CRIL Uncovers a New Wave of Browser-Based mostly e-Challan Phishing Powered by Shared Fraud Infrastructure.
Following our earlier reporting on RTO-themed threats, CRIL noticed a renewed phishing wave abusing the e-Challan ecosystem to conduct monetary fraud. Not like earlier Android malware-driven campaigns, this exercise depends solely on browser-based phishing, considerably reducing the barrier for sufferer compromise. In the course of the course of this analysis, CRIL additionally famous that comparable faux e-Challan scams have been highlighted by mainstream media retailers, together with Hindustan Occasions, underscoring the broader scale and real-world influence of those campaigns on Indian customers.
The marketing campaign primarily targets Indian car house owners through unsolicited SMS messages claiming an overdue visitors positive. The message features a misleading URL resembling an official e-Challan area. As soon as accessed, victims are introduced with a cloned portal that mirrors the branding and construction of the legit authorities service. On the time of this writing, lots of the related phishing domains have been energetic on the time, indicating that that is an ongoing and operational marketing campaign relatively than remoted or short-lived exercise.
The identical internet hosting IP was noticed serving a number of phishing lures impersonating authorities providers, logistics corporations, and monetary establishments, indicating a shared phishing backend supporting multi-sector fraud operations.
The an infection chain, outlined in Determine 1, showcases the phases of the assault.
Key Takeaways
- Attackers are actively exploiting RTO/e-Challan themes, which stay extremely efficient in opposition to Indian customers.
- The phishing portal dynamically fabricates challan knowledge, requiring no prior victim-specific info.
- The fee workflow is intentionally restricted to credit score/debit playing cards, avoiding traceable UPI or internet banking rails.
- Infrastructure evaluation hyperlinks this marketing campaign to BFSI and logistics-themed phishing hosted on the identical IP.
- Browser-based warnings (e.g., Microsoft Defender) are current however incessantly ignored as a consequence of urgency cues.
A way of urgency, evidenced on this marketing campaign, is often an indication of deception. By demanding a consumer’s speedy consideration, the intent is to make a possible sufferer rush their job and never carry out due diligence.
Customers should accordingly train warning, scrutinize the area, sender, and by no means belief any unsolicited hyperlink(s).
Technical findings
Stage 1: Phishing SMS Supply
The assault we first recognized began with victims receiving an SMS stating {that a} visitors violation positive is overdue and should be paid instantly to keep away from authorized motion. The message contains:
- Threatening language (authorized steps, supplementary fees)
- A shortened or misleading URL mimicking e-Challan branding
- No personalization, permitting large-scale supply
The sender seems as a regular cell quantity, which will increase supply success and reduces speedy suspicion. (see Determine 2)
Stage 2: Redirect to Fraudulent e-Challan Portal
Clicking the embedded URL redirects the consumer to a phishing area hosted on 101[.]33[.]78[.]145.
The web page content material is initially authored in Spanish and translated to English through browser prompts, suggesting the reuse of phishing templates throughout areas. (see Determine 3)
The Authorities insignia, MoRTH references, and NIC branding are visually replicated. (see Determine 3)
Stage 3: Fabricated Challan Technology
The portal prompts the consumer to enter:
- Automobile Quantity
- Challan Quantity
- Driving License Quantity
Whatever the enter supplied, the system returns:
- A sound-looking challan report
- A modest positive quantity (e.g., INR 590)
- A near-term expiration date
- Distinguished warnings about license suspension, court docket summons, and authorized proceedings
This step is only psychological validation, designed to persuade victims that the challan is legit. (see Determine 4)
Stage 4: Card Knowledge Harvesting
Upon clicking “Pay Now”, victims are redirected to a fee web page claiming safe processing through an Indian financial institution. Nevertheless:
- Solely credit score/debit playing cards are accepted
- No redirection to an official fee gateway happens
- CVV, expiry date, and cardholder identify are collected immediately
Throughout testing, the web page accepted repeated card submissions, indicating that every one entered card knowledge is transmitted to the attacker backend, unbiased of transaction success. (see Determine 5)
Infrastructure Correlation and Marketing campaign Enlargement
CRIL recognized one other attacker-controlled IP, 43[.]130[.]12[.]41, internet hosting a number of domains impersonating India’s e-Challan and Parivahan providers. A number of of those domains observe comparable naming patterns and intently resemble legit Parivahan branding, together with domains designed to appear to be Parivahan variants (e.g., parizvaihen[.]icu). Evaluation signifies that this infrastructure helps rotating, mechanically generated phishing domains, suggesting using area technology methods to evade takedowns and blocklists.
