Hackers target SBI customers with text phishing scam

Several State Bank of India’s (SBI’s) customers have become victims of a phishing scam, according to an investigation by New Delhi-based think tank CyberPeace Foundation and Autobot Infosec Private Ltd. The probe revealed that hackers targeted SBI users by sending suspicious text messages wherein they requested them to redeem their SBI credit points worth Rs 9,870, news agency IANS reported.

The message’s link redirected the bank’s customers to a fake website and asked users to submit personal information along with sensitive financial details like card number, expiry date, CVV and Mpin in a ‘State Bank of India Fill Your Details’ form. After the form is submitted, the user is directed to a “thank you” page.

The personal information included: name, registered mobile number, email, email password and date of birth, CyberPeace Foundation said.

The probe also found other suspicious elements on the fake website link, which proved that the entire thing is a phishing attack. For instance, the form took user inputs without performing basic validation of data type. The registered mobile number field, which should only accept numerical values also accepted text input.

Additionally, the email password field reflected the entered password in clear text instead of keeping the characters hidden.

Similarly, the card number field accepted an infinite number of digits instead of only 16 digits, which SBI cards usually have.

The foundation also added that SBI never communicates with their customers via SMS or emails containing links with regard to the user’s account. Besides, a reputed bank also does not use WordPress like CMS technologies on their official website for security reasons.

The think tank in its report pointed the fake website collected data directly and was registered by a third party and not SBI. It claimed the domain name of the website has been traced to Tamil Nadu.