A few months ago we noticed a single phish kit that targeted 13 UK banks at once. It included a web page that listed all of the banks; would-be victims were instructed to click the link that corresponded to their bank and complete the subsequent forms.
Now it seems that the attackers have created an Indian version of their kit. This new kit uses the ruse that the Central Bank of India requires that users update their accounts. Three of the largest Indian banks are the targets: ICICI, Axis, and HDFC.
However, as is often the case, the phishers were sloppy and missed that the <title> tag of their phish says “United Kingdom Banking Update”. There are other signs that this was done by relative amateurs. Each of the three backend PHP scripts that drive the phish appears to come from another kit and a different author.
The credits in the code for each phish are:
“Nameless” – ICICI Phish Kit
“Dr Spamer” – HDFC Phish Kit
“Darklyte” – Axis Phish Kit
However, all of the phish ‘drop’ stolen credentials to the same Gmail address, which has been reported to Google for shutdown. Whoever is behind the use of these kits, they sure are prolific. It turns out the site where the 3-in-1 Indian phish were discovered also contains the 13-UK phish site as well as phish targeting Bank of America, America Online, Poste Italiane, a separate ICICI phish, and a separate HDFC phish.
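The three observations above (a recycled <title>, different author credits, one shared drop address) can be checked mechanically when triaging a recovered kit. The sketch below is an added example, not code from the kit or from our tooling; the file names, comment formats and the drop address drop@example.com are constructed stand-ins.

```python
import re
from collections import defaultdict

# Constructed sample input: stand-ins for the landing page and the three PHP
# backends. File names, credit comments and the drop address are invented.
KIT = {
    "index.html": "<html><head><title>United Kingdom Banking Update</title></head>"
                  "<body>ICICI | Axis | HDFC</body></html>",
    "icici/post.php": "<?php /* Created by Nameless */ $to = 'drop@example.com';",
    "hdfc/login.php": "<?php // Coded by Dr Spamer\n$send = \"drop@example.com\";",
    "axis/send.php": "<?php # created by Darklyte\n$recipient = 'drop@example.com';",
}

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CREDIT = re.compile(r"(?:created|coded)\s+by\s+([\w .-]+)", re.I)
TITLE = re.compile(r"<title>(.*?)</title>", re.I | re.S)

def shared_drops(kit):
    """Map each e-mail address to the PHP scripts naming it; keep those in 2+ files."""
    seen = defaultdict(set)
    for path, text in kit.items():
        if path.endswith(".php"):
            for addr in EMAIL.findall(text):
                seen[addr.lower()].add(path)
    return {a: sorted(p) for a, p in seen.items() if len(p) > 1}

def credits(kit):
    """Author credit per file, taken from 'created by' / 'coded by' comment text."""
    out = {}
    for path, text in kit.items():
        m = CREDIT.search(text)
        if m:
            out[path] = m.group(1).strip()
    return out

def title_mismatch(html, expected_terms):
    """Return the <title> text when it mentions none of the targeted brands."""
    m = TITLE.search(html)
    title = m.group(1).strip() if m else ""
    if any(t.lower() in title.lower() for t in expected_terms):
        return None
    return title

if __name__ == "__main__":
    print(shared_drops(KIT))
    print(credits(KIT))
    print(title_mismatch(KIT["index.html"], ["India", "ICICI", "Axis", "HDFC"]))
```

Different credits with one shared drop address is the pattern described here: scripts borrowed from several authors, operated by a single user.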