{"id":49192,"date":"2022-11-07T00:00:00","date_gmt":"2022-11-07T00:00:00","guid":{"rendered":"urn:uuid:faf561c7-24bd-eaba-15c8-ed1d1930576b"},"modified":"2022-11-07T00:00:00","modified_gmt":"2022-11-07T00:00:00","slug":"massive-phishing-campaigns-target-india-banks-clients","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/massive-phishing-campaigns-target-india-banks-clients\/","title":{"rendered":"Massive Phishing Campaigns Target India Banks\u2019 Clients"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/cover-massive-phishing-campaigns-target-india-bank-customers-elibomi-fakereward-axbanker-icrat-icspy.jpg\"> <head> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/k\/massive-phishing-campaigns-target-india-banks-clients.html\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"51.149351394788\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"173024689\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\"
readability=\"7.758389261745\">\n<div class=\"article-details\" role=\"heading\" readability=\"34.912751677852\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Phishing<\/p>\n<p class=\"article-details__description\">We found five banking malware families targeting customers of seven banks in India to steal personal and credit card information via phishing campaigns.<\/p>\n<p class=\"article-details__author-by\">By: Trend Micro <time class=\"article-details__date\">November 07, 2022<\/time> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"42.497248968363\">\n<div readability=\"30.637551581843\">\n<p>By Trend Micro Mobile Team<\/p>\n<p>We observed an uptick in attacks targeting bank customers in India, the common entry point being a text message with a phishing link. The SMS content urges the victims to open the embedded phishing link or malicious app download page and follow the instructions to fill in their personally identifiable information (PII) and credit card details, allegedly to get a tax refund or credit card reward points. As of this writing, we observed five banking malware families involved in these attacks, namely Elibomi, FakeReward, AxBanker, IcRAT, and IcSpy.<\/p>\n<p>Our analysis shows that the targeted bank customers include account subscribers of seven banks, including some of the most well-known banks located in the country, potentially affecting millions of customers. Common to these routines is the abuse of the legitimate banks\u2019 logos, names, and affiliated brands and services to convince victims that the phishing sites are affiliated with them.
This blog entry will discuss three of the identified banking malware families and their latest changes (as <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/09\/21\/rewards-plus-fake-mobile-banking-rewards-apps-lure-users-to-install-info-stealing-rat-on-android-devices\/\">IcRAT<\/a> and <a href=\"https:\/\/labs.k7computing.com\/index.php\/targeted-smishing-attacks-on-indian-banking-users\/\">IcSpy<\/a> have been documented): <a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/phishing-android-malware-targets-taxpayers-in-india\/\">Elibomi<\/a> is an old malware that has evolved into a fully equipped banking trojan, while FakeReward and AxBanker are newly discovered banking trojans. Bank clients are advised to remain vigilant against these kinds of threats, and to protect their information and devices from malware infections.<\/p>\n<p><span class=\"main-subtitle-black\">Elibomi returns with more functions<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/massive-phishing-campaigns-target-india-banks-clients\/Figure1-phishing-campaigns-target-india-banks-clients-elibomi-fakereward-axbanker.png\" alt=\"fig1-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy\"><figcaption>Figure 1. Timeline of Elibomi variants deployed<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"35.503448275862\">\n<div readability=\"16.765517241379\">\n<p>Elibomi\u2019s first and second variants, \u201cfake certificates\u201d and \u201ciMobile\u201d campaigns, <a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/phishing-android-malware-targets-taxpayers-in-india\/\">appeared<\/a> towards the end of 2020 and remained active in 2021, designed to steal victims\u2019 PII and credit card information. 
During the early months of 2022, we observed a phishing campaign dropping a new variant of Elibomi with a package name that ended with \u201ciApp.\u201d From this variant on, the routine changed drastically: the threat actors added automation to workflow tasks via Accessibility permissions such as automated clicking, granting of permissions, and capturing screenshots.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/massive-phishing-campaigns-target-india-banks-clients\/Figure2-phishing-campaigns-target-india-banks-clients-elibomi-fakereward-axbanker.png\" alt=\"fig2-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy\"><figcaption>Figure 2. Elibomi\u2019s latest variants\u2019 functions<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/massive-phishing-campaigns-target-india-banks-clients\/Figure3-phishing-campaigns-target-india-banks-clients-elibomi-fakereward-axbanker.jpg\" alt=\"fig3-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy\"><figcaption>Figure 3. Elibomi\u2019s phishing page harvests the victim\u2019s PII and credit card information<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"37.755888650964\">\n<div readability=\"20.865096359743\">\n<p>More recently, we found a fourth variant of Elibomi delivered from the same phishing site with a package name ending with \u201ciAssist.\u201d This variant added the cloud-hosted real-time database Firebase as an alternative command and control (C&amp;C) server and an environment check tool called RDVerify for detection evasion. 
