A joint effort between a company’s pentesting team and the Kerala Police Cyber unit uncovered a sophisticated scam targeting the State Bank of India (SBI), one of the largest banks in India with over half a billion customers worldwide. The scam, which relied on social engineering, involved sending SMS or WhatsApp messages alerting recipients to a security issue with their account and prompting them to download a fake Android app (an .apk file) masquerading as an SBI-related application.
The fake app, disguised under SBI’s YONO brand, operated surreptitiously on users’ devices, collecting sensitive information such as account numbers, card details, and passwords. The fraudulent app then spoofed SBI’s login page to deceive victims into inputting their credentials, which were promptly forwarded to the attackers. Subsequently, when the bank sent a second authentication factor via SMS to verify transactions, the malicious app intercepted the SMS and redirected it to a phone number controlled by the attackers. Armed with the stolen credentials and the second factor, the attackers gained unauthorized access to victims’ accounts, enabling them to siphon funds undetected.
The investigation discovered a well-organized operation with over 100 sub-domains tailored to different victims and a rotating array of unique phone numbers to facilitate the scam. The industrial-scale fraud scheme targeted at least 100 new victims weekly, highlighting the pervasive threat posed by such sophisticated cybercriminal activities. Despite ongoing investigations, the full extent of the scam’s impact remains unknown; it may extend to tens of thousands of individuals.
The incident underscores two key vulnerabilities in the security landscape. Firstly, the ease of sideloading .apk files on Android devices, despite existing safeguards, exposes users to the risk of malicious app installations. In contrast, the stringent controls on iOS devices make it significantly more challenging to install unauthorized apps, enhancing the platform’s security profile. Secondly, the reliance on SMS for second-factor authentication raises concerns regarding its susceptibility to exploitation, since a malicious app on the same device can read the code before the user does, a risk that matters most for financial institutions and apps handling sensitive data. While some banks, like HSBC, are transitioning to more secure authentication methods, the prevalence of SMS-based verification remains a pressing issue in the financial sector.
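The two weaknesses above (a sideloaded app and an SMS code that any app with the right permissions can read) leave a recognisable fingerprint in an app's manifest. The following is an added example, not code from the original article or from the investigation it describes: a small triage script that parses a decoded AndroidManifest.xml and flags the permission pattern a defender would expect from an SMS-stealing banking app, namely SMS read/receive permission, a high-priority SMS_RECEIVED receiver, an overlay permission for fake login screens, and network access to forward what it collects. Both manifests are constructed for illustration (the package names and component names are hypothetical), and it assumes the manifest has already been decoded from the APK's binary XML (for instance with apktool), since this parses plain text.

```python
"""Static triage of a decoded Android manifest for the permission pattern used
by SMS-intercepting banking malware.  Added example; not the article's code."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMS = ("android.permission.RECEIVE_SMS", "android.permission.READ_SMS")
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
INTERNET_PERM = "android.permission.INTERNET"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest resembling the behaviour described in the article
# (hypothetical package and class names; not a real sample).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Bank Security Update">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest for comparison: network access only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""


def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Return the package name and a list of human-readable findings.

    These are heuristics, not a verdict: a legitimate SMS client also
    receives SMS_RECEIVED, so the combination of findings is what matters.
    """
    root = ET.fromstring(xml_text)
    perms = {_attr(e, "name") for e in root.iter("uses-permission")}
    findings = []

    # 1. Permission to read incoming SMS, which is how an OTP is captured.
    sms_perms = sorted(p for p in SMS_PERMS if p in perms)
    if sms_perms:
        findings.append("sms-access: requests " + ", ".join(sms_perms))

    # 2. A broadcast receiver for SMS_RECEIVED; a high priority lets the app
    #    see the message before the default SMS app does.
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {_attr(a, "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                priority = _attr(flt, "priority") or "0"
                findings.append(
                    "sms-receiver: %s listens for SMS_RECEIVED with priority %s"
                    % (_attr(receiver, "name"), priority))

    # 3. Overlay permission, commonly used to draw a fake login screen.
    if OVERLAY_PERM in perms:
        findings.append(
            "overlay: requests SYSTEM_ALERT_WINDOW (can draw fake login screens)")

    # 4. SMS access plus network access gives the stolen code somewhere to go.
    if sms_perms and INTERNET_PERM in perms:
        findings.append("exfiltration-path: SMS access combined with INTERNET")

    return {"package": root.get("package"), "findings": findings}


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        report = triage_manifest(manifest)
        print(label, report["package"])
        for finding in report["findings"] or ["no findings"]:
            print("  -", finding)
```

Run against the constructed samples, the fake banking manifest produces four findings and the notes app none. In practice the same check is worth running on any app a user was told to install from a link rather than from the store, because SMS permission in an app that is not the device's SMS client is exactly the capability that turned an SMS one-time code into a stolen second factor in the case above.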
In response to evolving cybersecurity threats, the concept of “zero trust” has gained traction in enterprise environments, emphasizing continuous verification and access controls. Additionally, major tech companies are introducing innovative authentication solutions, such as passkeys, to enhance security and combat password fatigue. The call for financial institutions to prioritize cutting-edge authentication mechanisms and phase out outdated practices highlights the urgency of safeguarding consumer assets from large-scale theft and fraud.
In conclusion, the collaborative effort between businesses and law enforcement agencies in uncovering and addressing sophisticated cyber threats is essential in safeguarding financial institutions and consumer data. By embracing modern authentication technologies and adopting a proactive security posture, organizations can mitigate risks and protect against increasingly complex cyber threats targeting the digital ecosystem.