Cyber Web Spider Blog – News


Beware of PNB MetLife Payment Gateway that Steals Your Details and Directs You to UPI Payments

Posted on January 22, 2026 By CWS

A sophisticated phishing campaign targeting PNB MetLife insurance customers has surfaced, deceiving victims through fake payment gateway pages that steal personal information and redirect them to fraudulent UPI transactions.

The scam exploits the trusted reputation of PNB MetLife by creating convincing mobile-optimized payment portals that mimic legitimate premium payment services.

These malicious pages accept policy numbers and customer details without any validation, immediately forwarding captured data to attackers through automated channels.

The phishing operation spreads primarily through SMS messages, although email and social media platforms may also serve as distribution channels.

When victims land on these fake payment gateways, they encounter professionally designed interfaces requesting basic information such as name, policy number, and mobile number.

The pages deliberately avoid backend verification, accepting arbitrary values to maintain the illusion of legitimacy while keeping victims engaged in the fraudulent payment flow.

Security researcher Anurag Gawande identified multiple variants of this phishing scheme while conducting threat-hunting activities. His investigation revealed that attackers deployed these pages across free hosting platforms, particularly EdgeOne Pages, enabling rapid deployment and rotation of malicious sites.

The campaign demonstrates a clear evolution in financial fraud tactics, moving beyond simple credential theft to multi-stage operations that combine data exfiltration with direct payment manipulation.

The attack begins innocuously but quickly escalates as victims progress through seemingly legitimate payment steps. Once initial details are captured, the phishing page transitions to a payment amount collection stage before introducing UPI-based payment mechanisms.

This gradual progression builds false confidence while systematically harvesting different layers of information from unsuspecting customers.

What makes this threat particularly dangerous is its use of real payment applications to complete fraudulent transactions.

Rather than relying solely on fake payment processors, the scheme leverages legitimate UPI apps like PhonePe, Paytm, and Google Pay, significantly reducing victim suspicion while increasing the likelihood of successful financial theft.

Stealthy Data Theft Through Telegram Infrastructure

Behind the polished interface lies a sophisticated data exfiltration mechanism powered by the Telegram Bot API.

When victims submit their information, the phishing page silently transmits captured details directly to attacker-controlled Telegram channels instead of any legitimate payment backend.

This real-time data theft occurs invisibly, with hardcoded bot tokens and chat IDs embedded within the page’s JavaScript code.

Fake PNB MetLife Payment Gateway (Source – Malwr-Analysis)

Investigation into the phishing infrastructure uncovered multiple Telegram bots and operator accounts coordinating the fraud.

Bots named “pnbmetlifesbot” and “goldenxspy_bot” collect victim submissions, while accounts such as “darkdevil_pnb” and “prabhatspy” monitor and receive stolen information.

The stolen data includes names, policy numbers, and mobile numbers, all transmitted instantly as victims complete each form field.

After initial data capture, the page requests payment amounts without performing any policy validation, accepting any value entered before forwarding this information to the same Telegram channels.

Telegram bot accounts receiving stolen customer data (Source – Malwr-Analysis)

The phishing flow then introduces urgency through countdown timers and QR code displays, pressuring victims to complete UPI payments quickly.

The JavaScript generates UPI payment URIs dynamically, rendering them as scannable QR codes that direct payments to attacker-controlled accounts.

More concerning is the clipboard abuse technique employed when victims select payment app buttons.

Clicking the PhonePe or Paytm buttons silently copies the fraudulent UPI ID to the device clipboard before redirecting to the legitimate payment app, ensuring the attacker’s payment details are ready to paste even if victims ignore the QR code.

UPI payment redirection page with QR code (Source – Malwr-Analysis)
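
As an added example (not code from the original article or from the researcher's analysis), the function below statically triages saved page source for the indicators described above: a Telegram Bot API endpoint with a hardcoded token, chat IDs, `upi://pay` URIs, and clipboard writes. The token pattern, the scoring thresholds, the names `triagePage`, `SAMPLE_PAGE` and `BENIGN_PAGE`, and every sample value are assumptions constructed for illustration.

```javascript
// Added example: static triage of saved HTML/JS for the indicators this campaign embeds in the page.
// Assumption: bot tokens follow the commonly seen shape "<8-10 digits>:<35 url-safe chars>".
const TOKEN_RE = /\b(\d{8,10}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])/g;
const TG_API_RE = /api\.telegram\.org\/bot/i;
const CHAT_ID_RE = /chat_?id["'\s:=]+["']?(-?\d{5,})/gi;
const UPI_RE = /upi:\/\/pay\?[^\s"'`<>]+/gi;
const CLIPBOARD_RE = /navigator\.clipboard\.writeText|execCommand\(\s*["']copy["']/;

function triagePage(source) {
  const findings = { telegramApi: TG_API_RE.test(source), botIds: [], chatIds: [],
                     upiPayees: [], clipboardWrite: CLIPBOARD_RE.test(source) };
  for (const m of source.matchAll(TOKEN_RE)) {
    // Keep only the numeric bot id; the secret half of the token is never stored or logged.
    if (!findings.botIds.includes(m[1])) findings.botIds.push(m[1]);
  }
  for (const m of source.matchAll(CHAT_ID_RE)) {
    if (!findings.chatIds.includes(m[1])) findings.chatIds.push(m[1]);
  }
  for (const m of source.matchAll(UPI_RE)) {
    // "pa" is the payee address (UPI ID) in a UPI deep link; it identifies the receiving account.
    const params = new URLSearchParams(m[0].slice(m[0].indexOf("?") + 1));
    const pa = params.get("pa");
    if (pa && !findings.upiPayees.includes(pa)) findings.upiPayees.push(pa);
  }
  // Hypothetical scoring: exfil channel (2) + payment redirection (1) + clipboard staging (1).
  findings.score = (findings.telegramApi && findings.botIds.length ? 2 : 0) +
                   (findings.upiPayees.length ? 1 : 0) + (findings.clipboardWrite ? 1 : 0);
  findings.verdict = findings.score >= 3 ? "likely-phishing-kit"
                   : findings.score ? "review" : "clean";
  return findings;
}

// Constructed sample fragments (not taken from a real page); every value is a placeholder.
const SAMPLE_PAGE = [
  'const BOT = "0000000000:' + "A".repeat(35) + '";',
  'const CHAT_ID = "-1000000000000";',
  'const api = "https://api.telegram.org/bot" + BOT + "/sendMessage";',
  'const link = "upi://pay?pa=placeholder@examplebank&pn=Premium&am=1500&cu=INR";',
  'navigator.clipboard.writeText("placeholder@examplebank");',
].join("\n");
const BENIGN_PAGE = '<form action="/pay" method="post"><input name="policy"></form>';

console.log(triagePage(SAMPLE_PAGE));
```

The extracted bot IDs, chat IDs and payee UPI IDs are the values to hand to Telegram, the hosting provider and the payee's bank when reporting a page.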

Advanced variants of this phishing campaign escalate beyond simple payment fraud into comprehensive banking credential harvesting.

These sophisticated templates offer multiple options including “Update Amount,” “Refund Your Amount,” and “Add AutoDebit System,” creating the illusion of legitimate policy servicing.

When victims select these options, they eventually encounter pages requesting full bank account details and debit card information, including card numbers, expiry dates, and CVV codes.

All submitted financial credentials are exfiltrated through the same Telegram infrastructure, transforming the operation from payment fraud into full-scale identity and financial data theft.