In the next sections, we detail the different commands and functions that the third and fourth variants of Elibomi are capable of, as well as the implications of these updates. It is also worth noting that an update has again been observed in October on the latest iterations, as documented by security researchers from <a href=\"https:\/\/blog.cyble.com\/2022\/10\/27\/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers\/\">Cyble.<\/a><\/p>\n<p><span class=\"main-subtitle-black\"><span class=\"body-subhead-title\">Overview: Elibomi\u2019s automated variants<\/span><\/span><\/p>\n<p>Because of the automated workflow framework of the latest variants, we call the third (\u201ciApp\u201d campaign) and fourth (\u201ciAssist\u201d campaign) variants the automated variants, and we break down the commands and functions we found in their respective routines.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/massive-phishing-campaigns-target-india-banks-clients\/Figure4-phishing-campaigns-target-india-banks-clients-elibomi-fakereward-axbanker.png\" alt=\"fig4-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy\"><figcaption>Figure 4. RDVerify workflow<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"42\">\n<div readability=\"29\">\n<p><span class=\"body-subhead-title\">Sophisticated command format<\/span><\/p>\n<p>Looking into the routines of the third and fourth variants, Elibomi implements a sophisticated and lengthy command list and has three types of commands to conduct malicious activities: task command, server command, and auto command.
The succeeding section breaks down the three commands we found.<\/p>\n<p><b>Task command<\/b><\/p>\n<p>We found that the task command was the main command among the three, enumerating the specific malicious activities needed in the routine. It is capable of being a recursive command for complex tasks, or a non-recursive command function:<\/p>\n<ol>\n<li>As a non-recursive command: A single command that contains the command name and corresponding operands. This can be split by \u201c:::\u201d to get the sub-terms.<\/li>\n<li>As a recursive command: A combination of non-recursive commands that can be split by \u201c,\u201d or \u201c-\u201d to get non-recursive commands.<\/li>\n<\/ol>\n<p>As an example, should a specific aspect of Elibomi\u2019s routine require unlocking the device without the user becoming aware of it, the malware can use this recursive command to accomplish three tasks: wakeup, remove the screen overlay, and make the gesture combination for the unlock screen pin or pattern.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/massive-phishing-campaigns-target-india-banks-clients\/Figure5-phishing-campaigns-target-india-banks-clients-elibomi-fakereward-axbanker.png\" alt=\"fig5-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy\"><figcaption>Figure 5. Elibomi task command<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36.5\">\n<div readability=\"18\">\n<p><b>Server command<\/b><\/p>\n<p>This command returns the execution result to the backend server. 
For example, \u201cD:::Unlock has been executed &#8211; ##-##\u201d shows and communicates with the server that the task command was able to unlock the device successfully.<\/p>\n<p><b>Auto command<\/b><\/p>\n<p>The auto command plays a vital role in Elibomi\u2019s automated workflow, describing how Elibomi uses <i>Accessibility<\/i> to conduct the malicious behaviors step by step. For example, auto command is responsible for how Elibomi enables the Media Projection automatically. When the attackers get the Accessibility permissions granted and receive the task command <i>MEDIAPROJECTION<\/i>, Elibomi will generate the auto command &lt;SCREENCLICK:Button:start now|ok|accept|allow&gt; to click on \u201cSTART NOW\u201d in the MediaProjection dialog box.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/massive-phishing-campaigns-target-india-banks-clients\/Figure6-phishing-campaigns-target-india-banks-clients-elibomi-fakereward-axbanker.png\" alt=\"fig6-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy\"><figcaption>Figure 6. Taking screenshots of the victim\u2019s window<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p><span class=\"body-subhead-title\">A fully automated malware<\/span><\/p>\n<p>Analyzing the routines that the two latest variants of Elibomi are capable of, this malware can interact with the device\u2019s user interface (UI) automatically without the user knowing. To become a \u201cfully automated malware,\u201d Elibomi will show a message upon launch that pushes the user to enable Accessibility permissions by disguising itself as a Google application. 
