Scammers Getting Smarter! F.T. YONO SBI Phishing Scam

Indranil
5 min read · Mar 4, 2024


This is my story of how I dodged a YONO SBI bank phishing/smishing scam.

This isn’t my first encounter with a phishing scam, but it’s been a while since I’ve received such messages. Today, however, I received one that particularly caught my attention. It’s both alarming and intriguing, prompting me to share my experience.

The story

It was a typical sunny afternoon, and I was going about my usual activities when a text message flashed on my phone, seemingly from a local number. Assuming it might be a friend trying to reach me, I promptly opened the message. To my surprise, it was about reward points totaling Rs. 7854 (which is too good to be true for me) set to expire soon in YONO. Here’s how the message appeared:

Now, this text message raises serious suspicions. Not only does it contain numerous grammatical errors, but it also never mentions the SBI account number associated with the expiring reward points. Additionally, it originates from a local mobile number, whereas SBI sends its messages from a registered, company-assigned sender ID. Interesting, isn’t it? But the real fun lies within the URL provided in the message: https://bitly.ws/3e5Cd. Let’s see what we have there in the URL…

The Investigation

To dig deeper into the deal, I began by copying the URL and opening it in an isolated virtual machine. Here’s what I discovered. It’s a seemingly legitimate YONO SBI page, poised to capture victims’ credentials.

Things to note:

  1. The redirected URL (https://tfw-8hbt67y.pages.dev/s1) appears to bear no relation to SBI whatsoever, confirming its status as a fake website.
  2. Furthermore, the webpage title, “wellcome online,” contains a spelling error that a genuine bank page would not have.

Now that it appears highly suspicious, why not run it through a URL scanner?

And here it is: this is actually a malicious website that has been flagged for suspicious activity targeting State Bank of India. So now it’s clear that the website is both malicious and fake.

Let’s also run it through VirusTotal.

It has been flagged for phishing and malicious activity on VirusTotal as well, confirming our suspicions further.

Time for some excitement

Okay, let’s have some fun. How about we input some fake details into the website and observe its response?

After entering the fake credentials, it lands on the second page, where a fake “verifying” GIF plays for a few seconds. It appears to be verifying the data but is actually doing nothing, and then it redirects to the next page…

On the third page, it asks for an imaginary OTP. You can enter any OTP of your choice; it doesn’t need to be valid, because nothing is actually checked.

The fourth page is for verifying the customer’s name and date of birth again.

Again the same OTP drama on the fifth page…

So-called “verifying” indeed…

Look, it says we’ve entered a so-called ‘invalid’ input… OMG.

Even after entering an imaginary OTP, it still redirects to the eighth page to gather the PAN details… So awesome, isn’t it?

Again the same invalid OTP drama for the next two pages (9, 10)…

Time to give away our Aadhaar details 🥹…

Again the same repetitive invalid OTP drama 🤦‍♂️

The thirteenth page is the end of all. Everything comes to an end on this final page 🥹

The attacker is now satisfied with all the personal credentials he collected throughout this drama 🤣…

Lessons learned

  1. Stay Vigilant: Always be cautious of unexpected messages or emails, especially those requesting personal information or urging immediate action.
  2. Verify URLs: Before clicking on any links, verify the authenticity of the URL by checking for spelling errors or unusual domain names. Use URL scanners and security tools to assess the legitimacy of websites.
  3. Grammatical Errors: Pay attention to grammatical errors or inconsistencies in messages and web pages. Legitimate organizations usually maintain a high standard of communication.
  4. Suspicious Behavior: Be wary of websites or pages that exhibit suspicious behavior, such as asking for sensitive information without proper verification processes.
  5. Use Security Tools: Utilize security tools such as URL scanners, antivirus software, and phishing detectors to protect against online threats.
  6. Report Suspicious Activity: Report phishing attempts, suspicious websites, or fraudulent activity to the relevant authorities or organizations to help prevent others from falling victim to scams.
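To turn the indicators from the investigation (local mobile sender, urgency, a money amount as the lure, no masked account number, a link shortener hiding a landing domain that has nothing to do with the bank) into a repeatable check, here is a small smishing triage script. It is an added example written for this post, not the author’s code or anything from the scam site. The SMS text and the sender number are constructed approximations of the message described above; the landing URL is the one the post reports; and the list of legitimate bank domains is an assumption for illustration that should be confirmed against the bank’s own published domains.

```python
"""Smishing triage helper (added example, not the author's code).

Scores an SMS and the page its link lands on against the indicators
discussed in the post: plain mobile sender, urgency wording, money lure,
no masked account reference, link shortener, and a landing host that is
not a known bank domain.
"""
import re
from urllib.parse import urlparse

# Constructed sample: approximates the lure described in the post, not the actual text.
SAMPLE_SENDER = "+919876543210"          # constructed local mobile number
SAMPLE_SMS = ("Dear customer your YONO SBI reward points Rs. 7854 will expire today. "
              "Redeem now https://bitly.ws/3e5Cd")
# Final URL the short link redirected to, as reported in the post.
SAMPLE_LANDING_URL = "https://tfw-8hbt67y.pages.dev/s1"

# ASSUMPTION: legitimate bank domains for illustration; verify against the bank's site.
BANK_DOMAINS = {"sbi.co.in", "onlinesbi.sbi", "yonobusiness.sbi"}
# Common link shorteners: a shortener hides the real destination from the reader.
SHORTENER_DOMAINS = {"bitly.ws", "bit.ly", "tinyurl.com", "t.co", "cutt.ly", "is.gd"}

URL_RE = re.compile(r"https?://\S+")
URGENCY_RE = re.compile(r"\b(expir\w*|today|immediately|urgent|now|blocked|suspend\w*)\b", re.I)
AMOUNT_RE = re.compile(r"(?:Rs\.?|INR|₹)\s?\d")
# Genuine bank SMS usually reference a masked account, e.g. "a/c XX1234".
MASKED_ACCOUNT_RE = re.compile(r"\bX{2,}\d{3,}\b", re.I)
# A bare mobile number (optionally with +91) rather than an alphanumeric sender ID.
PERSONAL_NUMBER_RE = re.compile(r"^\+?(91)?\d{10}$")


def hostname(url):
    """Lower-cased host part of a URL ('' if the URL has none)."""
    return (urlparse(url).hostname or "").lower()


def is_bank_domain(host):
    """True if host is one of the bank domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in BANK_DOMAINS)


def check_landing_url(url):
    """Indicators for the page a link (or its final redirect) lands on."""
    host = hostname(url)
    indicators = []
    if not is_bank_domain(host):
        indicators.append(f"landing host {host!r} is not a known bank domain")
    if host in SHORTENER_DOMAINS:
        indicators.append("link is a shortener; destination hidden")
    return indicators


def triage_sms(sender, text):
    """Return (score, indicators) for an SMS; a higher score is more suspicious."""
    indicators = []
    if PERSONAL_NUMBER_RE.match(sender.replace(" ", "")):
        indicators.append("sender is a plain mobile number, not a registered sender ID")
    if URGENCY_RE.search(text):
        indicators.append("urgency wording")
    if AMOUNT_RE.search(text):
        indicators.append("money amount used as a lure")
    if not MASKED_ACCOUNT_RE.search(text):
        indicators.append("no masked account number referenced")
    for url in URL_RE.findall(text):
        indicators.extend(check_landing_url(url.rstrip(".,)")))
    return len(indicators), indicators


if __name__ == "__main__":
    score, found = triage_sms(SAMPLE_SENDER, SAMPLE_SMS)
    print(f"SMS score {score}:")
    for item in found:
        print("  -", item)
    print("Landing page:", check_landing_url(SAMPLE_LANDING_URL))
```

The script deliberately works on the final landing URL rather than resolving the short link itself: expanding an unknown link is something to do in an isolated machine, as the post describes, not from a triage script on your phone. A genuine transactional message (registered sender ID, masked account, no link) scores low under these rules, while the constructed lure trips every indicator.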

I hope you found this blog helpful. Thank you for reading. Let’s combat phishing by spreading awareness. Together, we can empower others to recognize and avoid these scams.

Stay tuned for the next part of the blog, where we’ll explore reporting and taking down this phishing website.

Thanks for your support :)

