames, passwords, and other sensitive data.
  • Underground forums: Online marketplaces where stolen account credentials are bought and sold.

Screenshot of a threat actor selling compromised  twitter accounts for crypto scams 

Once control is gained, the compromised accounts spread links to fraudulent crypto websites and "crypto drainers," malicious tools designed to steal cryptocurrencies from unsuspecting users. The scams often leverage the popularity of Elon Musk and other prominent figures to gain trust.

Screenshot of a underground marketplace selling twitter accounts 

Recomendations for Banks:

  • Enhanced security: Implement robust security measures to protect online banking platforms and social media accounts from DDoS attacks and credential theft. This includes multi-factor authentication (MFA), strong password policies, and regular security audits.
  • Social media security: Implement strong authentication protocols and monitor social media accounts for suspicious activity. Consider using social media management tools to prevent unauthorized access.
  • Public awareness: Educate customers about the risks of cryptocurrency scams and how to identify fake websites and malicious links.

Recommendations For Users:

  • Be cautious: Be vigilant about suspicious links and unsolicited messages, especially on social media.
  • Verify information: Always verify information before clicking on any links, especially when it comes to financial transactions or cryptocurrency investments.
  • Protect your accounts: Use strong, unique passwords for all online accounts and enable MFA where available.

Enhanced Cybersecurity Measures for Strengthening Organizational Defenses

  • Conduct comprehensive scans for viruses and malware on all information systems within the ecosystem, and ensure they are updated with the latest patches after appropriate testing.
  • Establish necessary defenses against DDoS attacks, including investing in cloud-based DDoS protection services and implementing traffic filtering measures.
  • Implement stringent access control measures to restrict and monitor access to critical systems.
  • Maintain continuous monitoring of network activities and server logs to quickly identify and address suspicious and malicious activities within the organization's network.
  • Disable vulnerable services like Remote Desktop Protocol (RDP) and Server Message Block (SMB) by default on all critical systems. Remote access to networks hosting critical payment infrastructure should also be disabled by default, with restricted access granted on a need-to-know basis and appropriate monitoring. Remote logon activities should be restricted and closely monitored for potential unauthorized access whenever allowed.

References

Author

Abhishek Mathew

Cyber threat intel researcher, I excel in OSINT, HUMINT, and social engineering

Predict Cyber threats against your organization

Schedule a Demo
Related Posts
Blog Image
Scam
October 25, 2024

Uncovering the Lounge Pass Scam Campaign: Targeted Android SMS Stealer Preying on Air Travellers

CloudSEK’s Threat Research Team uncovered a sophisticated scam targeting air travelers at Indian airports. The fraud involves a malicious Android application named Lounge Pass, distributed through fake domains like loungepass.in. This app secretly intercepts and forwards SMS messages from victims’ devices to cybercriminals, resulting in significant financial losses. The investigation revealed that between July and August 2024, over 450 travelers unknowingly installed the fraudulent app, resulting in a reported theft of more than INR 9 lakhs (approx. $11,000). The scammers exploited an exposed Firebase endpoint to store stolen SMS messages. Through domain analysis and passive DNS data, researchers identified several related domains spreading similar APKs. Key recommendations include downloading apps only from official stores, avoiding scanning random QR codes, and never granting SMS access to travel or lounge apps. Travelers should book lounge access through official channels and stay vigilant to protect their personal data. Stay updated on the latest scams and protect your travel data by following these guidelines.

Blog Image
Deep Fake Monitoing
Scam
Threat Intelligence
October 4, 2024

Deepfake Controversy: Scammers Use Deepfakes of Virat Kohli, Anant Ambani to Fraud

