Phishing Scam Targets PNB MetLife Users via Fake Payment Gateways, Leveraging Real Apps for Fraudulent Transactions

Sophisticated Phishing Scam Targets PNB MetLife Customers with Fake Payment Gateways

A sophisticated phishing campaign has emerged, specifically targeting customers of PNB MetLife insurance. This scheme employs counterfeit payment gateway pages designed to steal personal information and redirect victims to fraudulent Unified Payments Interface (UPI) transactions.

Exploiting Trust Through Deceptive Portals

The attackers have crafted mobile-optimized payment portals that closely mimic PNB MetLife’s legitimate premium payment services. These fraudulent pages accept policy numbers and customer details without any validation, immediately transmitting the captured data to the attackers via automated channels.

Distribution Channels and User Interaction

The phishing operation primarily spreads through SMS messages, though email and social media platforms may also serve as distribution channels. Upon accessing these fake payment gateways, victims encounter professionally designed interfaces requesting basic information such as name, policy number, and mobile number. Notably, the pages perform no backend verification at all: any value typed into the policy-number field is accepted, because there is no insurer system behind the form to check it against. This keeps victims moving through the fraudulent payment flow, and it is also a simple tell, since a genuine premium-payment portal has to look the policy up before it can quote an amount, so an obviously bogus number should be rejected rather than waved through.

Discovery and Technical Insights

Security researcher Anurag Gawande identified multiple variants of this phishing scheme during threat-hunting activities. His investigation revealed that attackers deployed these pages across free hosting platforms, particularly EdgeOne Pages, enabling rapid deployment and rotation of malicious sites when individual ones are taken down. The campaign marks a shift in financial fraud tactics, from simple credential theft to multi-stage operations that combine data exfiltration with direct payment manipulation.

Progression of the Attack

The attack begins innocuously but quickly escalates as victims progress through seemingly legitimate payment steps. Once initial details are captured, the phishing page transitions to a payment amount collection stage before introducing UPI-based payment mechanisms. This gradual progression builds false confidence while systematically harvesting different layers of information from unsuspecting customers.

Leveraging Legitimate Payment Applications

A particularly dangerous aspect of this threat is its use of real payment applications to complete fraudulent transactions. Instead of relying solely on fake payment processors, the scheme hands the victim off to legitimate UPI apps like PhonePe, Paytm, and Google Pay to complete the transfer. The payment itself is genuine and goes to whatever payee the phishing page specified, so the familiar app interface lowers suspicion, and because UPI transfers settle instantly and are rarely reversible, the money is gone as soon as the victim confirms.

Stealthy Data Theft Through Telegram Infrastructure

Behind the polished interface lies a straightforward but effective data exfiltration mechanism powered by the Telegram Bot API. When victims submit their information, the phishing page silently posts the captured details to an attacker-controlled Telegram chat instead of any legitimate payment backend. This real-time data theft is invisible to the victim, but the bot token and chat ID are hardcoded in the page's JavaScript, so anyone who views the page source can read them, which is also what lets researchers identify the bots and accounts behind the operation.

Investigation into the Phishing Infrastructure

An investigation into the phishing infrastructure uncovered multiple Telegram bots and operator accounts coordinating the fraud. Bots named “pnbmetlifesbot” and “goldenxspy_bot” collect victim submissions, while accounts such as “darkdevil_pnb” and “prabhatspy” monitor and receive stolen information. The stolen data includes names, policy numbers, and mobile numbers, all transmitted instantly as victims complete each form field.

Escalation to Comprehensive Financial Data Theft

Advanced variants of this phishing campaign escalate beyond simple payment fraud into comprehensive banking credential harvesting. These sophisticated templates offer multiple options including “Update Amount,” “Refund Your Amount,” and “Add AutoDebit System,” creating the illusion of legitimate policy servicing. When victims select these options, they eventually encounter pages requesting complete bank account details and debit card information, including card numbers, expiry dates, and CVV codes. All submitted financial credentials are exfiltrated through the same Telegram infrastructure, transforming the operation from payment fraud into full-scale identity and financial data theft.

Protective Measures and Recommendations

To safeguard against such sophisticated phishing attacks, customers are advised to:

– Verify Payment Portals: Check the full domain in the address bar against the insurer's official website before entering anything. Do not treat HTTPS or a padlock as proof of legitimacy: free hosting platforms of the kind used in this campaign issue valid certificates automatically, so a phishing page can look just as "secure" as the real one.

– Avoid Clicking on Suspicious Links: Refrain from accessing payment portals through links received via SMS, email, or social media. Instead, navigate directly to the official website.

– Monitor Financial Statements: Regularly review bank and credit card statements for unauthorized transactions.

– Enable Two-Factor Authentication (2FA): Enhance account security by enabling 2FA where possible.

– Report Suspicious Activity: Immediately report any suspicious communications or transactions to the relevant financial institution.

By remaining vigilant and adopting these protective measures, customers can significantly reduce the risk of falling victim to such sophisticated phishing schemes.