Scammers exploit Raksha Bandhan with phishing messages, fake e‑commerce sites, fraudulent delivery alerts, UPI payment traps, and impersonation tactics to steal money and credentials. Cloudsek’s investigation ties one such campaign to phishing kits, spoofed domains, and a suspected operator identified as Shyam Saini. #Cloudsek #ShyamSaini
Keypoints
- Fraudsters run Rakhi-themed phishing across SMS, WhatsApp and social media claiming gifts, huge discounts, or delayed deliveries to lure victims into clicking malicious links.
- Attackers abuse URL masking (a trusted-looking brand name placed before the “@” in a URL, which browsers treat as discardable userinfo rather than the destination) and cloned websites to send users to attacker-controlled .cyou or similarly spoofed domains that harvest payment details.
- Fake shopping pages and sponsored ads redirect users to scam sites (e.g., rakshabandhanoffer.in.net/RakhiOff/) that capture payment information or host phishing kits.
- UPI-based scams and fake gift-card pages prompt users to approve payments or enter UPI codes; researchers recovered a linked UPI ID and business name tied to the campaign.
- Threat actors also use emotional impersonation and fake customer‑support tactics (including screen-sharing/video calls) to trick victims into revealing OTPs or installing malicious apps.
- Cloudsek traced infrastructure and a suspected actor (Facebook profile for Shyam Saini) and found phishing kit artifacts (e.g., Giftcard as PM.zip / PM.zip) on impersonating domains.
MITRE Techniques
- [T1566] Phishing – Attackers sent phishing messages via email/SMS/WhatsApp to trick recipients into clicking malicious links and forms, using lures such as ‘Your Rakhi gift is on the way’ or advertised Rakhi sale coupons.
- [T1566.002] Phishing: Link – Malicious links in messages and ads redirected users to phishing pages and malicious domains (example: URLs containing ‘ecom.com@’ that actually resolve to a .cyou webpage) (‘most browsers ignore everything before the “@” symbol… they are being redirected to a potentially malicious website’).
- [T1204] User Execution – Victims were induced to click links, scan QR codes, or approve UPI prompts, resulting in transfers or malware installation (‘Clicking or responding can lead to malware on your phone or theft of payment data’).
- [T1189] Drive-by Compromise – Malicious webpages and redirected ad links hosted phishing kits and payloads that could deliver malware or initiate payment theft when visited (‘link capable of delivering malware to your device or stealing your payment information’). Note that the write-up describes pages reached via phishing links rather than exploitation on page load, so this mapping is looser than ATT&CK’s definition of drive-by compromise.
- [T1036] Masquerading – Clone sites and fake social pages mimicked legitimate brands and courier services with minor typos or spoofed domains to deceive users (‘clone sites often mimic real brands but have spelling errors or strange URLs’).
- [T1113] Screen Capture – Scammers persuaded victims to share their screens in video calls under the guise of customer support in order to read OTPs or payment information (‘insisting she share her screen… planned to push a malicious app prompt and capture her OTP’). Here the capture is achieved by social engineering a screen-share, not by malware taking screenshots.
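The “@” masking called out under T1566.002 works because RFC 3986 (and the WHATWG URL parser browsers implement) treats everything before the last “@” in the authority as userinfo, which is discarded for http(s) navigation; the host the browser connects to is whatever follows it. The following Python is an added example written for this page, not code from Cloudsek or the write-up: it parses links the way a browser does, separates the decoy text from the real host, and flags the TLDs the write-up mentions. All message text and the hosts rakhi-gift.cyou and www.example.com are constructed placeholders; only rakshabandhanoffer.in.net/RakhiOff/ is taken from the write-up, and the suspicious-TLD list is an assumption to extend as needed.

```python
"""Detect userinfo-style URL masking ("brand.com@attacker-host") in messages.

Added example for this page; not Cloudsek's code. Sample messages and all
hosts except rakshabandhanoffer.in.net are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# TLDs the write-up names as abused in this campaign (assumption: extend as needed).
SUSPICIOUS_TLDS = {"cyou", "xyz"}

# Match http(s) links, or scheme-less "something@host.tld/..." tokens as they
# appear in SMS/WhatsApp text. Trailing punctuation is stripped afterwards.
LINK_RE = re.compile(
    r"https?://[^\s<>\"']+"
    r"|[\w.-]+@[\w.-]+\.[A-Za-z]{2,}/[^\s<>\"']*"
)


@dataclass
class LinkVerdict:
    url: str
    real_host: Optional[str]   # host the browser will actually connect to
    decoy: Optional[str]       # text before '@' that a victim reads as the host
    masked: bool               # True when userinfo masking is present
    suspicious_tld: bool       # True when the real host uses a listed TLD


def inspect_link(url: str) -> LinkVerdict:
    """Parse one link as a browser would and report the real destination."""
    if "://" not in url:
        # Bare links in chat messages are opened as http by most clients (assumption).
        url = "http://" + url
    parts = urlsplit(url)
    # urlsplit, like browsers, splits userinfo from the host at the LAST '@'
    # in the authority; an '@' in the path or query never affects the host.
    real_host = parts.hostname
    decoy = parts.netloc.rsplit("@", 1)[0] if "@" in parts.netloc else None
    tld = real_host.rsplit(".", 1)[-1] if real_host and "." in real_host else ""
    return LinkVerdict(
        url=url,
        real_host=real_host,
        decoy=decoy,
        masked=decoy is not None,
        suspicious_tld=tld in SUSPICIOUS_TLDS,
    )


def triage_message(text: str) -> List[LinkVerdict]:
    """Extract every link from a message and inspect each one."""
    verdicts = []
    for match in LINK_RE.finditer(text):
        link = match.group(0).rstrip(".,!?;:)")
        verdicts.append(inspect_link(link))
    return verdicts


# Constructed sample messages (not real campaign text).
SAMPLE_MESSAGES = [
    "Your Rakhi gift is on the way! Confirm address: https://ecom.com@rakhi-gift.cyou/track?id=123",
    "Flat 80% off Rakhi sale: rakshabandhanoffer.in.net/RakhiOff/",
    "Your order at https://www.example.com/orders/1?ref=a@b has shipped.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for v in triage_message(msg):
            flag = "MASKED" if v.masked else "ok"
            print(f"{flag:6} real_host={v.real_host} decoy={v.decoy} "
                  f"suspicious_tld={v.suspicious_tld}  <- {v.url}")
```

The second sample is not flagged by this check: the cloned-site domain from the write-up carries no “@” trick, so masking detection is only one signal and must sit alongside brand-impersonation and lookalike-domain checks. The third sample shows the safe case, where an “@” in the query string does not change the host.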
Indicators of Compromise
- [Domain] Impersonating Raksha Bandhan offers – rakshabandhanofer.xyz, rakshabandhanoffer.in.net/RakhiOff/ (plus other scam domains redirecting to phishing pages)
- [UPI ID] Scam payment identifier tied to the campaign – 34161FA82032*AA2D24E6B40@mairtel (linked to the business name “udayrajkiranastore”)
- [File name] Phishing kit archive hosted on an impersonating domain – ‘Giftcard as PM.zip’ / ‘PM.zip’ (kit used to build the gift-card scam pages)
- [Social profile URL] Suspected threat actor profile identified via OSINT – https://www.facebook.com/shyam.saini.263528 (profile connected to the discovered UPI/payment code)
- [Malicious TLD/context] URL masking technique and deceptive TLDs – attacker-controlled .cyou domains and URLs using the “@” trick, in the form described above where a trusted name such as ‘ecom.com@’ precedes the real .cyou host (the specific example host is not reproduced here)