CERT-In Responds to Income Tax SMSshing AttackPractitioners say SMSshing on the Rise as Mobile Banking Increases
Reports on incidents related to fake SMS purportedly from income tax department have surfaced forcing cyber cops as well as CERT-In to issue advisory. This comes at a time when the income tax filing season is on. The deadline to file income tax return is August 31. Knowing very well that citizens expect communication from the tax department in these months, the SMS lured people into giving out their personal details by stating that their income tax fund refund has been approved.
According to news reports, the SMS message issued to the income tax payee states, "Your income tax refund will be credited to your bank account number XXXXX. If the account number mentioned is incorrect, please visit the link to update your bank account details".
Taking cognizance of the wide reach of the phishing racket, the Computer Emergency Response Team (CERT-In) has warned people as well as has issued advisory on how to spot fake SMS. "Once a person clicks on the link mentioned in the fake SMS, he/she runs the risk of either his/her personal detail being put up on sale the dark web, or even their I-T department records altered by using their e-filing credentials," says CERT-In.
Practitioners term this as a phishing attack with most agreeing that these kind of crimes are on the rise because they are too easy to launch and far too lucrative for the attackers. (See: RSA Fraud Report: Newsjacking-Based Phishing on the Rise)
Phishing is an easy way to perpetrate an attack, says Pavan Kushwaha, founder and CEO at Kratikal Tech, a managed security services company. "From a criminal's point of view it is both tough and time consuming to break through a complex security system," Kushwaha says. "Phishing attacks are easy to launch and chances of people falling prey is very high," he says.
The Modus Operandi
The fraud message reads to the recipient to verify the given bank account number and if found wrong, then visit the shortened bit.ly link given in the message to update his bank record. It's the bit.ly link that leads to phishing web-pages. "Since the bank account number in the SMS is wrong, a number of recipients are enticed to click on the website link. Clicking on the link in the SMS, opens a website which is lookalike to the Income Tax department e-filing website," CERT-In states.
The recipient is asked to enter his bank details to complete his income tax refund application and then enter his login ID and password on the next phishing web-page. Therefore, the details entered by the victim SMS recipient are harvested as sensitive data by the cyber criminals running this campaign for a later use in identity-thefts or for putting up for sale on the dark web or for even altering the user's details in the Income Tax Department's records, CERT-In says.
"Using the same details, fraudsters can call up unsuspecting citizens posing as I-T officials and cheat them out of money by convincing them that there have been 'irregularities' in their I-T returns and they need to pay fines," says Balsing Rajput, superintendent of police, Maharashtra Cyber Crime to the Hindu. "This scam does not even need to be perpetrated by the original scamsters. They can simply sell the data in bulk to gangs involved in such activities, which happens quite often on the darknet," Rajput says.
A senior tax department official told the Press Trust of India that the department is aware of these malicious SMS-based and online attacks on personal taxpayers and others and they are in touch with the CERT-In authorities and have also issued public advisories in this context. The advisory has also stated some do's and dont's.
"We have not received any formal complaint. So there is no investigation on from our end. People informed us and along with CERT-In we have issued advisory," Rajput informs ISMG.
It's a known fact that data sold in the dark web fetches huge amount, depending on the demand. The most commonly sold data in the dark web are CVV number, bank account details, fulz (a combination of data of birth, social security number, bank account number), online payment service login information etc.
A Common Crime
Phishing attacks are one of most common methodology in cybercrime. In fact of late phishing attacks are getting more and more targeted. According to Brendon Rod, chief strategist, Ironscales, a company in anti-phishing technologies,'70 percent of attacks are targeting just 10 mailboxes or less and around 30 percent are just targeting one mailbox.
Tax-themed scams and social engineering attacks are very common and every year something or the other gets reported. According to data from the Central Board of Direct Taxes from the Central Board of Direct Taxes 6.84 crore Indians paid taxes in 2017-18. Though there are in the no official figures on how man income tax SMSshing cases have been reported so far, the sheer number of tax payers in the country gives an idea of the scale of this scam.
According to a blog by Microsoft, these attacks circulate year-round as cybercriminals take advantage of the different country and region tax schedules. The U.S. Internal Revenue Service last week warned of last-minute email scams.
Cybercriminals are using a variety of social engineering tactics related to different scenarios associated with tax filing, in order to get you to click links or open malicious attachments.
SMiShing is increasingly becoming an attractive tactic for cybercriminals to distribute scams, thanks to uptake of mobile banking.
PayPal was another recent target where users received text messages from the PayPal message ID claiming that their payment of $999.99 had just been declined. As we've seen in the past, phishing has forced the improvement in browser defenses against such attacks. Now, the mobile SMS interface is being increasingly used to communicate to customers, and the interface and protocols behind them have a long way to go.
CISOs must take a cue and spread awareness amongst employees with regard to both phishing and SMSshing scams. They must conduct mock phishing scenarios. They must encourage employees to use an antivirus solution, schedule signature updates, and monitor the antivirus status on their equipment.