Abusing the #Coronavirus & #COVID19outbreak, another phishing site emerges trying to collect bank login details of Indian citizens
The site incometaxefilingsindia[.]in was registered today 28/04/2020 with domain registrar @openprovider
The abuser has hosted the site on a server with IP 45.87.81[.]14 which belongs to @HostingerCOM.
It also has another lookalike phishing site incometaxefilingindia[.]in
& registered legit looking sites & hosted them on the same server. Of course, can't be established if the owner is the same.
The phishing site has the official logo of @IncomeTaxIndia & an image of @narendramodi @PMOIndia.
It starts with collecting personal details & upload of copies of govt issued sensitive documents like PAN, Aadhaar & passport.
The last tab is to collect the bank login details.
After submitting info, document copies & bank details, it then goes on to say the Verification is PENDING, asking users to download an Android app to verify the documents. At this moment, the user has already submitted bank login details.
If the bank has not enabled additional verification or OTP then the user would definitely lose his money.
Now the APK file is hosted on a shared web hosting provider https[:]//filetransfer.io/premium?_fid=3bc8 and I could no longer download the file, to check and disassemble.
The criminal also has a very helpful video guiding the user on how to download and operate the app.
Already sent emails to abuse contacts of @openprovider @HostingerCOM & registrar[.]eu.
Also copied @IndianCERT & @IncomeTaxIndia. Not sure how many days or weeks it would take to bring the phishing site down.
Reported the phishing site to Google's Safe Browsing site safebrowsing.google.com/safebrowsing/r… which is used by both @firefox & @googlechrome. Hope they take action & block at the browser level itself.
Got a response from @openprovider, the domain registrar. They say my email complaint has been forwarded to the domain owner asking him to take action.
@googlechrome & @firefox have already blacklisted the site
And either the hosting provider @HostingerCOM or the phishing site owner himself has removed the A entries for the site.
@HostingerCOM confirmed to me that the abusive account has been suspended.
Keep Current with Niranjan Patil