It then proceeds to show a dialog box upon launch as if there is an urgent need to grant Accessibility permissions to push the user to allow the said request.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/massive-phishing-campaigns-target-india-banks-clients\/Figure7-phishing-campaigns-target-india-banks-clients-elibomi-fakereward-axbanker.jpg\" alt=\"fig7-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy\"><figcaption>Figure 7. Elibomi requests for the Accessibility permission to proceed with the automated tasks<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>The following is the full list of malicious tasks that have been added to Elibomi\u2019s automation workflow in the latest automated variants:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\">\n<tbody readability=\"27.5\">\n<tr>\n<th scope=\"col\">Task<\/th>\n<th scope=\"col\"><b>Related Task Command<\/b><\/th>\n<th scope=\"col\"><b>Related Auto Command<\/b><\/th>\n<\/tr>\n<tr readability=\"7\">\n<td>Get MediaProjection permission<\/td>\n<td>EXECUTORSEQUENCE::: PERMISSIONFOLLOWUP#222#MEDIAPROJECTIONPERMISSION<\/td>\n<td>CLICK:Button:start now|ok|accept|allow:-:-::SCREENCLICK:Button:start now|ok|accept|allow:-:-::CLICK:Button:start now|ok|accept|allow:-:-::SCREENCLICK:Button:start now|ok|accept|allow:-:-<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>Allow Write settings<\/td>\n<td>EnableSettingsSequence<\/td>\n<td>fullforwardswipe:Switch:-:-:-::fullforwardswipe:Switch:-:-:-::fullforwardswipe:Switch:-:-:-<\/td>\n<\/tr>\n<tr readability=\"7\">\n<td>Get SMS-related permissions<\/td>\n<td>EXECUTORSEQUENCE::: PERMISSIONFOLLOWUP#222# 
SMSPERMISSION<\/td>\n<td>CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-<\/td>\n<\/tr>\n<tr readability=\"8\">\n<td>Set itself as default SMS app<\/td>\n<td readability=\"5\">\n<p>PERMISSIONS:::REVOKEDEFAULTSMS<\/p>\n<p>STARTSMSSEQUENCE<\/p>\n<\/td>\n<td>CLICK:Button:yes|ok|accept|allow:-:-::SCREENCLICK:Button:yes|ok|accept|allow:-:-::CLICK:Button:yes|ok|accept|allow:-:-::SCREENCLICK:Button:yes|ok|accept|allow:-:-<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>Allow Install App from Unknown Source<\/td>\n<td>REQUESTINSTALLPERMISSION<\/td>\n<td>CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-<\/td>\n<\/tr>\n<tr readability=\"7\">\n<td>Disable battery optimization<\/td>\n<td>IGNORE_BATTERY_OPTIMIZATIONS<\/td>\n<td>CLICK:Button:ok|accept|allow:-:-::SCREENCLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::SCREENCLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-<\/td>\n<\/tr>\n<tr readability=\"11\">\n<td>Install additional APK and grant permission for the payload<\/td>\n<td readability=\"7\">\n<p>DOWNLOADAPK<\/p>\n<p>EXECUTORSEQUENCE:::INSTALLAPK<\/p>\n<p>EXECUTORSEQUENCE:::OPENAPPCOMPONENTandGRANTPERMISSIONS<\/p>\n<\/td>\n<td>CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>Get all
accounts<\/td>\n<td>\n<p>SCREENSHOT<\/p>\n<p>GLOBAL_ACTION_BACK<\/p>\n<\/td>\n<td>N\/A<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>Disable Google Play Protect<\/td>\n<td>DISABLEPLAYPROTECT<\/td>\n<td>N\/A<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>Read or delete emails from Gmail<\/td>\n<td>GMAILSEQUENCE<\/td>\n<td>click:android.widget.Button:Empty:-:-<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>Prevent disabling of Accessibility<\/td>\n<td>GLOBAL_ACTION_BACK<\/td>\n<td>N\/A<\/td>\n<\/tr>\n<tr>\n<td>Prevent Uninstall<\/td>\n<td>GLOBAL_ACTION_BACK<\/td>\n<td>N\/A<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>Prevent enabling of Google Play Protect<\/td>\n<td>GLOBAL_ACTION_BACK<\/td>\n<td>N\/A<\/td>\n<\/tr>\n<tr>\n<td>Unlock device<\/td>\n<td>WAKEUP<\/td>\n<td>N\/A<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"39.333689839572\">\n<div readability=\"25.902673796791\">\n<p>Table 1. List of malicious tasks added to the two latest variants of Elibomi<\/p>\n<p>Elibomi affects Android 12 and lower, and can automatically grant the attackers sensitive permissions, enable or disable sensitive settings such as enabling installation of apps from unknown sources, and disable Google Play Protect.
