Date: 2021-03-01

An investigation carried out by a Delhi-based think tank has revealed a phishing attack that targeted multiple users of State Bank of India (SBI). The users were spammed with suspicious texts asking them to redeem SBI credit points worth Rs 9,870, reported IANS.

The message carried a link which, when clicked, leads to a page with a form titled 'State Bank of India Fill Your Details'. The form asks for personal information: name, registered mobile number, email, email password and date of birth.

It also asks for sensitive financial details such as card number, expiry date, CVV and MPIN. After the form is submitted, the user is directed to a "thank you" page.

CyberPeace Foundation, the think tank, and Autobot Infosec Private Ltd carried out an investigation that revealed multiple details to prove that the entire thing is a phishing attack.

Firstly, the website collects data directly without any verification, and the domain is registered by a third party rather than carrying State Bank of India as the registrant organisation, making it all the more suspicious.

"Moreover, according to SBI, they never communicate with their customers via SMS or emails containing links with regard to the user's account. Any reputed banking entity also does not use WordPress-like CMS technologies on their official website for security reasons," the foundation said.

"The domain name of the website can be traced to India, and the registrant state was found to be Tamil Nadu," the report mentioned.

According to the report, errors were noticed in the source code of fields such as the 'registered mobile number' field. It should accept only numerical values but was also accepting text input. This was confirmed from the source code, where the input type for the field is set to 'text' instead of 'number' or 'tel'.

"The email password field shows the entered password in clear text instead of keeping the characters hidden. A similar source code observation is noted," it added.

"The card number field accepts an infinite number of digits instead of only 16 digits, which SBI cards usually have. All these instances of negligence clearly indicate bad coding practice," the foundation said.
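
The form defects described in the report can be checked automatically when triaging a reported link. The following is an added example, not code from the CyberPeace report or the phishing page: it parses a form's HTML and flags the same indicators. The sample markup and its field names are constructed assumptions.

```python
from html.parser import HTMLParser

# Constructed sample markup modelled on the fields the report describes;
# the field names are assumptions, not taken from the actual phishing page.
SAMPLE_FORM = """
<form method="post" action="submit.php">
  <input type="text" name="mobile">
  <input type="text" name="email">
  <input type="text" name="email_password">
  <input type="text" name="card_number">
  <input type="text" name="cvv">
  <input type="text" name="mpin">
</form>
"""

class InputCollector(HTMLParser):
    """Collects the attributes of every <input> element."""
    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append({k: (v or "") for k, v in attrs})

def audit_form(html):
    """Return findings matching the form defects noted in the report."""
    parser = InputCollector()
    parser.feed(html)
    findings, names = [], set()
    for field in parser.inputs:
        name = field.get("name", "").lower()
        ftype = field.get("type", "text").lower()
        names.add(name)
        if ("mobile" in name or "phone" in name) and ftype not in ("tel", "number"):
            findings.append(f"{name}: type '{ftype}' accepts non-numeric input")
        if "password" in name and ftype != "password":
            findings.append(f"{name}: password shown in clear text")
        if "card" in name and not field.get("maxlength"):
            findings.append(f"{name}: no maxlength, unlimited digits accepted")
    # Heuristic (assumption): one form asking for an email password together
    # with card secrets is treated as a credential-harvesting indicator.
    if any("password" in n for n in names) and {"cvv", "mpin"} & names:
        findings.append("form requests email password together with CVV/MPIN")
    return findings

if __name__ == "__main__":
    for finding in audit_form(SAMPLE_FORM):
        print(finding)
```
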