A large-scale phishing and scam operation spanning more than 200 sites has duped visitors into handing personal information to phony investment schemes masquerading as legitimate firms. The scheme uses Google Ads and SEO to direct victims to hundreds of fake websites aimed at an Indian audience.
CloudSEK, a Singaporean security firm, discovered the effort. According to researchers Ankit Dobhal and Aryan Singh, the campaign has resulted in up to $1,000,000 in cash losses from tens of thousands of victims.
India’s government has recently implemented favorable regulations to encourage the country’s EV (electric vehicle) sector to expand. The Indian EV market is expected to grow at a 90 percent compound annual growth rate (CAGR) by the end of the decade, making it a $200 billion industry. Over 400 electric vehicle startups have debuted in the country, and major automotive corporations are rapidly expanding their operations in the growing industry.
Scammers have identified these conditions as fertile ground for deception. An avalanche of websites aiming to capitalize on the unexpected surge peaked in August 2021 and continues in huge numbers today. CloudSEK also says it noticed a shift in phishing perpetrators’ focus around that time, with EV themes replacing banking and financial lures.
By misusing Google Ads, loading their fraudulent sites with keywords, and imitating well-known companies like Revolt and Ather, the threat actors ensure a continual stream of prospective victims. In many cases, the malicious actors clone the real site by replicating its content, design, layout, and pictures. In other cases, the scammers create wholly fake marketplaces using general terms like “ebike” and claim to offer items from a variety of manufacturers.
Visitors to these websites are urged to register on the platforms by providing their full names, phone numbers, email addresses, and physical locations. Once registration is complete, the fraudsters ask them to pay to become an EV dealer or to buy a product on the site. At this point the victims are also handing the fraudsters their banking/payment information.
“They (scammers) register a large number of domains and keep some of them parked for use in the future,” explains the CloudSEK report. “Hence, if active domains are reported or taken down, they can use the parked domains to continue running the campaign.”
The researchers estimated the overall financial losses at INR 40-80 million ($500,000 – $1,000,000) based on the number of people registering on these sites every day. Here is a list of the top 100 scam domains. The remaining 100 domains have not been released at the request of the affected EV dealer, which all of them imitate.