Fake DigiYatra Website Was Targeting Indian Flyers With Lookalike Portal

Threat actors are impersonating the Indian government-backed DigiYatra initiative through a fake travel-themed website, digiyatra[.]in, to harvest personal user information under false pretenses. ThreatWatch360 detected and flagged this high-severity phishing site and coordinated alerts and takedown efforts with government agencies.

Keypoints

  • Threat actors created a phishing website, digiyatra[.]in, impersonating the DigiYatra Foundation to collect personal data such as names, phone numbers, and emails.
  • The fraudulent site mimicked a flight booking platform but did not process any real transactions, serving only to harvest PII.
  • ThreatWatch360’s Early Warning Threat Detection system flagged the domain because it contained an exact match for the brand keyword and showed suspicious activity.
  • The phishing site was served over HTTPS with a free Let’s Encrypt TLS certificate, so visitors saw the usual padlock. A domain-validated certificate only proves that the operator controls that domain name, not that the operator is who the site claims to be, so the padlock lends unearned trust to a lookalike.
  • Indicators of compromise include the domain digiyatra[.]in, IP 167[.]172[.]151[.]164, and WHOIS registrant details pointing to a Kerala-based individual.
  • ThreatWatch360 alerted brand protection clients, escalated the issue to CERT-In and government entities, and requested domain takedown.
  • The incident highlights the importance of proactive brand protection and monitoring against impersonation of government-backed digital initiatives.

MITRE Techniques

  • [T1598] Phishing for Information – A fraudulent website impersonating a trusted government brand was used to collect personal information, described as “…harvesting user data via a fake travel-themed website…”. The site collected names, phone numbers, and email addresses rather than account credentials, so this is information harvesting, not credential theft.
  • [T1583.001] Acquire Infrastructure: Domains – The attackers registered digiyatra[.]in, a domain built on the exact brand keyword under a TLD the brand does not control, and hosted it on their own server rather than on compromised infrastructure.
  • [T1588.004] Obtain Capabilities: Digital Certificates – A free Let’s Encrypt certificate gave the site a valid HTTPS padlock, increasing its credibility with visitors and letting it pass the “is it HTTPS?” check that many users rely on.

Indicators of Compromise

  • [Domain Name] malicious phishing site – digiyatra[.]in, impersonating the DigiYatra Foundation.
  • [IP Address] hosting and direct access – 167[.]172[.]151[.]164; the same site was also reachable directly over plain HTTP at http://167[.]172[.]151[.]164:3000. Block the IP alongside the domain, since a domain takedown alone leaves the host live.
  • [WHOIS Registrant] identity – registrant name recorded as Ali Sajil, Kerala, India; the remaining registrant contact details are redacted by WHOIS privacy.
  • [TLS Certificate] type – free Let’s Encrypt certificate used to serve the phishing site over HTTPS.
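The following is an added example, not code from ThreatWatch360 or the original post. It takes the indicators listed above exactly as printed (defanged), refangs them, and runs two checks over a constructed proxy log: a direct IoC match on the domain (including subdomains such as www.digiyatra[.]in) and on the hosting IP with its :3000 listener, and the “exact keyword match” idea behind the early warning, which flags any host whose DNS labels contain the brand name but which is not on an allowlist of the brand’s own domains. The allowlist entry is a placeholder assumption for the example; the DigiYatra Foundation’s real domain list is not given on this page. The sample log lines are constructed, not real traffic.

```python
"""Match the DigiYatra phishing IoCs and brand lookalike hosts against proxy logs."""
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators as printed on the page (defanged); refanged below before matching.
IOC_DOMAINS_DEFANGED = ["digiyatra[.]in"]
IOC_IPS_DEFANGED = ["167[.]172[.]151[.]164"]

# Brand keyword the early-warning detection matched on. ALLOWED_HOSTS is an
# ASSUMPTION: a stand-in for the brand's real domain list, which this page does not give.
BRAND_KEYWORD = "digiyatra"
ALLOWED_HOSTS = {"digiyatra-official.example"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('digiyatra[.]in', 'hxxp://') back into a live one."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}
IOC_IPS = {refang(i) for i in IOC_IPS_DEFANGED}


def host_of(url: str) -> Tuple[str, Optional[int]]:
    """Return (hostname, port) from a URL. The port is kept because the page notes
    the server also answered directly on 167.172.151.164:3000."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower().rstrip("."), parts.port


def under(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it (www.digiyatra.in)."""
    return host == domain or host.endswith("." + domain)


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_host(host: str) -> List[str]:
    """Return the reasons a host is suspicious; an empty list means no match."""
    reasons: List[str] = []
    if is_ip(host):
        if host in IOC_IPS:
            reasons.append("ioc-ip")
        return reasons  # no brand-keyword logic for bare IPs
    if any(under(host, d) for d in IOC_DOMAINS):
        reasons.append("ioc-domain")
    # "Exact keyword match": the brand name appears inside a DNS label of a host
    # that is not the brand's own. The keyword in a URL path does not count.
    labels = host.split(".")
    if any(BRAND_KEYWORD in label for label in labels) and not any(
        under(host, a) for a in ALLOWED_HOSTS
    ):
        reasons.append("lookalike")
    return reasons


URL_RE = re.compile(r"url=(\S+)")


def scan_logs(lines: List[str]) -> List[Tuple[int, str, Optional[int], List[str]]]:
    """Scan key=value proxy lines; return (line_no, host, port, reasons) for each hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = URL_RE.search(line)
        if not m:
            continue
        host, port = host_of(m.group(1))
        reasons = classify_host(host)
        if reasons:
            hits.append((n, host, port, reasons))
    return hits


# Constructed sample proxy log for this example, not real traffic.
SAMPLE_LOG = [
    "2024-05-02T09:14:03Z client=10.0.0.17 method=GET url=https://digiyatra.in/",
    "2024-05-02T09:14:09Z client=10.0.0.17 method=POST url=https://www.digiyatra.in/register",
    "2024-05-02T09:15:40Z client=10.0.0.22 method=GET url=http://167.172.151.164:3000/",
    "2024-05-02T09:16:01Z client=10.0.0.31 method=GET url=https://digiyatra-helpdesk.example.net/",
    "2024-05-02T09:16:30Z client=10.0.0.31 method=GET url=https://example.com/news/digiyatra",
    "2024-05-02T09:17:12Z client=10.0.0.40 method=GET url=https://digiyatra-official.example/app",
]

if __name__ == "__main__":
    for n, host, port, reasons in scan_logs(SAMPLE_LOG):
        shown = f"{host}:{port}" if port else host
        print(f"line {n}: {shown} -> {', '.join(reasons)}")
```

The lookalike check deliberately runs on host labels only, so a legitimate news page with the brand name in its path is not flagged, while a registration the brand does not own under any TLD or with any prefix or suffix is. The IP match is what catches traffic to the :3000 listener after the domain has been sinkholed or taken down.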

Read more: https://threatwatch360.com/blogs/fake-digiyatra-website-targeting-indian