Android 13 is not affected as Google <a href=\"https:\/\/blog.esper.io\/android-13-sideloading-restriction-harder-malware-abuse-accessibility-apis\/\">restricts the Accessibility permission<\/a> in the latest version.<\/p>\n<p><span class=\"body-subhead-title\">Overlay mechanisms<\/span><\/p>\n<p>For both iApp and iAssist campaigns, Elibomi implements an overlay by adding a view to the current window to hide its activity from users, instead of placing an overlay on other apps such as bank applications to steal users\u2019 credentials.<\/p>\n<p><b>Wait screen overlay<\/b><\/p>\n<p>In order to evade visual detection by users, Elibomi shows a waiting screen after gaining Accessibility permissions for its service. Meanwhile, it is already executing an automated workflow in the background to grant sensitive permissions to the attacker.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/massive-phishing-campaigns-target-india-banks-clients\/Figure8-phishing-campaigns-target-india-banks-clients-elibomi-fakereward-axbanker.jpg\" alt=\"fig8-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy\"><figcaption>Figure 8.
Wait screen overlay to hide malicious activities in the background<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>Elibomi uses another window type called \u201c<i>TYPE_ACCESSIBILITY_OVERLAY<\/i>\u201d instead of requesting the \u201c<i>SYSTEM_ALERT_WINDOW<\/i>\u201d permission to add an additional view to the current window.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/massive-phishing-campaigns-target-india-banks-clients\/Figure9-phishing-campaigns-target-india-banks-clients-elibomi-fakereward-axbanker.png\" alt=\"fig9-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy\"><figcaption>Figure 9. Create layout with type \u201cTYPE_ACCESSIBILITY_OVERLAY\u201d<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p><b>Fake PIN overlay<\/b><\/p>\n<p>To unlock the device automatically, Elibomi is capable of stealing the PIN code or pattern saved by the user by showing an overlay screen to the victim and \u201clistening\u201d for the user\u2019s actions to record their gestures and clicks.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/massive-phishing-campaigns-target-india-banks-clients\/Figure10-phishing-campaigns-target-india-banks-clients-elibomi-fakereward-axbanker.png\" alt=\"fig10-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy\"><figcaption>Figure 10.
Touch Listener code to record the victim\u2019s actions observed from Elibomi\u2019s third variant<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.480093676815\">\n<div readability=\"11.634660421546\">\n<p><span class=\"body-subhead-title\">Not just Android<\/span><\/p>\n<p>From our online scanning, we <a href=\"https:\/\/twitter.com\/akhilavk\/status\/1428766199576350721\">found<\/a> that the cybercriminals have extended their phishing campaign beyond Android and have ventured to other platforms such as email. Compared with <a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/phishing-android-malware-targets-taxpayers-in-india\/\">previous<\/a> phishing sites, it appears that they have created different themes to induce victims to fill in their sensitive information. The type of stolen data is nearly the same as what they require users to enter on the Android platform.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/massive-phishing-campaigns-target-india-banks-clients\/Figure11-phishing-campaigns-target-india-banks-clients-elibomi-fakereward-axbanker.jpg\" alt=\"fig11-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy\"><figcaption>Figure 11. More recent phishing websites urging victims to download the iAssist app <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p><span class=\"body-subhead-title\">\u201ciAssist\u201d campaign as a fast-evolving Elibomi variant for more profit<\/span><\/p>\n<p>In the fourth variant, we noted one interesting task added to their automated workflow.
