IRCTC and multiple Indian Banking Users at Risk
Twitter is a popular social media platform that allows people from all walks of life to share their thoughts, ideas, and experiences with others. Users can express their opinions, ask questions, and share their knowledge with a wide audience.
With its reach and influence, Twitter has become a powerful tool for communication and connection. Additionally, Twitter has become a platform for users to voice their complaints and bring attention to issues that matter to them.
Recently, Cyble Research and Intelligence Labs discovered a scam that is targeting citizens in India. The scammers use Twitter to find potential victims by monitoring user complaint tweets. These tweets, which are meant to bring attention to issues and problems, are being exploited by cybercriminals to target their victims.
We also noticed a scam involving the Indian Railway Catering and Tourism Corporation (IRCTC). The scammers seem to monitor Twitter for complaints about the Indian Railway, and when they find a victim’s contact information, they will call to initiate the scam.
The figure below shows one example of a complaint tweet posted by a user and the subsequent call the user received from the scammer.
Upon seeing the victim’s tweet, the scammer pretends to be an IRCTC customer support representative and calls the victim to request personal information such as the Train PNR number, order number, refund amount, and payment method.
Even if the victim does not provide the requested information, the scammer keeps trying to carry out financial fraud using various techniques.
The same victim may also be targeted by multiple scammers, who may use different tactics to gain control of the victim’s bank account through UPI fraud. Some examples of UPI frauds that scammers may use are:
Linking the victim’s mobile number or account to the scammer’s device through UPI:
In this case, the scammer contacted the victim over call and requested personal information, including which UPI payment app they used. The scammer sent an SMS during the call with an activation code, as shown in Figure 2.
Once the victim receives the message, the scammer asks them to forward an SMS to a specific number.
According to the article on UPI fraud by RazorPay, the scammer can link the victim’s mobile number or account to their own device through UPI once the victim forwards the received message. The screenshot below shows the scammer’s call history and the verification code received during the call.
Scammers send a Google form to collect sensitive information:
In certain instances, the scammer may request basic personal information from the victim to avoid arousing suspicion and will send a Google form to collect sensitive details, including the victim’s mobile number, UPI PIN, and other personal information. The figure below shows an example of this:
The mobile number of the scammer has negative comments related to the scam on Truecaller, and they have used the Indian Railway logo as their WhatsApp profile picture in an attempt to convince victims that they are a legitimate IRCTC customer support representative.
Scammer sends a phishing link or malicious APK file on WhatsApp:
Scammers have been using Android malware in addition to other fraudulent tactics. They may send a phishing link that downloads a malicious APK file to infect the device, or they may send the malicious file via WhatsApp.
Scammers use such malicious APK files with names like “IRCTC customer.apk,” “online complaint.apk,” or “complaint register.apk” to trick victims into revealing their net banking credentials, UPI details, credit/debit card information, and sometimes even their One-Time-Passwords (OTPs) used for two-factor authentication (2FA) implemented by banks.
Related to the same scam, CRIL came across a phishing site hxxps://mycomplainquery[.]in, which pretends to be the customer support site and prompts victims for basic information such as name, mobile number, and complaint query.
The phishing website prompts the user to input the refund amount upon providing the required information. It later offers various payment options, including credit cards, online banking, and the Unified Payments Interface (UPI).
After the victim chooses a payment option on the phishing site, they are asked to enter sensitive banking information such as their UPI ID, UPI PIN, net banking login details, credit card information, and debit card details. This stolen data is then sent to the Command and Control (C&C) server.
After obtaining sensitive banking information, the phishing site may ask the victim to install a malicious application to track the complaint status. However, this application will also be used to steal incoming text messages from the infected device.
APK Metadata Information
- App Name: complain register
- Package Name: com.my.update
- SHA256 Hash: f952c05d9df163cdc96938222c197ea10c9250b3e548a880b0c52faa9c4d6e28
The below figure shows the metadata information of the application.
The malicious application will ask the victim to grant SMS permission upon installation. It will then display a complaint tracking page and encourage the victim to enter their complaint number, email address, and phone number.
The malware declares an SMSReceiver in the Manifest file, which allows it to collect incoming SMS messages on an infected device and send them to a command and control (C&C) server at hxxps://mycomplainquery[.]in/api/message.
The malware also connects to the endpoint hxxps://mycomplainquery[.]in/api/phone to receive the phone number to which incoming SMS messages are to be forwarded.
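The behaviour described above (an SMS-receiving BroadcastReceiver plus SMS and INTERNET permissions in the manifest) is a pattern a defender can check for statically. The script below is an added example, not code from the report or from the malware; the manifest it parses is a constructed sample modelled on the page’s description, with only the package name com.my.update taken from the IOC section.

```python
"""Static triage of a decoded AndroidManifest.xml for the SMS-interception
pattern described in the report: RECEIVE_SMS/READ_SMS permission, a receiver
registered for SMS_RECEIVED, and INTERNET access for exfiltration."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
KNOWN_BAD_PACKAGES = {"com.my.update"}  # package name from this report's IOCs

# Constructed sample manifest (not the real file from the sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.my.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="complain register">
    <receiver android:name=".SMSReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the indicators found in the manifest and an overall verdict."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    # Receivers whose intent-filter listens for incoming SMS broadcasts.
    sms_receivers = [
        r.get(ANDROID_NS + "name")
        for r in root.iter("receiver")
        if any(a.get(ANDROID_NS + "name") == SMS_RECEIVED for a in r.iter("action"))
    ]
    findings = {
        "package": package,
        "sms_permission": bool(perms & SMS_PERMS),
        "sms_receivers": sms_receivers,
        "internet": "android.permission.INTERNET" in perms,
        "known_bad_package": package in KNOWN_BAD_PACKAGES,
    }
    # The stealer reads SMS via a receiver and ships them to a web C&C, so the
    # combination of all three capabilities (or a known package) is flagged.
    findings["suspicious"] = findings["known_bad_package"] or (
        findings["sms_permission"] and bool(sms_receivers) and findings["internet"]
    )
    return findings


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run it against the output of `apktool d` on a sample to get a decoded manifest; a benign app that legitimately reads SMS will also match the capability check, so treat the verdict as a triage signal, not proof.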
The IP address “217.21.94[.]24” was found to be hosting the C&C server hxxps://mycomplainquery[.]in and communicating with the malicious APK file “icici.apk”.
This APK file was part of a campaign that distributed info stealer malware to target Indian bank customers as part of a reward scam. The connection between the IP address and the APK file suggests that the same threat actor is behind both scams.
In addition to targeting IRCTC users, these scammers have also been targeting users of other brands and organizations such as MobiKwik, Spicejet, and Indian banks. When users report complaints on social media, scammers take advantage of the opportunity to carry out phishing attacks, asking them to download malicious files to file their complaints and then stealing funds from their bank accounts.
Some examples of this can be seen in the below image from different users who have experienced this tactic.
We have observed a group of financially motivated scammers based in India responsible for this scam. The same victims receive calls from different scammers, each time pretending to be a customer support representative, claiming to initiate the transfer of funds, and stealing money from their bank accounts using different fraud tactics. This suggests that scammers attempt to deceive and defraud their targets for financial gain.
The reward scam began in late 2020 and targeted various Indian banking users through different themes. Recently, CRIL noticed that the scammers behind the reward scam have started monitoring users’ refund complaints on social media to identify potential victims and steal their funds using various techniques. This demonstrates how cybercriminals are constantly finding new ways to exploit people’s online activity and use it to their own benefit.
It is important for users to be aware of these scams and to be cautious when providing personal information or downloading files online.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Download and install software only from official app stores like Google Play Store or the iOS App Store.
- Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
- Never share your Card Details, CVV number, Card PIN, and Net Banking Credentials with an untrusted source.
- IRCTC or other legitimate organizations never ask for a Card PIN or UPI PIN with other banking information; avoid sharing such information over call.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1476 | Deliver Malicious App via Other Means |
| Collection | T1412 | Capture SMS Messages |
| Exfiltration | T1567 | Exfiltration Over Web Service |
Indicators of Compromise (IOCs)
| Indicator | Type | Description |
|---|---|---|
| f952c05d9df163cdc96938222c197ea10c9250b3e548a880b0c52faa9c4d6e28 | SHA256 | Hash of malicious APK |
| bf0cbcea2df55ca0a0bdebec8f615bb71eba4636 | SHA1 | Hash of malicious APK |
| f4a6093132a4765ffe9115f3bb386f6b | MD5 | Hash of malicious APK |
| hxxps://mycomplainquery[.]in | URL | Android Malware Distribution URL & C&C server |