The phishing pages hosted on this IP replicate the identical operational move noticed within the major marketing campaign, displaying fabricated visitors violations with mounted positive quantities, implementing urgency via expiration dates, and redirecting victims to faux fee pages that harvest full card particulars whereas falsely claiming to be backed by the State Financial institution of India.
This overlap in infrastructure, web page construction, and social engineering themes suggests a broader, scalable phishing ecosystem that actively exploits authorities transport providers to focus on Indian customers.
Additional investigation into IP tackle 101[.]33[.]78[.]145 revealed greater than 36 phishing domains impersonating e-Challan providers, all hosted on the identical infrastructure.
The infrastructure additionally hosted phishing pages focusing on:
- BFSI (e.g., HSBC-themed fee lures)
- Logistics corporations (DTDC, Delhivery) (see Figures 7,8)
Constant UI patterns and payment-harvesting logic throughout campaigns
This confirms the presence of a shared phishing infrastructure supporting a number of fraud verticals.
SMS Origin and Telephone Quantity Evaluation
As a part of the continued investigation, CRIL analyzed the originating telephone quantity used to ship the phishing e-Challan SMS. A reverse telephone quantity lookup confirmed that the quantity is registered in India and operates on the Reliance Jio Infocomm Restricted cell community, indicating using a domestically issued cell connection relatively than a world SMS gateway.
Moreover, evaluation of the quantity confirmed that it’s linked to a State Financial institution of India (SBI) account, additional reinforcing the marketing campaign’s use of localized infrastructure. The mixture of an Indian telecom provider and affiliation with a distinguished public-sector financial institution doubtless enhances the perceived legitimacy of the rip-off. It will increase the effectiveness of government-themed phishing messages. (see Determine 9)
Conclusion
This marketing campaign demonstrates that RTO-themed phishing stays a high-impact fraud vector in India, notably when mixed with practical UI cloning and psychological urgency. The reuse of infrastructure throughout authorities, logistics, and BFSI lures highlights a professionalized phishing operation relatively than remoted scams.
As attackers proceed shifting from malware supply to direct monetary fraud, consumer consciousness alone is inadequate. Infrastructure monitoring, area takedowns, and proactive SMS phishing detection are essential to disrupting these operations at scale.
Our Suggestions:
- All the time confirm visitors fines immediately through official authorities portals, not SMS hyperlinks.
- Organizations ought to monitor for lookalike domains abusing authorities and model identities.
- SOC groups ought to monitor shared phishing infrastructure, as takedown of 1 area could disrupt a number of campaigns.
- Telecom suppliers ought to strengthen SMS filtering for monetary and government-themed lures.
- Monetary establishments ought to monitor for card-not-present fraud patterns linked to phishing campaigns.
MITRE ATT&CK® Strategies
| Tactic | Approach ID | Approach Title |
| Preliminary Entry | T1566.001 | Phishing: Spearphishing through SMS |
| Credential Entry | T1056 | Enter Seize |
| Assortment | T1119 | Automated Assortment |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
| Affect | T1657 | Monetary Theft |
Indicators of Compromise (IOCs)
The IOCs have been added to this GitHub repository. Please evaluation and combine them into your Menace Intelligence feed to boost safety and enhance your total safety posture.
| Indicators | Indicator Sort | Description |
| echala[.]vip echallaxzov[.]vip | Area | Phishing Area |
| echallaxzrx[.]vip | ||
| echallaxzm[.]vip | ||
| echallaxzv[.]vip | ||
| echallaxzx[.]vip | ||
| echallx[.]vip | ||
| echalln[.]vip | ||
| echallv[.]vip | ||
| delhirzexu[.]vip | ||
| delhirzexi[.]vip | ||
| delhizery[.]vip | ||
| delhisery[.]vip | ||
| dtdcspostb[.]vip | ||
| dtdcspostv[.]vip | ||
| dtdcspostc[.]vip | ||
| hsbc-vnd[.]cc | ||
| hsbc-vns[.]cc | ||
| parisvaihen[.]icu | ||
| parizvaihen[.]icu | ||
| parvaihacn[.]icu | ||
| 101[.]33[.]78[.]145 | IP | Malicious IP |
| 43[.]130[.]12[.]41 |
