Category: Adversary Intelligence	Industry: Government	Motivation: Financial	Region: India	Source*: A1

Executive Summary

THREAT	IMPACT	MITIGATION
Social engineering campaign impersonating electricity officials to notify customers about pending bills. Victims are persuaded to disclose sensitive information and download third-party applications.	PII can be exploited to conduct banking frauds and other social engineering attacks. Third-party apps can be used to gain access to the victim’s device and alter details.	Send awareness notifications to customers informing them about the official messages and helpline numbers. Harden the payment portal for the customers to pay the dues.

Analysis and Attribution

Information from the Post

• CloudSEK’s AI powered Digital Risk Protection (DRP) Platform discovered a social engineering campaign launched by threat actors impersonating the official employees of KSEB (Kerala State Electricity Board).
• The campaign was carried out via text messages which requested the customers to connect with a particular number for assistance with their electricity bill payment.
• Upon contacting the given number, victims were instructed to download applications for quick support or to click on URL links, which later compromised the victim's device and banking applications.
• Victims of this campaign suffered significant financial losses totaling more than INR 10 lakhs.

Messages sent to the customers

Information from OSINT

• The following three numbers were highlighted in messages sent by the threat actor to customers via WhatsApp and SMS.
  • 7365038099
  • 8388924157
  • 7908919532
• Using the database of a smartphone application, the following details about the connected numbers were uncovered:
  • All three numbers had the same geolocation, i.e West Bengal, India. This hints at the possible geolocation of the scammers.
  • The mobile number “8388924157” was associated with an ongoing criminal case in Patna Sadar, Bihar. The next hearing of this case is scheduled for November.

[caption id="attachment_20428" align="aligncenter" width="615"] Ongoing case filed against 8388924157[/caption]  

• • The mobile number "7365038099" was seen in a conversation between the affected victims, divulging the TTPs used by the actors and mentioning the scam which resulted in gaining access to WhatsApp (yet to be verified).

[caption id="attachment_20429" align="aligncenter" width="690"] Conversation between affected customers[/caption]  

• • According to data from a payment gateway and an application, the following two names were found associated with the number "7365038099":
    • Sanif Aktar
    • Vijay Vijay Shrma
  • One of the numbers associated with this fake campaign was also found to be associated with the campaign against PAYTM.

Techniques, Tactics, and Procedures (TTPs)

• The threat actors are targeting customers of KSEB via text messages and WhatsApp.
• The message templates are designed in a way to create a sense of panic. They carry clauses warning that if the pending bills are not paid by 9:30 p.m., there will be a power outage.
• The messages also mention a number to contact the officials from the electricity board for further assistance.
• The scammers are experienced enough to convince the victims to divulge sensitive details like OTP credentials.
• Once the OTP/credentials are shared, it leads to a loss of funds from the victim’s account.
• After successfully stealing the victim’s money, the scammers continue to communicate with them and further convince them to download third-party applications, leading to complete access to the victim’s device.
• This access is later used to completely take over the device and alter the details as required.
• According to the information gathered from the case filed, it can be concluded that the scammers are experienced in executing social engineering campaigns against various entities.
• The scammers have the technical knowledge required to work with applications like RemoDroid, QuickSupport Application, AnyDesk, and other remote control applications.

Impact & Mitigation

Impact	Mitigation
Financial loss to the victims. PII can be exploited to conduct banking frauds and other social engineering attacks. Third-party apps can be used to gain access to the victim’s device and alter details. Actors were luring the victims to divulge the OTP in order to gain access to WhatsApp.	Awareness notification to be sent out to customers about the official messages and helpline numbers. Harden the payment portal for the customers to pay the dues. Monitor cybercrime forums to understand the tactics used by actors.

References

• *Intelligence source and information reliability - Wikipedia
• ^#Traffic Light Protocol - Wikipedia
• https://services.ecourts.gov.in/ecourtindia_v4_bilingual/cases/case_no.php?state=D&state_cd=8&dist_cd=1#
• https://districts.ecourts.gov.in/sites/default/files/E-filing_05-11-2020.pdf
• https://english.mathrubhumi.com/news/kerala/kseb-1.6382303
• https://www.thehindu.com/news/national/kerala/kseb-warns-against-online-scams/article37998551.ece
• https://english.mathrubhumi.com/news/kerala/kseb-1.6382303
• Zoho Form Service Leveraged to Exfiltrate Sensitive PII from Banking Customers

Appendix

Geolocation Information of the three contact numbers [caption id="attachment_20433" align="alignnone" width="785"] Details of the case against 8388924157[/caption]   [caption id="attachment_20434" align="alignnone" width="876"] Details of the case against 8388924157[/caption]     [caption id="attachment_20437" align="aligncenter" width="717"] The number associated with PAYTM fake campaign[/caption]   [caption id="attachment_20438" align="aligncenter" width="948"] Report on financial loss suffered by the victims of the campaign[/caption]   [caption id="attachment_20440" align="alignnone" width="645"] Google Play reviews about the remote control Quick Support applications used by the scammers[/caption]