CloudSEK’s latest research uncovers a troubling trend involving scammers using deepfake technology to promote fraudulent mobile applications. High-profile individuals, such as Virat Kohli, Anant Ambani, and even international figures like Cristiano Ronaldo and Ryan Reynolds, have been targeted through deepfake videos. These manipulated clips showcase them endorsing a mobile gaming app, luring unsuspecting users into scams. The fraudulent ads leverage the credibility of renowned news channels to enhance their legitimacy, fooling users into downloading harmful applications from fake domains resembling Google Play or Apple App Store. This emerging threat is particularly aimed at the Indian market but extends to other regions like Nigeria, Pakistan, and Southeast Asia. The deceptive gaming apps, designed to siphon money from users, require a minimum deposit, promising quick earnings but leading to significant financial losses. These scams exploit deepfake videos in creative ways to bypass detection, making them even more dangerous. To combat this growing threat, CloudSEK’s Deep Fake Analyzer offers a free solution for the cybersecurity community, helping professionals detect and mitigate the risks posed by manipulated videos, images, and audio. This tool is crucial in safeguarding organizations from deepfake-related scams and fraud. To access the CloudSEK Deep Fake Analyzer, visit https://community.cloudsek.com/

Blog Image
Adversary Intelligence
July 22, 2024

Telegram Bots Masquerade as Digital Wallet Brands to push Referral Reward Scams to Indonesian Customers

In Indonesia, scammers are using Telegram bots to impersonate digital wallet brands, promoting fake referral reward schemes. These scams deceive users into sharing their account details, leading to significant financial losses. Discover the full details and protective measures in CloudSEK's comprehensive blog report.

انضم إلى أكثر من 10,000 مشترك

تابع آخر الأخبار حول سلالات البرامج الضارة، وأساليب التصيد الاحتيالي،
مؤشرات التسوية وتسريب البيانات.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

CloudSEK XVigil

Digital Risk Protection platform which gives Initial Attack Vector Protection for employees and customers.

Learn more about XVigil
CloudSEK SVigil

Software and Supply chain Monitoring providing Initial Attack Vector Protection for Software Supply Chain risks.

Learn more about SVigil
CloudSEK SVigil

Creates a blueprint of an organization's external attack surface including the core infrastructure and the software components.

Learn more about BeVigil Ent
CloudSEK BeVigil

Instant Security Score for any Android Mobile App on your phone. Search for any app to get an instant risk score.

Learn more about BeVigil

Cybersecurity Threat Advisory: Recent Attacks Targeting Indian BFSI Sector

This advisory highlights recent attacks on Indian banks, focusing on two primary attack vectors: geopolitical tensions and credential stealers/social media account takeovers.
June 26, 2024
9
min
Table of Content
Example H2

Category: Adversary Intelligence

Industry: BFSI

Motivation:Financial

Region: India

Source*

B - Usually Reliable 

2 - Possibly true

Executive Summary

This is an ongoing report and we will keep on updating as we have more information

This advisory highlights recent attacks on Indian banks, focusing on two primary attack vectors: geopolitical tensions and credential stealers/social media account takeovers.

In the last year we have observed that hacktivist groups have the following techniques that they generally use:

  1. DDOS attacks - They use free tools and scripts sourced from github to attack their targets
  2. Breached Credentials - Hacktvist groups have realized that freely available credentials give them much more visibility. We have observed that groups have utilized customer credentials as well to garner attention
  3. .git/.svn/.env - Some threat actors have started scanning for these aforementioned endpoints to get environment variables or code repository which has been shipped to prod environment by mistake

Geopolitical Attacks

The ongoing Israel-Palestine conflict has fueled the activities of hacktivist groups, who have targeted Indian banks due to perceived political stances. The attacks have primarily focused on Distributed Denial of Service (DDoS) attacks aiming to disrupt online banking services and websites.

Screenshot of a poll conducted by one of the hacktivist groups 

Timeline of  Attacks on Indian Banks/Insurance firms:

  • February 21: Lulsezsec Indonesia claims to start targeting Indian banks.
  • June 6: A hacktivist group claims to have compromised a major Indian bank, however, the claim was later debunked as the target was an unrelated service.
  • June 7: The RADNET  group claims a DDoS attack against a indian  Bank

Screenshot of the attacks conducted by a hacktivist group

  • June 11: Multiple banks suffer DDoS attacks from the same RADNET hacktivist group.
  • June 21: Rippersec targets claims to target an Indian bank with a DDoS attack.
  • June 22: “Infamous” targeted an Indian headquartered Insurance firm and dumped PII data of ~150k customers
Screenshot of the forum posts made by a threat actor 

