Executive Summary

Security researchers at Trend Micro have identified an ongoing and large-scale attack targeting the customers of seven major banks in India. The campaign is notable for its coordinated nature, employing five different families of banking malware. The primary goal of the attackers is to harvest sensitive financial information, including online banking credentials and credit card data. The attacks are initiated through phishing campaigns that lure unsuspecting victims to fraudulent websites. This operation signifies a substantial and active threat to the Indian financial ecosystem and its customers.

Threat Overview

• Target: Customers of seven major, but unnamed, banks in India.
• Objective: Theft of financial data, including banking credentials and credit card information.
• Methodology: The campaign relies on classic phishing techniques.
  1. Distribution: Victims receive messages (likely via email or SMS) containing malicious links.
  2. Redirection: Clicking the link redirects the user to a fraudulent website controlled by the attackers.
  3. Credential Harvesting: These websites are designed to look like legitimate bank login pages, tricking users into entering their usernames, passwords, and other sensitive information like credit card numbers, CVVs, and expiration dates.
• Malware: The campaign utilizes five distinct families of banking malware. While not named, these are likely designed to perform tasks such as keylogging, screen scraping, and intercepting one-time passwords (OTPs).

Technical Analysis

This campaign, while not technically novel, is dangerous due to its scale and coordination.

• Multi-Malware Approach: The use of five different malware families suggests either a single, well-resourced threat actor or a coalition of actors sharing infrastructure. This diversity can help them evade signature-based antivirus detection and target different types of devices or user profiles.
• Phishing Kits: The attackers are likely using sophisticated phishing kits that make it easy to replicate convincing fake bank websites. These kits often include logic to validate data formats (e.g., credit card number length) to increase the quality of stolen data.

MITRE ATT&CK Mapping

Impact Assessment

• Financial Loss for Customers: Victims are at high risk of having their bank accounts drained or their credit cards used for fraudulent purchases.
• Identity Theft: The stolen personal credentials can be used for broader identity theft.
• Erosion of Trust: Large-scale campaigns like this can erode customer trust in digital banking services, impacting the broader economy.
• Cost to Banks: The affected banks will incur costs related to fraud reimbursement, customer support, and enhanced security measures.

Detection & Response

• Brand Monitoring: Banks should actively monitor for fraudulent domains and fake social media profiles that are impersonating their brand.
• Web Filtering: Users and corporations should use web filtering tools that block access to known phishing sites.
• Transaction Monitoring: Banks' fraud detection systems should monitor for anomalous transaction patterns that could indicate a compromised account.

Mitigation

• User Education: This is the most critical defense. Users must be educated to be suspicious of unsolicited messages, to never click on links from unknown senders, and to always verify the URL of a website before entering credentials. They should be taught to navigate to their bank's website directly.
• Multi-Factor Authentication (MFA): While some banking malware can intercept SMS-based OTPs, MFA remains a crucial layer of defense that can thwart simple credential theft.
• Email and SMS Filtering: Implement robust filtering at the carrier and email gateway level to block phishing messages before they reach the user.