As businesses and individuals moved online, cyber criminals and fraudsters were able to hone their skills and target a wider range of people and organisations in the wake of the COVID-19 pandemic. While the number of cyber attacks on organisations increased in 2020, particularly for banks and payments companies, the number of individuals who have fallen prey to payment frauds through phishing has also increased.
According to information given in Parliament by the Ministry of Electronics and Information Technology (MEITY) in September, the Computer Emergency Response Team (CERT-IN) had reported 696,938 cyber security incidents between January and August 2020 compared to 394,456 incidents in the entirety of 2019. In fact, India experiences 375 cyber attacks on a daily basis as per Lt. Gen. (retd.) Rajesh Pant, National Cyber Security Coordinator, according to a PTI report.
At first, cyber criminals were able to exploit the fear and panic that ensued in the wake of the nationwide lockdowns by targeting consumers with offers on medical equipment and pharmaceuticals. Later, as the government began to open its coffers to provide relief funds to citizens and the Reserve Bank of India (RBI) introduced a loan moratorium, fraudsters were able to tap into these themes in order to exploit unsuspecting customers. They also targeted the PM CARES COVID-19 relief fund by creating fake Unified Payments Interface (UPI) handles.
Major cyber security incidents in 2020
While fraudsters use phishing and social engineering tactics to dupe customers into sending money to them by posing as legitimate organisations or merchants, the number of attacks on institutions has increased in the wake of the pandemic. As more people worked from home, perhaps on unsecured home networks, it became easier for hackers and cyber criminals to target these employees in order to gain access to an organisation’s network. Some of the major cyber security incidents involving payments or banking services entities include:
- January 2020: Currency-exchange provider, Travelex, targeted with a ransomware called Sodinokibi. While the attackers demanded $6 million from the company, Travelex decided to shut its operations in 30 countries.
- February 2020: Hackers sent malicious files through phishing emails which posed as official communication from the Income Tax Department
- Personal details such as names, phone numbers, email addresses and dates of birth of more than 1.2 million SpiceJet passengers
- Motorcycle company Royal Enfield exposed a database of at least 452,000 people in January 2020, which included their names, e-mail IDs, phone numbers, encrypted passwords, vehicle-related information and social media links
- March 2020: Gang in Mumbai was apprehended after creating 4,000 fake FASTags to claim refunds worth ₹20 crore, which were siphoned to multiple accounts
- April 2020: A fake UPI handle was created with a name similar to the official UPI handle for the PM CARES fund
- June 2020: ThreatLabZ finds instances of targeted attacks on government and banking organisations. An email with a malware-laden attachment was sent to the RBI, IDBI Bank, and the Department of Refinance (DOR) within the National Bank for Agriculture and Rural Development
- Quick Heal Security Labs finds a spear-phishing email campaign targeting co-operative banks stating that the RBI has issued new guidelines which the recipient should download via an email attachment
- Central Bureau of Investigation warns states about Cerberus, a trojan that sends links to smartphone users in order to steal details of credit card and other financial information from the phone, as well as capture two-factor authentication details
- CERT-IN issues an advisory on EventBot, a mobile banking malware which steals users’ data from financial applications. The malware is downloaded onto the victim’s device through third-party applications and masquerades as a legitimate application. It is designed to target over 200 different financial applications including banking applications, money transfers and wallets
- Over 7 million records of BHIM UPI app users were breached, including scans of Aadhaar cards, caste certificates, proof of residence, PAN cards, professional certificates and degrees
- July 2020: Small and Medium Enterprises which recently moved to the online world are more vulnerable to cyber security attacks since they do not have the necessary software tools to thwart such attacks.
- Hyperlocal delivery platform Dunzo’s database with users’ phone numbers and email addresses was breached by an attacker, though the company says that database had no payment information such as credit card numbers
- August 2020: CERT-IN issues an alert about a credit card skimmer that targets Microsoft ASP.Net Sites. This skimmer is designed to extract credit card numbers and passwords
- CERT-IN issues a warning about a new banking malware called BlackRock. The malware mimics Google updates, asks the user for elevated system privileges and evades antivirus applications
- Ticketing and travel website RailYatri has suffered a massive data breach, exposing personal details of an estimated 700,000 individuals
- September 2020: The United States’ Department of Justice charged five Chinese nationals for hacking institutions in India and abroad. The attackers have allegedly installed ‘Cobalt Strike Malware’ on Indian government networks and have compromised the websites of several government organisations and stolen software data and business intelligence
- November 2020: Data of over 2 crore BigBasket users, including their names, email IDs, password hashes, pin, and contact numbers, among others, was leaked and is being sold on the dark web
- December 2020: According to Crowdstrike’s ‘2020 Global Cyber Security Attitude Survey’, ransomware attacks have had a significant impact on Indian businesses during the last year, with more than one-third of companies paying the attackers between $1 million and $2.5 million to recover their data and regain system access
- Sensitive card data belonging to millions of Indians has been compromised and leaked on the dark web due to a security compromise at a server used by Juspay
Techniques used by cyber criminals targeting individuals
- Fake websites and illegitimate seller accounts on e-commerce websites marketing healthcare and pharmaceutical products
- Phishing tactics to get customers to pay a fee to avail the loan moratorium
- Fake UPI IDs were created so that customers send money to the wrong account
- Fraudsters create fake websites and use phishing attempts to sell insurance policies at
In light of these rising incidents of frauds, in June last year the RBI issued a notification to payment system operators to improve public awareness about frauds and use multi-lingual messages to educate customers. “In spite of these initiatives, incidence of frauds continue to bedevil digital users, often using the same modus operandi users were cautioned about, such as luring them to disclose vital payment information, swapping SIM cards, opening links received in messages and mails, etc. There are also cases of users being tricked into downloading spurious apps that access critical information stored on devices. It is, therefore, essential that all payment systems operators and participants – banks and non-banks – continue and reinforce efforts to spread awareness about digital safety,” it said.