The festival season is the season of the con as well. Have you been promised gifts and prizes, including money, while shopping online? Don't fall for them.
The Indian Computer Emergency Response Team (CERT-In) has warned that users are being targeted through fake messages that claim festive offers and then lead them to Chinese websites that can steal sensitive information such as bank account details, passwords and OTPs.
"Fake messages are in circulation on various social media platforms (WhatsApp, Telegram, Instagram, etc), that falsely claim a festive offer luring users into gift links and prizes," an October 18 advisory by CERT-In said.
"The threat actor is mostly targeting women and asking to share the links among peers over WhatsApp/Telegram/Instagram accounts," it added.
How does it work?
CERT-In said the victim receives a message with a link to a website modelled after websites of popular brands.
The national agency for cybersecurity said many of the websites to which users were being led had Chinese (.cn) domains. Other extensions include .top and .xyz.
On the website, the user is asked to fill up a questionnaire with the false claim of securing a chance to win money and prizes.
"The attackers entice the users to give sensitive information like personal details, bank account details, passwords, OTPs or use it for adware and other adversarial purposes," the advisory read.
After that, the website claims that a user has won a prize and asks them to share the website link with others through WhatsApp.
"The malicious link may further result in large-scale attacks and financial frauds," the advisory added.
Averting such scams
CERT-In urged users not to browse untrusted websites or click on untrusted links.
"Exercise due care before clicking on link provided in the message. Only click on URLs that clearly indicate the website domain. When in doubt, users can search for the organisation's website directly using search engines to ensure that the websites they visited are legitimate," the agency recommended.
It said that legitimate organisations would never ask for login credentials or credit card information by email or SMS.
"Keep personal information private. Threat actors can use social media profiles to gather information and make targeted attack against you," the advisory read.