  • June 23: An Indian Wallet application/subscription management service was breached by a TA called  “billy100” ~110k customer PII details were dumped
  • June 23: Sulawesi Indonesia carries out a DDoS attack against another Indian Bank.
Screenshot of hacktivist groups targeting indian banks 
Screenshot of hacktivist groups targeting indian banks 


Screenshot of hacktivist groups targeting indian banks 

Please Note - Hacktivist groups are notorious for making claims to create chaos, at the time of writing this report most of these claims have been debunked and there was no spike noticed by the said banks/targeted banks. This happens because of the attention that they get in the pursuit of making these lofty claims.

Recommendations : 

  • DDoS Mitigation: Invest in DDoS protection services and implement effective mitigation strategies to minimize the impact of attacks. This includes:
  • Cloud-based DDoS protection: Utilize cloud-based solutions to distribute traffic and absorb attacks.
  • Traffic filtering: Implement firewalls and other security measures to filter malicious traffic and prevent it from reaching critical servers.
  • Rate limiting: Set limits on the number of requests allowed from individual IP addresses or specific locations to prevent excessive traffic.
  • Network optimization: Optimize network infrastructure for performance and resilience, ensuring quick recovery from DDoS attacks.

Credential Stealers and Social Media Takeovers

In recent weeks, there has been a rise in attacks where hackers hijack social media accounts of major Indian banks, primarily Twitter, and use them to promote cryptocurrency scams. Hackers employ various techniques to acquire these accounts, including:

Screenshot of another Indian Bank’s twitter account taken of by threat actors 

  • Credential stealers: Malicious software that steals usernames, passwords, and other sensitive data.
  • Underground forums: Online marketplaces where stolen account credentials are bought and sold.

Screenshot of a threat actor selling compromised  twitter accounts for crypto scams 

Once control is gained, the compromised accounts spread links to fraudulent crypto websites and "crypto drainers," malicious tools designed to steal cryptocurrencies from unsuspecting users. The scams often leverage the popularity of Elon Musk and other prominent figures to gain trust.

Screenshot of a underground marketplace selling twitter accounts 

Recomendations for Banks:

  • Enhanced security: Implement robust security measures to protect online banking platforms and social media accounts from DDoS attacks and credential theft. This includes multi-factor authentication (MFA), strong password policies, and regular security audits.
  • Social media security: Implement strong authentication protocols and monitor social media accounts for suspicious activity. Consider using social media management tools to prevent unauthorized access.
  • Public awareness: Educate customers about the risks of cryptocurrency scams and how to identify fake websites and malicious links.

Recommendations For Users:

  • Be cautious: Be vigilant about suspicious links and unsolicited messages, especially on social media.
  • Verify information: Always verify information before clicking on any links, especially when it comes to financial transactions or cryptocurrency investments.
  • Protect your accounts: Use strong, unique passwords for all online accounts and enable MFA where available.

Enhanced Cybersecurity Measures for Strengthening Organizational Defenses

  • Conduct comprehensive scans for viruses and malware on all information systems within the ecosystem, and ensure they are updated with the latest patches after appropriate testing.
  • Establish necessary defenses against DDoS attacks, including investing in cloud-based DDoS protection services and implementing traffic filtering measures.
  • Implement stringent access control measures to restrict and monitor access to critical systems.
  • Maintain continuous monitoring of network activities and server logs to quickly identify and address suspicious and malicious activities within the organization's network.
  • Disable vulnerable services like Remote Desktop Protocol (RDP) and Server Message Block (SMB) by default on all critical systems. Remote access to networks hosting critical payment infrastructure should also be disabled by default, with restricted access granted on a need-to-know basis and appropriate monitoring. Remote logon activities should be restricted and closely monitored for potential unauthorized access whenever allowed.

References

Abhishek Mathew
Cyber threat intel researcher, I excel in OSINT, HUMINT, and social engineering

Cyber threat intel researcher, I excel in OSINT, HUMINT, and social engineering

Related Blogs

No items found.