Fake IRCTC app and 5 other big online scams internet users are losing money to, warn researchers

As digital fraud increase, global cybersecurity solutions provider Quick Heal Technologies has shared an advisory detailing several sophisticated cyber threats that are currently targeting consumers. As the digital landscape evolves, cybercriminals are adapting their tactics, exploiting various platforms and events to defraud unsuspecting users. Researchers at Seqrite Labs have identified some key digital fraud trends.

Banking reward apps

Cybercriminals are employing sophisticated social engineering tactics to trick users into downloading malicious APK files.These scams often create a false sense of urgency with messages like “Available only for today” or “Last day!” They offer enticing rewards such as “Sign up now to enjoy free gift worth $$$” or use fear tactics with messages like “Your account has been blocked due to KYC update”.
The impact of these scams can be severe, including monetary loss, theft of personal data, phishing of bank credentials, and unauthorized transactions. Attackers may gain control over the victim’s device, potentially leading to further exploitation.

Fake IRCTC app

A sophisticated spyware masquerading as the official IRCTC app has been detected. This malicious application can steal Facebook and Google account credentials, extract codes from Google Authenticator, track GPS and network location, and even record and send videos using the device’s camera. The app gathers information about installed applications and sends collected data to a command and control (C2) server.

Festival-related frauds: Be careful of links related to Diwali, Dussehra, and Christmas targeting shoppers

With major festivals like Diwali, Dussehra, and Christmas approaching, Quick Heal has identified a significant uptick in cybercriminal activities targeting shoppers. These scams involve the creation of fake domains impersonating legitimate shopping websites, such as “shoop.xyz” mimicking “shop.com”. Cybercriminals distribute malicious links disguised as special festival gifts via WhatsApp, SMS, and email, often using short URLs to hide the original malicious links.
Victims who click on these links are presented with forms requesting personal details and access to contacts, messages, and call records. The scammers create a false sense of urgency, prompting users to share the message with friends or groups to claim their “special Diwali gift”.

Gift card scams

Scammers are targeting e-commerce customers with fake messages claiming they have won prizes or gift cards. These frauds typically use SMS, email, or social media platforms to distribute messages with text like “Dear customer, congratulations! You have won…” Users are prompted to click on links to claim free gifts or gift cards, which redirect them to malicious sites that harvest personal information.

Income Tax refund scam

A new fraud scheme involves contacting individuals about supposed tax refunds. The scam uses SMS, WhatsApp, or email to reach potential victims, urging them to update their account details for receiving a refund. Messages often include text like “Your income tax refund of Rs. XXXX has been approved. Please verify your account number XXXX.” This can lead to unauthorized access and draining of victims’ accounts.

QR Code Phishing

A new phishing methodology exploits the widespread use of QR codes. This threat involves sending malicious QR codes via text messages, social media apps, or email. When scanned, these codes direct users to fake websites that appear legitimate but are designed to steal personal and financial information. In some cases, scanning these QR codes may result in malware downloads that compromise the user’s device.