Cyble Uncovers Multi-Domain E-Challan Phishing Campaign In India

Cyble Research reveals a browser-based phishing campaign using fake e-Challan portals and SMS links to steal banking and card details from Indian vehicle owners.

SMEStreet Edit Desk
Daksh Nakra, Senior Manager of Research and Intelligence at Cyble

Cyble Research and Intelligence Labs (CRIL) has uncovered a large-scale, browser-based phishing campaign targeting Indian vehicle owners through fake e-Challan portals. The operation, an evolution from the Android-malware-driven e-Challan scams observed earlier, uses more than 36 fraudulent domains and exploits trust in Regional Transport Office (RTO) services to harvest payment-card details.

The investigation, which corroborates recent warnings in mainstream media including Hindustan Times, shows an active and ongoing campaign that uses locally registered infrastructure to appear credible and maximize victim impact.

"This campaign demonstrates a pivot from the previously observed Android malware use to browser-based fraud, which significantly lowers the technical barriers and expands the pool of potential victims," said Daksh Nakra, Senior Manager of Research and Intelligence at Cyble. "The use of Indian mobile numbers registered with popular telecom operators and linked to State Bank of India accounts shows how attackers deliberately exploit trust in familiar institutions to increase success rates."

Campaign Overview and Attack Flow

Multi-Stage Phishing Operation

The attack begins with an SMS claiming an overdue traffic fine and creating urgency through threats of licence suspension, court summons and legal proceedings. The message carries a shortened URL that resolves to a professionally cloned government portal hosted on a domain mimicking the legitimate e-Challan site.

Key Technical Findings:

Dynamic Challan Fabrication

  1. The portal generates a realistic-looking violation record for whatever the victim enters, regardless of input
  2. It shows a modest fine (typically INR 590) with a near-term payment deadline, an amount low enough to pay without scrutiny
  3. No lookup against real challan records occurs; the fabricated record exists only to pressure the victim
  4. Pages replicate official MoRTH branding and NIC insignia

Card Data Harvesting

  1. Payment pages restrict the options to credit and debit cards only
  2. UPI and net banking are deliberately omitted, since those flows would require a traceable payee account
  3. The form collects the full card number, expiry date and CVV, which is everything needed for card-not-present fraud
  4. Pages falsely claim the payment is processed through Indian banks
  5. Repeated submissions are accepted, and every submission is sent to the attacker's backend

Localized Infrastructure for Enhanced Credibility

  1. The SMS is sent from an Indian mobile number registered with Reliance Jio Infocomm Limited
  2. The number is linked to a State Bank of India account
  3. The pairing of a domestic carrier with a public-sector bank raises the perceived legitimacy of the message
  4. This is far more convincing to recipients than messages sent through international SMS gateways

Shared Fraud Infrastructure Uncovered

CRIL's infrastructure analysis revealed extensive multi-sector targeting using shared phishing backends:

Primary Infrastructure

  1. Over 36 phishing domains impersonating e-Challan services
  2. Additional targets: HSBC-themed payment lures (BFSI sector)
  3. Logistics company impersonation: DTDC, Delhivery
  4. Consistent UI patterns and payment-harvesting logic across campaigns

Secondary Infrastructure

  1. Multiple domains mimicking Parivahan services
  2. Automatically generated phishing domains suggesting rotation techniques
  3. Designed to evade takedowns and blocklists
  4. Same operational flow as primary campaign

The infrastructure overlap confirms a professionalized phishing operation supporting multiple fraud verticals rather than isolated scam attempts.

Anti-Detection Measures:

  1. Page content was originally authored in Spanish; victims see it in English only through the browser's translation prompt
  2. This indicates reuse of a phishing kit template across regions
  3. Browser warnings (Microsoft Defender) do appear, but the lure's urgency cues lead victims to click through them
  4. Domain generation techniques keep the infrastructure resilient to takedowns

At the time of publication, many associated phishing domains remain active, indicating ongoing operational status rather than isolated or short-lived activity.

Multi-Sector Risk: The shared infrastructure reveals systematic targeting beyond RTO themes, affecting:

  1. Government service users (e-Challan, Parivahan)
  2. Banking customers (HSBC-themed lures)
  3. Courier and e-commerce customers (DTDC, Delhivery impersonation)

Critical Recommendations

  1. Never click links in unsolicited SMS messages claiming traffic violations
  2. Verify fines only through the official government portal (parivahan.gov.in), reached by typing the address rather than following a link
  3. Scrutinize domains carefully: look for spelling variations, inserted hyphens and unusual TLDs; the genuine portal sits under gov.in
  4. Be suspicious of any "government" payment page that accepts only credit or debit cards
  5. Report suspicious messages to cybercrime authorities immediately
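The following Python script is an added example, not Cyble's code and not the detection guidance in its blog post. It turns the recommendations above into a simple SMS triage heuristic: any URL whose host is not under gov.in (or nic.in) is treated as non-official, URL shorteners are penalised because they hide the destination, hosts that borrow e-Challan branding on a non-government domain are treated as lookalikes, and the urgency cues the article describes add to the score. The shortener list, brand tokens, scoring weights and sample messages are all constructed for the example; the sample URLs are placeholders, not observed indicators.

```python
"""Triage SMS text for fake e-Challan lures.

Added example, not Cyble's detection logic. The heuristics encode the article's
advice: the only legitimate portal is under gov.in, shortened URLs hide the
destination, lookalike hosts borrow brand strings, and the lure leans on urgency.
"""
import re
from urllib.parse import urlsplit

# Official government suffixes (parivahan.gov.in is the portal the article names).
OFFICIAL_SUFFIXES = (".gov.in", ".nic.in")
# Brand strings a lookalike host tends to borrow (assumption: chosen for this example).
BRAND_TOKENS = ("parivahan", "challan", "rto", "morth")
# Common URL shorteners (constructed list; feed it from your own intel in practice).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly", "is.gd", "rb.gy", "tiny.cc"}
# Urgency cues the article describes: suspension, court summons, legal action, deadlines.
URGENCY = re.compile(
    r"licen[cs]e\s+suspen|court|summon|legal\s+(action|proceed)|overdue|"
    r"immediately|within\s+\d+\s+(hours?|days?)",
    re.I,
)
# URLs with or without a scheme; bare forms like bit.ly/abc are common in SMS.
URL_RE = re.compile(
    r"https?://[^\s<>\"']+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s<>\"']*)?", re.I
)


def extract_hosts(text):
    """Return the lowercase hostname of every URL-like token in the message."""
    hosts = []
    for match in URL_RE.finditer(text):
        raw = match.group(0)
        if not raw.lower().startswith("http"):
            raw = "http://" + raw
        host = urlsplit(raw).hostname
        if host:
            hosts.append(host.lower().rstrip("."))
    return hosts


def normalise(host):
    """Undo common digit-for-letter swaps so 'par1vahan' still matches 'parivahan'."""
    return host.translate(str.maketrans("013", "oie"))


def classify_host(host):
    """Label a host as 'official', 'shortener', 'lookalike' or 'unknown'."""
    if host.endswith(OFFICIAL_SUFFIXES):
        return "official"
    if host in SHORTENERS:
        return "shortener"
    if any(token in normalise(host) for token in BRAND_TOKENS):
        return "lookalike"
    return "unknown"


def triage_sms(text):
    """Score one SMS; returns a dict with score, verdict and the reasons behind it."""
    score, reasons = 0, []
    for host in extract_hosts(text):
        label = classify_host(host)
        if label == "official":
            reasons.append(f"{host}: official government host")
        elif label == "shortener":
            score += 2
            reasons.append(f"{host}: URL shortener hides the real destination")
        elif label == "lookalike":
            score += 3
            reasons.append(f"{host}: borrows e-Challan branding on a non-gov.in host")
        else:
            score += 1
            reasons.append(f"{host}: non-government host")
    if URGENCY.search(text):
        score += 1
        reasons.append("urgency cue (suspension/court/deadline)")
    verdict = "phishing" if score >= 3 else ("suspicious" if score >= 2 else "benign")
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample messages; the URLs are placeholders, not observed indicators.
SAMPLES = [
    "Traffic challan of INR 590 overdue. Pay within 24 hours to avoid license "
    "suspension: https://echallan-parivahan.example/pay",
    "Your vehicle has a pending e-challan. Pay now bit.ly/rto-fine or face court summons",
    "Reminder: view your challan at https://echallan.parivahan.gov.in/",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        result = triage_sms(sms)
        print(result["verdict"], result["score"], result["reasons"])
```

The first two samples score as phishing (a branded non-gov.in host plus an urgency cue, and a shortener plus a court threat), while the third, which points at the genuine portal, scores as benign. In production the shortener and brand lists would come from a threat-intelligence feed such as the IoCs Cyble publishes, and the verdict would feed an SMS-gateway or mail-filter policy rather than a print statement.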

Complete technical analysis, indicators of compromise (IoCs), MITRE ATT&CK mappings and detection guidance are available in Cyble's full blog post.

IoCs have been published to Cyble's GitHub repository for immediate integration into security platforms and threat intelligence feeds.
