Scammers monitor user complaints on Twitter to target Indian citizens, according to recent research by Cyble Research and Intelligence Labs.
The team observed crooks checking Twitter for tweets in which users raise complaints, with the aim of extracting valuable information from victims.
Another similar scam involves the Indian Railway Catering and Tourism Corporation (IRCTC). Threat actors operate in a similar manner: they check Twitter complaints about the IRCTC to look for user contact information and get in touch with them directly.
After doing that, cybercriminals pose as an IRCTC customer support representative to ask for personal information, including the Train PNR number, order number, refund amount, and payment method.
Even if the victim cannot provide the requested information, scammers can use various methods to extract money.
For instance, they were observed sending out an SMS with an activation code and asking victims to forward it to a requested number. They would also request personal information, including which UPI payment app the victim used. Crooks can then link the victim’s mobile number or account to their own device through UPI, according to the researchers.
Alternatively, threat actors might request basic information over the phone and ask for more sensitive data via a Google form to gain credibility.
“The mobile number of the scammer has negative comments related to the scam on Truecaller, and they have used the Indian Railway logo as their WhatsApp profile picture in an attempt to convince victims that they are a legitimate IRCTC customer support representative,” researchers explain.
Cybercriminals also use WhatsApp to send malicious files or links to malicious APK files titled “IRCTC customer.apk,” “online complaint.apk,” or “complaint register.apk,” aiming to trick victims into providing financial details and sometimes even the one-time passwords (OTPs) used for two-factor authentication (2FA) implemented by banks.
Cyble Research and Intelligence Labs also discovered a phishing site hxxps://mycomplainquery[.]in, which poses as a customer support service that attempts to make users reveal banking data and install a malicious application to track the complaint status. This application can be used to steal incoming text messages from the infected device.