When the malware, through the Accessibility permission, detects the <i>payment risk<\/i> notification string that causes the message \u201ccontinuing to pay may cause loss of money\u201d to appear on the UI, it will click on \u201cIgnore risk\u201d to dismiss the alert dialog. This warning usually appears if there is a risk of payments or transfers occurring while using a bank app, and the added task can indicate that the cybercriminals behind this malware can consistently update or enhance Elibomi to automatically conduct money transfers from the victim\u2019s device without them noticing.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/massive-phishing-campaigns-target-india-banks-clients\/Figure12-phishing-campaigns-target-india-banks-clients-elibomi-fakereward-axbanker.png\" alt=\"fig12-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy\"><figcaption>Figure 12. Elibomi capable of clicking \u201cIgnore risks\u201d button automatically<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.701388888889\">\n<div readability=\"13.675925925926\">\n<p><span class=\"main-subtitle-black\">FakeReward: Targeting three banks\u2019 customers in India<\/span><\/p>\n<p>In August, we found a campaign we named <a href=\"https:\/\/twitter.com\/TrendMicroRSRCH\/status\/1565595390463950850\">FakeReward<\/a> targeting customers of three of the largest banks in India, wherein the threat actors registered several domains similar to the legitimate domains to confuse victims.
These phishing websites were pretending to be the official websites of these three banks, even abusing the companies\u2019 names and logos to complete their look.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/massive-phishing-campaigns-target-india-banks-clients\/Figure13-phishing-campaigns-target-india-banks-clients-elibomi-fakereward-axbanker.jpg\" alt=\"fig13-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy\"><figcaption>Figure 13. FakeReward\u2019s phishing websites target customers of three specific banks in India<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.056689342404\">\n<div readability=\"11.482993197279\">\n<p>The FakeReward banking trojan shows a page to request SMS permissions upon launching. Once granted, the malware will collect all text messages to the device and upload it to a remote server, then set up a monitor to listen to incoming SMS messages and sync it to the remote server. We released an initial <a href=\"https:\/\/twitter.com\/TrendMicroRSRCH\/status\/1565595390463950850\">social media thread<\/a> on the said campaign to warn security teams and their respective bank customers to be vigilant against this malware.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/massive-phishing-campaigns-target-india-banks-clients\/Figure14-phishing-campaigns-target-india-banks-clients-elibomi-fakereward-axbanker.jpg\" alt=\"fig14-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy\"><figcaption>Figure 14. 
Requests SMS permissions and collects PII and credit card information<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p><span class=\"body-subhead-title\">Latest changes<\/span><\/p>\n<p>In its recent update, FakeReward malware tries to request a notification permission to extract text messages instead of directly requesting access for SMS permissions.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/massive-phishing-campaigns-target-india-banks-clients\/Figure15-phishing-campaigns-target-india-banks-clients-elibomi-fakereward-axbanker.jpg\" alt=\"fig15-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy\"><figcaption>Figure 15. Request notification permission as seen by the user (left), and the code to parse the notification (right)<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36.985697258641\">\n<div readability=\"21.134684147795\">\n<p>Security researchers from <a href=\"https:\/\/labs.k7computing.com\/index.php\/smsthief-targets-indian-banking-users\/\">K7 Security Labs<\/a> and <a href=\"https:\/\/twitter.com\/malwrhunterteam\/status\/1586322708874203137\">MalwareHunterTeam<\/a> have also found samples of at least five other FakeReward variants. We noted the increase in the number of families and variants of FakeReward malware targeting users in India that appear the same when examined using tactics, techniques, and procedures (TTPs) but show differences in codes. 
Trend Micro customers are protected from all these emerging phishing families and variants.<\/p>\n<p><span class=\"main-subtitle-black\">Potential connection between FakeReward and IcRAT<\/span><\/p>\n<p>During our investigation, we found an interesting coincidence: FakeReward and IcRAT started targeting the customers of one bank nearly at the same time. Moreover, we also found the phishing websites of these two malware families to be nearly similar, making us believe that the cybercriminals behind these two malware families are connected.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/massive-phishing-campaigns-target-india-banks-clients\/Figure16-phishing-campaigns-target-india-banks-clients-elibomi-fakereward-axbanker.png\" alt=\"fig16-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy\"><figcaption>Figure 16. Tracking FakeReward and IcRAT (Screenshot taken from VirusTotal)<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/massive-phishing-campaigns-target-india-banks-clients\/Figure17-phishing-campaigns-target-india-banks-clients-elibomi-fakereward-axbanker.jpg\" alt=\"fig17-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy\"><figcaption>Figure 17. 
