Received link to a ‘Diwali gift’? It could be a Chinese phishing attack
The Computer Emergency Response Team, a nodal agency under the ministry of electronics and information technology, has issued a warning to users against phishing attacks this Diwali.
The Centre has warned users against a malicious festival-themed campaign targeting Indian customers in the form of suspicious links to Diwali gifts and prizes. The Indian Computer Emergency Response Team (CERT-In), a nodal agency under the ministry of electronics and information technology (MeitY), has said that fake messages are circulating on social media platforms such as WhatsApp, Telegram and Instagram, falsely claiming a festive offer and luring users with links to gifts and prizes.
CERT-In warned that the threat actor is targeting women and asking them to share the links among peers over their social media accounts. The central team has detailed the modus operandi of the malicious actors duping users during the festive season.
According to CERT-In, the user receives a message containing a link to a phishing website that resembles those of popular brands.
“The customer will be lured with a false claim of a special festive offer on answering a questionnaire through which one can win money and prizes. The attackers entice the users to give sensitive information like personal details, bank account details, passwords, OTPs, or use it for adware and other adversarial purposes”, the advisory stated.
CERT-In pointed out that the website links involved mostly use Chinese domains (.cn) and other extensions such as .top and .xyz. These attack campaigns can effectively jeopardise the privacy and security of sensitive customer data and result in financial fraud.
The Centre has also shared a list of Do's and Don'ts for users.
1. Do not browse untrusted websites or click on untrusted links and exercise caution while clicking on any link in unsolicited emails or messages.
2. Only click on URLs that clearly indicate the website's domain. When in doubt, search for the organisation's official website directly using a search engine to verify that the website you visited is legitimate.
3. Legitimate organisations will never ask for login credentials or credit card details through emails or SMSes. If you receive such a message, then you are definitely dealing with a threat actor.
4. Look for suspicious numbers that don't look like mobile numbers. Scammers usually hide their mobile numbers by using email-to-text services.
5. Keep your personal information private. Make sure that passwords are strong and personal information is not shared with anyone.
6. Download apps only from verified app stores.