Malware targets India’s largest private bank


Customers of a bank with over 4,000 branches and 13,000 ATMs were targeted in a large phishing campaign.

Customers of ICICI, India’s largest private bank, have become targets in a phishing campaign tailored to dupe victims into handing over their bank credentials.

On Wednesday, researchers from Comodo’s Threat Research Labs said the campaign has the capacity to impact customers who visit ICICI’s 4,000 branches.

In a blog post, the team said the targeted phishing campaign includes crafted emails which spoof the bank’s legitimate Web domain.

Phishing campaigns, in which deceptive emails, links or downloads are used to steal information or deliver malware, usually rely on a psychological hook to persuade victims to part with either information or money. Greed is the classic example: the email "informs" you that a client in Africa wants to send you millions of dollars (but needs your bank details first), or that you have won the Spanish lottery despite never having visited the country.

In recent years, however, attackers have moved beyond basic mass spam that hopes to snare one or two recipients and instead spend more time crafting campaigns tailored to a particular target and purpose.

Banks are a common lure. A campaign aimed at UK customers, for example, might send an email that appears to come from a financial institution such as HSBC, Lloyds or Barclays and carries either a link to a fraudulent but legitimate-looking website or a malware-laden download.

Unfortunately, if these emails look legitimate and include a strong hook, such as "immediate action is required or the account will be closed," they are more likely to succeed.

This also appears to be the case with India's ICICI. The researchers say the psychological hook in the emails was the need for "mandatory" changes, which instils a sense of panic and time pressure in the victim.

If you ramp up the pressure, victims are less likely to take a step back, think about the situation, and take a more reasonable approach such as calling their bank for confirmation.

The campaign's emails carry a sender address presenting as ICICI Bank and, at first glance, appear legitimate. The email asks the recipient to update their bank details and other information. A link is provided, and clicking it to complete this "mandatory" task sends the victim to a set of landing pages with different options.

The victim chooses an option depending on whether they are updating personal or business data. Once this is submitted, they are sent to a further set of pages on the malicious domain asking them to confirm key pieces of information: user ID, password, transaction password, debit card number, email ID and email password.

All of this information is a treasure trove to attackers, who may be able to use it to pilfer funds, conduct identity theft or break into additional accounts through social engineering.


While the attacker-controlled website is plainly not on ICICI's legitimate domain, the copied colouring, logos and styling can dupe customers who do not think to check the address bar, especially when the email has already put them in a panicked state.
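The two checks the article keeps returning to, whether the sender really is the bank and whether the link really goes to the bank's domain, can be automated for mail triage. The example below is added here and is not code from the article or from Comodo; it assumes the bank's legitimate registrable domain is icicibank.com (the page never states it) and uses constructed sample headers and URLs on reserved .example and TEST-NET addresses, not the campaign's actual ones. It also generalises slightly beyond the page, catching the common tricks of putting the real domain in a subdomain or in the userinfo part of the URL.

```python
"""Added example: flag display-name spoofing and look-alike link domains in a
bank-themed phishing email.  Sample data is constructed; the legitimate
domain is an assumption."""
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the bank's legitimate registrable domain (not stated on the page).
LEGIT_DOMAIN = "icicibank.com"
BRAND = "icici"

# Small assumed set of two-label public suffixes. A real deployment should use
# the Public Suffix List (for example via the `tldextract` package) instead.
TWO_LABEL_SUFFIXES = {"co.in", "co.uk", "com.au", "net.in", "org.in"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of a hostname: 'a.b.icicibank.com' -> 'icicibank.com',
    'x.y.co.in' -> 'y.co.in'. Bare IP addresses are returned unchanged."""
    host = host.lower().rstrip(".")
    if host.replace(".", "").isdigit():
        return host
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_sender(from_header: str) -> list[str]:
    """Findings for a From: header. Display-name spoofing ('ICICI Bank <x@other>')
    is the common case: the name claims the bank, the address domain does not."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["sender address could not be parsed"]
    domain = addr.rsplit("@", 1)[1].lower()
    findings = []
    if registrable_domain(domain) == LEGIT_DOMAIN:
        # Address is on the bank's domain; SPF/DKIM/DMARC must still confirm it upstream.
        return findings
    if BRAND in name.lower():
        findings.append(f"display name claims the bank but address domain is {domain}")
    if BRAND in domain:
        findings.append(f"look-alike sender domain {domain}")
    return findings


def check_link(url: str) -> list[str]:
    """Findings for a link. Only urlparse().hostname decides where the browser goes;
    userinfo ('https://icicibank.com@evil.example') and the path are decoys."""
    parts = urlparse(url)
    host = parts.hostname or ""
    if not host:
        return ["link has no host"]
    findings = []
    if parts.scheme != "https":
        findings.append("link is not https")
    reg = registrable_domain(host)
    if reg == LEGIT_DOMAIN:
        return findings
    decoy_text = ((parts.username or "") + parts.path + parts.query).lower()
    if LEGIT_DOMAIN in host:
        findings.append(f"bank domain appears as a subdomain of {reg}")
    elif BRAND in host:
        findings.append(f"look-alike host {host} (registrable domain {reg})")
    elif BRAND in decoy_text:
        findings.append(f"brand name only in userinfo or path; real host is {host}")
    if parts.username:
        findings.append("userinfo before the host hides the real destination")
    return findings


# Constructed samples (not the campaign's actual headers or URLs).
SAMPLE_FROM = "ICICI Bank <alerts@mail-notice.example>"
SAMPLE_LINKS = [
    "https://www.icicibank.com/account/update",           # on the assumed legit domain
    "https://icicibank.com.secure-update.example/login",  # legit domain as a subdomain
    "http://icici-bank-kyc.example/update",               # look-alike host, plain http
    "https://icicibank.com@203.0.113.10/update",          # userinfo decoy, IP host
]


def triage(from_header: str, links: list[str]) -> dict[str, list[str]]:
    """Map each checked item to its findings; items with none are omitted."""
    report = {}
    if sender := check_sender(from_header):
        report[from_header] = sender
    for link in links:
        if found := check_link(link):
            report[link] = found
    return report


if __name__ == "__main__":
    for item, found in triage(SAMPLE_FROM, SAMPLE_LINKS).items():
        print(item)
        for f in found:
            print("   -", f)
```

The sender check is only a first filter: a forged From address on the bank's real domain passes it, so the authoritative verdict has to come from SPF, DKIM and DMARC results on the receiving server. The link check deliberately trusts nothing but the parsed hostname, which is exactly the part of the address bar the article says panicked users fail to read.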

Potential victims have been alerted to the campaign, which is one of many that land in inboxes across the West and beyond every day. It is not only up to email providers and legitimate businesses to keep users informed, however; it is also down to us to take a step back, take a deep breath and think about the situation before blindly handing over our details.