Phishing site of IcRAT<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.791878172589\">\n<div readability=\"12.53807106599\">\n<p><span class=\"main-subtitle-black\">AxBanker: Fake app targeting bank\u2019s customers<\/span><\/p>\n<p>In addition to the FakeReward banking malware targeting the customers of two banks, we also found another <a href=\"https:\/\/twitter.com\/malwrhunterteam\/status\/1567880670612955136\">banking trojan<\/a>, active since late August, that targets the customers of another major Indian bank. Its website uses a similar \u201cGet Reward Points\u201d phishing theme to lure victims into downloading and installing the app.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/massive-phishing-campaigns-target-india-banks-clients\/Figure18-phishing-campaigns-target-india-banks-clients-elibomi-fakereward-axbanker.jpg\" alt=\"fig18-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy\"><figcaption>Figure 18. AxBanker phishing website pretending to be an offer from a major bank<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>Once the malware is installed and launched, it requests SMS permissions in order to capture incoming SMS messages and upload them to a remote server.
The malware will then show several fake pages to collect the victim\u2019s personal data and credit card information.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/massive-phishing-campaigns-target-india-banks-clients\/Figure19-phishing-campaigns-target-india-banks-clients-elibomi-fakereward-axbanker.jpg\" alt=\"fig19-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy\"><figcaption>Figure 19. AxBanker malware harvests the victim\u2019s personal data and credit card information<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"45.241046277666\">\n<div readability=\"36.38953722334\">\n<p><span class=\"main-subtitle-black\">Conclusion<\/span><\/p>\n<p>While the types of stolen data and the phishing themes are similar, we don\u2019t have enough evidence to conclude that the cybercriminals behind all of these banking malware families are connected, though they are aggressive in developing their malware further. The threat actors behind Elibomi are likely knowledgeable and adept in Android development, judging by their automation of tasks pertaining to Accessibility permissions. Meanwhile, judging by their ability to hide their tracks, the threat actors behind FakeReward appear to have deployed phishing malware prior to this campaign: the phishing domains used operate for only three to four days at a time before becoming inaccessible. In addition, a quick scan shows that only a few security engines have been able to pick up on its new variant.<\/p>\n<p>Our monitoring also shows that while no customers outside India have been targeted by these malware families, phishing campaigns in the country have increased significantly and are becoming increasingly adept at evading detection.
One possible reason for this uptick is the growing number of new threat actors entering the India underground market, bringing with them profitable business models and interacting with other malicious players to learn from them, exchange ideas, and establish connections. Users and bank customers are advised to remain vigilant and follow these best practices:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Check the text message\u2019s sender. Legitimate companies and organizations have official contact channels from which they send notifications and promotions.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Do not download and install applications from unknown sources. Choose to download the official bank apps from official platforms.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Do not enter sensitive personal information in untrusted apps or websites. Contact banks and organizations through their known channels to ask if they have ongoing promotions or announcements like the message received.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Double-check the dialog boxes\u2019 requests and messages before granting sensitive permissions such as Accessibility to untrusted apps.<\/span><\/li>\n<\/ul>\n<p><span class=\"main-subtitle-black\">Trend Micro solutions<\/span><\/p>\n<p><a href=\"https:\/\/www.trendmicro.com\/en_us\/forHome\/products\/mobile-security.html\">Trend Micro Mobile Security Solutions<\/a> can scan mobile devices in real time and on demand to detect malicious apps, sites, or malware to block or delete them.
These solutions are available on Android and iOS, and can protect users\u2019 devices and help them minimize the threats brought by these fraudulent applications and websites.<\/p>\n<p><span class=\"main-subtitle-black\">Indicators of Compromise (IOCs)<\/span><\/p>\n<p>The full list of IOCs can be found <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/massive-phishing-campaigns-target-india-banks-clients\/IOCs2-massive-phishing-campaign-target-India-banks-customers.txt\">here<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/k\/massive-phishing-campaigns-target-india-banks-clients.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We found five banking malware families targeting customers of seven banks in India to steal personal and credit card information via phishing campaigns.
