CloudSEK’s contextual AI digital risk platform XVigil discovered an unprecedented, sophisticated phishing technique, known as the Browser-in-the-Browser (BitB) attack, being used against government websites across the world, including India.
Attackers use the BitB attack, the newest and most advanced phishing technique, to imitate browser windows, most often SSO login pop-ups, rendered entirely inside the page. The fake window imitates a legitimate site in order to steal user credentials and other sensitive data, such as personally identifiable information (PII).
The BitB attack begins when a user visits a website and clicks a malicious link that opens what appears to be an SSO login pop-up window.
When users follow the supplied link, they are prompted to log in to the website with their SSO credentials. From there, the victims are sent to a bogus page that looks exactly like the SSO login page.
Threat actors have been targeting the Indian government website https://india.gov.in, using a bogus URL (http[:]/weserv38573w7[.]xyz/?c=100) to trick users into submitting sensitive information such as credit card numbers, expiration dates, and CVV codes.
The URL displayed in the pop-up created by the BitB attack, https://india.gov.in/topics/home-affairs-enforcement/police, appears legitimate. The actors have also replicated the original page’s user interface. Once victims land on the phishing page, a pop-up appears in the phoney window claiming that their systems have been blocked, posing as a notification from the Home Affairs Enforcement and Police.
The victims are told that they have made excessive use of pornographic websites, which is illegal under Indian law, and are asked to pay a fine of INR 30000 to unlock their systems. They are given a form to fill out in order to pay the fine, which asks them to divulge personal information, including their credit card details. Because the warning conveys urgency and appears to be time-bound, the victims panic.
The information that the victims enter into the form is transferred to the attacker's server. Once the attackers obtain the card details, these may be sold to other buyers in a larger network of cyber criminals, or the victim may be extorted for further money.
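The detection idea that follows from the case above, as an added example that is not part of CloudSEK's report or tooling: a BitB pop-up is ordinary page content, so the URL painted in its fake address bar is just text in the DOM, and a content script can compare any URL displayed on its own line with the host that is actually serving the page. The function names are assumptions, and the sample strings are constructed from the URLs quoted in this report.

```javascript
// Added example (not from the report): a BitB "window" is ordinary page
// content, so the URL shown in its fake address bar is just DOM text.
// A real address bar is never part of the DOM, so a URL displayed on its
// own line whose host differs from the host actually serving the page is
// a strong signal of a spoofed browser window.

// Accept only snippets that consist solely of a URL, as an address bar
// does. This avoids flagging ordinary cross-site links embedded in prose.
const BARE_URL = /^https?:\/\/\S+$/i;

// Normalise a hostname the way the URL parser does (lower-case, punycode)
// so that a Unicode lookalike host is compared in its ASCII form.
function normalizeHost(host) {
  try {
    return new URL("http://" + host).hostname;
  } catch (e) {
    return null;
  }
}

// texts: visible text snippets, e.g. document.body.innerText.split("\n")
// realHost: location.hostname of the page actually being viewed
// Returns one record per displayed URL whose host does not match realHost.
function findFakeAddressBars(texts, realHost) {
  const real = normalizeHost(realHost);
  const hits = [];
  for (const raw of texts) {
    const t = raw.trim();
    if (!BARE_URL.test(t)) continue;
    let parsed;
    try {
      parsed = new URL(t);
    } catch (e) {
      continue; // not a parseable URL, so not an address bar
    }
    if (parsed.hostname !== real) {
      hits.push({ shown: t, shownHost: parsed.hostname, realHost: real });
    }
  }
  return hits;
}

// Constructed sample modelled on the case above: the page is served from
// the attacker's domain (defanged in the report) but paints the
// india.gov.in URL inside the fake window.
const SERVING_HOST = "weserv38573w7.xyz";
const SAMPLE_TEXTS = [
  "https://india.gov.in/topics/home-affairs-enforcement/police",
  "Your system has been blocked. Pay INR 30000 to unlock it.",
  "Contact https://weserv38573w7.xyz/help for assistance",
  "https://weserv38573w7.xyz/?c=100",
];
console.log(findFakeAddressBars(SAMPLE_TEXTS, SERVING_HOST));
```

In a browser extension the same call would be findFakeAddressBars(document.body.innerText.split("\n"), location.hostname), run after the page has rendered.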