The Comodo Threat Research Labs (CTRL) team has identified a phishing attack targeted specifically at ICICI Bank, India’s largest private bank with more than 4,000 branches across the country, and at its customers.
As part of the targeted phishing campaign, fake emails disguised as official emails from the company were sent to recipients, asking them to update their banking details and stating that the requested information was mandatory.
The fake emails were sent from the sender address “ICICI Bank < email@example.com >,” which at first glance would seem to be a legitimate email address – but on closer inspection the domain name is clearly not related to the company at all. A display name that claims the bank while the actual sender domain is unrelated should be warning sign no. 1 for potential victims of this (and other) phishing campaigns.
Within the email itself (image 1 below), the cybercriminals were asking potential phishing victims to click on a mandatory hyperlink, where they were asked to fill in their personal and professional information related to their banking with ICICI.
When the potential phishing victim clicked the hyperlink, it took them to a landing page where they would select whether they were updating their personal information or their corporate information (image 2).
Whichever option the potential victims clicked would have taken them to a new landing page (image 3), where they were asked to confirm key pieces of financial information such as user ID, password, transaction password, debit card number, email ID and email password.
Potential phishing victims should be sure to look at the URL of any site that is asking them for this type of critical information. In this case, the page impersonating ICICI was originally hosted on a site that is not at all affiliated with the company (http://www.gomiapp.com/app/). As of this blog post, the phishing site has been taken down and visiting it returns “page not found” – but the same content could easily reappear in another targeted phishing campaign on a different website.
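The two checks the post asks readers to make by eye (does the sender domain match the display name, and does every link point at the bank's own site) can be automated for mail filtering or triage. The following is an added example, not code from Comodo or ICICI; it assumes icicibank.com as the bank's legitimate domain (the post does not name one) and uses the sender string and landing-page URL as printed above as a constructed sample.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed legitimate domain for the brand (not stated in the post); a real
# deployment would load the bank's published sending and hosting domains.
BRAND_DOMAINS = {"icicibank.com"}
BRAND_NAME = "icici"

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def is_brand_domain(host):
    """True only for the brand's own domain or a subdomain of it;
    a look-alike such as 'icicibank.com.evil.example' is rejected."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def check_from(from_header):
    """Flag a display name that claims the brand while the real sender
    domain is unrelated (warning sign no. 1 in the post)."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if BRAND_NAME in display.lower() and not is_brand_domain(domain):
        return [f"display name '{display}' but sender domain is {domain}"]
    return []


def check_links(body):
    """Flag every link whose host is not the brand's own domain, i.e. the
    URL check the post tells readers to make before entering any details."""
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")          # drop sentence punctuation
        host = urlparse(url).hostname or ""
        if not is_brand_domain(host):
            findings.append(f"link points to non-brand host {host}: {url}")
    return findings


def triage(from_header, body):
    """Run both checks; any finding means the mail should not be trusted."""
    return check_from(from_header) + check_links(body)


# Constructed sample modelled on the campaign: the From: string as printed
# in the post and the landing-page URL it names.
SAMPLE_FROM = "ICICI Bank <email@example.com>"
SAMPLE_BODY = ("Please update your ICICI Bank details. This is mandatory: "
               "http://www.gomiapp.com/app/")

if __name__ == "__main__":
    for finding in triage(SAMPLE_FROM, SAMPLE_BODY):
        print("SUSPICIOUS:", finding)
```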
In discussions with ICICI Bank, the bank issued the following statement, which it also wanted to share with the public:
“ICICI Bank has a robust and multi-level security system for all its banking channels including our internet banking to safeguard our customers from fraudulent attacks including phishing. The phishing page which was hosted on the third party website does not exist and hence, it does not pose any threat to our customers. In addition, we have a proactive monitoring process to detect such phishing pages/sites, which are immediately brought down. In order to expand the vigilance, we even request our customers to bring to our notice as and when they come across any such phishing site. ICICI Bank never asks for personal, account or financial information from our customers via e-mail or by directing them to a link online. On an ongoing basis, the Bank advises its customers to not reveal their details to anyone. Readers and customers are requested to forward such e-mails to firstname.lastname@example.org along with your contact details.”
Reproducing the colors, logos and feel of official websites is something cybercriminals are proficient at. The Comodo team identified the ICICI phishing email through IP, domain, URL and image analysis and has notified ICICI’s communications office of its findings.
“Through our specific IP and URL analysis – as well as the Comodo Threat Research Labs’ continuous monitoring and scanning of data from the users of Comodo’s security systems, our team was able to identify this specific phishing email scam and alert the public to it,” said Fatih Orhan, director of Technology for Comodo and the Comodo Threat Research Labs. “As a company, we work diligently to create innovative technology solutions that stay a step ahead of the cybercriminals and keep enterprises and IT environments safe.”
The Comodo Threat Research Labs (CTRL) is made up of more than 40 IT web security software professionals, ethical hackers, computer scientists and engineers, all full-time Comodo employees, analyzing and filtering spam, phishing and malware from across the globe. With offices in the U.S., Turkey, Ukraine, the Philippines and India, the CASL team analyzes more than 1 million potential pieces of phishing, spam or other malicious/unwanted emails per day, using the insights and findings to secure and protect its current customer base and the at-large public, enterprise and Internet community.
IMAGE 1: Initial phishing email
From: ICICI Bank <email@example.com>
Subject: Please Update Your ICICI Bank Details
IMAGE 2: Selecting which account
IMAGE 3: Where the information is stolen by the cybercriminals