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":49193,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9521,9511,9508,9513,9581,9577],"class_list":["post-49192","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-crime","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-endpoints","tag-trend-micro-research-malware","tag-trend-micro-research-mobile","tag-trend-micro-research-phishing"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Massive Phishing Campaigns Target India Banks\u2019 Clients 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/massive-phishing-campaigns-target-india-banks-clients\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Massive Phishing Campaigns Target India Banks\u2019 Clients 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/massive-phishing-campaigns-target-india-banks-clients\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-11-07T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/cover-massive-phishing-campaigns-target-india-bank-customers-elibomi-fakereward-axbanker-icrat-icspy.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"13 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/massive-phishing-campaigns-target-india-banks-clients\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/massive-phishing-campaigns-target-india-banks-clients\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Massive Phishing Campaigns Target India Banks\u2019 Clients\",\"datePublished\":\"2022-11-07T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/massive-phishing-campaigns-target-india-banks-clients\\\/\"},\"wordCount\":2685,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/massive-phishing-campaigns-target-india-banks-clients\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/11\\\/massive-phishing-campaigns-target-india-banks-clients.png\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Crime\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Malware\",\"Trend Micro Research : Mobile\",\"Trend Micro Research : Phishing\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/massive-phishing-campaigns-target-india-banks-clients\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/massive-phishing-campaigns-target-india-banks-clients\\\/\",\"name\":\"Massive Phishing Campaigns Target India Banks\u2019 Clients 2026 | ThreatsHub Cybersecurity 
News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/massive-phishing-campaigns-target-india-banks-clients\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/massive-phishing-campaigns-target-india-banks-clients\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/11\\\/massive-phishing-campaigns-target-india-banks-clients.png\",\"datePublished\":\"2022-11-07T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/massive-phishing-campaigns-target-india-banks-clients\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/massive-phishing-campaigns-target-india-banks-clients\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/massive-phishing-campaigns-target-india-banks-clients\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/11\\\/massive-phishing-campaigns-target-india-banks-clients.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/11\\\/massive-phishing-campaigns-target-india-banks-clients.png\",\"width\":1459,\"height\":834},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/massive-phishing-campaigns-target-india-banks-clients\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, 
News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Massive Phishing Campaigns Target India Banks\u2019 Clients\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Massive Phishing Campaigns Target India Banks\u2019 Clients 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/massive-phishing-campaigns-target-india-banks-clients\/","og_locale":"en_US","og_type":"article","og_title":"Massive Phishing Campaigns Target India Banks\u2019 Clients 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/massive-phishing-campaigns-target-india-banks-clients\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2022-11-07T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/cover-massive-phishing-campaigns-target-india-bank-customers-elibomi-fakereward-axbanker-icrat-icspy.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"13 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/massive-phishing-campaigns-target-india-banks-clients\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/massive-phishing-campaigns-target-india-banks-clients\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Massive Phishing Campaigns Target India Banks\u2019 Clients","datePublished":"2022-11-07T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/massive-phishing-campaigns-target-india-banks-clients\/"},"wordCount":2685,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/massive-phishing-campaigns-target-india-banks-clients\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/11\/massive-phishing-campaigns-target-india-banks-clients.png","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cyber Crime","Trend Micro Research : Cyber Threats","Trend Micro Research : Endpoints","Trend Micro Research : Malware","Trend Micro Research : Mobile","Trend Micro Research : Phishing"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/massive-phishing-campaigns-target-india-banks-clients\/","url":"https:\/\/www.threatshub.org\/blog\/massive-phishing-campaigns-target-india-banks-clients\/","name":"Massive Phishing Campaigns Target India Banks\u2019 Clients 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/massive-phishing-campaigns-target-india-banks-clients\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/massive-phishing-campaigns-target-india-banks-clients\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/11\/massive-phishing-campaigns-target-india-banks-clients.png","datePublished":"2022-11-07T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/massive-phishing-campaigns-target-india-banks-clients\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/massive-phishing-campaigns-target-india-banks-clients\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/massive-phishing-campaigns-target-india-banks-clients\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/11\/massive-phishing-campaigns-target-india-banks-clients.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/11\/massive-phishing-campaigns-target-india-banks-clients.png","width":1459,"height":834},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/massive-phishing-campaigns-target-india-banks-clients\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Massive Phishing Campaigns Target India Banks\u2019 
Clients"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a867
1ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/49192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=49192"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/49192\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/49193"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=49192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=49192"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=49192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}