Suspicious messages asking State Bank of India (SBI) customers to redeem SBI credit points worth Rs 9,870 have recently been circulating, according to the New Delhi-based CyberPeace Foundation, a cybersecurity think tank.
The link in the SMS redirects the user to a fake website. On the landing page, the customer is asked to submit personal and financial information such as name, registered cell phone number, email, date of birth, card number, expiration date, CVV and MPIN in a “State Bank of India Fill Your Details” form.
The website’s domain name can be traced to India, and the registrant state was Tamil Nadu, according to the CyberPeace Foundation report.
According to the report by CyberPeace Foundation and Autobot Infosec Private Ltd, “The fake site collects data directly without any verification and is registered by a third party instead of having the name of the registered organization of State Bank of India, which makes it all the more suspicious. In addition, according to SBI, they never communicate with their customers via text messages or emails containing links on the user’s account, nor does any reputable banking entity use WordPress-like CMS technologies on their official website for security reasons.”
In a source code analysis, the site title was found to be “Home-Earn Redeem Points”. A tag found in the source code redirects users to a WordPress website, indicating that the website was created with WordPress and that the WordPress theme used is Sinatra, a lightweight and highly customizable multipurpose theme. The site’s WordPress administrative login page was also found while visiting the bogus website, according to the CyberPeace Foundation report.
The report also observed that the form takes user input without performing basic data type validation. For example, the registered mobile number field, which should only accept numeric values, also accepts text input. Additionally, the card number field accepts an unlimited number of digits instead of just the sixteen digits that SBI cards typically have.
The email password field displays the entered password in clear text instead of keeping the characters hidden, making it all the more suspicious.
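
The indicators described above (a WordPress theme reference in the page source, fields that accept unconstrained input, and a secret shown in clear text) can be checked automatically on a saved copy of a suspect page. The Python script below is an added example, not code from the CyberPeace Foundation report; the sample HTML, its field names and the theme path are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample modelled on the report's description; not the real page.
SAMPLE = """<html><head><title>Home-Earn Redeem Points</title>
<link rel="stylesheet" href="/wp-content/themes/sinatra/style.css"></head>
<body><form method="post">
<input type="text" name="mobile">
<input type="text" name="card_number">
<input type="password" name="cvv" maxlength="3" pattern="[0-9]{3}">
<input type="text" name="email_password">
</form></body></html>"""

SECRET = re.compile(r"password|cvv|mpin", re.I)             # should be masked
NUMERIC = re.compile(r"mobile|phone|card|cvv|mpin", re.I)   # should be constrained
THEME = re.compile(r"/wp-content/themes/([\w-]+)/")         # WordPress theme path

class FormAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("link", "script"):
            m = THEME.search(a.get("href", "") + " " + a.get("src", ""))
            if m:
                self.findings.append("wordpress-theme:" + m.group(1))
        elif tag == "input":
            name, typ = a.get("name", ""), a.get("type", "text").lower()
            # Secret rendered as plain text instead of a masked field.
            if SECRET.search(name) and typ != "password":
                self.findings.append("cleartext-secret:" + name)
            # No pattern, maxlength or number type: any text of any length passes.
            limited = "pattern" in a or "maxlength" in a or typ == "number"
            if NUMERIC.search(name) and not limited:
                self.findings.append("unconstrained-field:" + name)

def audit(html):
    """Return the list of indicators found in one saved HTML page."""
    parser = FormAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

These checks only look at client-side markup, so they are triage hints to weigh alongside the domain registration details rather than proof on their own.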