The Rise of Browser-Based e-Challan Scams in India


In late 2025, Cyble’s CRIL team reported a significant resurgence of RTO-themed phishing attacks in India. These scams exploit public trust in the e-Challan traffic fine system, using browser-based phishing portals rather than traditional malware. Victims receive SMS messages urging immediate payment of fake fines, leading them to fraudulent government-lookalike sites that steal credit or debit-card data.

Severity: High

Threat Details

The campaign represents a shift toward scalable, shared phishing infrastructure that simultaneously targets multiple industries – government, BFSI (banking and financial services), and logistics.

  1. Initial Access (T1566.001 – Phishing via SMS)
    • Victims receive SMS alerts claiming an overdue traffic violation fine.
    • Messages use threatening language about legal consequences and contain shortened URLs impersonating government e-Challan domains (e.g., echallaxzv[.]vip).
    • The sender appears as a local Indian mobile number (Reliance Jio) to bypass spam filters.
  2. Phishing Site Redirection
    • Clicking the link redirects users to fake portals hosted primarily on 101[.]33[.]78[.]145 and 43[.]130[.]12[.]41.
    • The cloned portals mimic Ministry of Road Transport & Highways (MoRTH) and NIC branding, complete with official insignia and formatting.
    • The page requests a vehicle or challan number, then fabricates a realistic challan record (fine ≈ INR 590) with expiry warnings to instill urgency.
  3. Credential & Card Data Harvesting (T1056, T1119, T1041)
    • When users click “Pay Now,” they are directed to card-only payment pages falsely branded as Indian bank gateways.
    • Input fields collect card number, expiry date, CVV, and name, sending all data directly to the attacker backend—regardless of transaction success.
    • The backend reuses the same template infrastructure for HSBC, DTDC, and Delhivery phishing, confirming cross-sector fraud operations.
  4. Infrastructure & Scaling
    • Over 36 active phishing domains tied to the same IPs; domains are automatically generated to evade takedowns.
    • Shared backend architecture enables simultaneous execution of government impersonation and commercial delivery scams.
    • Some templates were traced to Spanish-authored code, suggesting international reuse of phishing kits.
  5. Attribution & Localization
    • Phone number analysis links the sender to an SBI-associated account, reinforcing local credibility.
    • The attack is financially motivated, with no signs of espionage or data-theft beyond card harvesting.
  6. Observed Impact
    • Indian citizens across multiple states reported financial losses due to fraudulent fine payments.
    • The campaign continues to evolve dynamically, using rotating domains and localized SMS routes for persistence.
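The SMS lure described above combines three observable features: an e-Challan or traffic-fine theme, urgency language, and a link whose host either is a public shortener or imitates a government name without sitting under a government domain. The following script is an added example (not code from the original advisory or from Cyble) that scores incoming SMS text on those features, as a starting point for the kind of SMS filtering a carrier or MDM gateway could apply. The sample messages are constructed; only the hostname echallaxzv[.]vip and the INR 590 amount come from the advisory, and the shortener list, the keyword lists, the score weights and the 0.7 fuzzy-match threshold are assumptions.

```python
"""Heuristic filter for RTO / e-Challan-themed smishing lures.

Constructed example: the sample messages below are made up for the demo.
Only the hostname echallaxzv[.]vip and the INR 590 amount come from the
advisory; the shortener list, keyword lists and weights are assumptions.
"""
import difflib
import re
from urllib.parse import urlparse

# Hosts under these suffixes are treated as genuine Indian government
# infrastructure; anything else carrying an e-Challan theme is suspect.
OFFICIAL_SUFFIXES = (".gov.in", ".nic.in")

# Assumed list of public URL shorteners often used to hide the real host.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly", "rb.gy"}

THEME_WORDS = ("challan", "traffic fine", "traffic violation", "vehicle")
URGENCY_WORDS = ("immediately", "within 24", "legal action", "court", "suspend", "penalty")
# Names the lure impersonates; the leftmost DNS label is fuzzy-matched
# against these so that truncated lookalikes such as "echallaxzv" still hit.
LOOKALIKE_NAMES = ("echallan", "parivahan", "morth")
FUZZY_THRESHOLD = 0.7

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def refang(text: str) -> str:
    """Turn defanged indicators ('[.]', 'hxxp') back into parseable form."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def extract_hosts(text: str) -> list[str]:
    """Return the lower-cased hostnames of every URL in the message."""
    hosts = []
    for url in URL_RE.findall(refang(text)):
        host = (urlparse(url).hostname or "").lower()
        if host:
            hosts.append(host)
    return hosts


def is_official(host: str) -> bool:
    """True when the host sits under a government suffix."""
    return any(host.endswith(suffix) for suffix in OFFICIAL_SUFFIXES)


def looks_like_official(host: str) -> bool:
    """Fuzzy-compare the leftmost label with the impersonated names."""
    label = host.split(".")[0]
    return any(
        ref in label or difflib.SequenceMatcher(None, label, ref).ratio() >= FUZZY_THRESHOLD
        for ref in LOOKALIKE_NAMES
    )


def score_sms(text: str) -> dict:
    """Score one message; a total of 4 or more is treated as a phishing lure."""
    lowered = text.lower()
    score, reasons = 0, []
    themed = any(w in lowered for w in THEME_WORDS)
    if themed:
        score += 1
        reasons.append("e-challan/RTO theme")
    if any(w in lowered for w in URGENCY_WORDS):
        score += 1
        reasons.append("urgency language")
    for host in extract_hosts(text):
        if is_official(host):
            continue  # genuine portal link: no penalty
        if host in SHORTENER_HOSTS:
            score += 2
            reasons.append(f"shortened URL ({host})")
        elif themed and looks_like_official(host):
            score += 3
            reasons.append(f"government-lookalike host ({host})")
        elif themed:
            score += 2
            reasons.append(f"non-government host with fine theme ({host})")
    return {"score": score, "phish": score >= 4, "reasons": reasons}


# Constructed sample messages (the second uses a placeholder gov.in host).
SAMPLE_SMS = [
    "Traffic Challan Alert: your vehicle has a pending fine of Rs 590. "
    "Pay immediately to avoid legal action: hxxps://echallaxzv[.]vip/pay",
    "Your e-challan notice is available on the official portal: https://example.gov.in/challan",
    "Reminder: vehicle service appointment tomorrow 10am at our workshop.",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        result = score_sms(sms)
        print(f"{'PHISH ' if result['phish'] else 'ok    '} score={result['score']} {result['reasons']}")
```

The fuzzy label match is what catches the campaign's truncated lookalike: `echallaxzv` shares seven leading characters with `echallan`, which is enough to cross the threshold, while a plain substring check on "challan" would miss it. Tune the weights and threshold against your own traffic before enforcing; the structure (theme, urgency, untrusted host) is the transferable part.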

This browser-based e-Challan phishing wave marks a notable advancement in fraud scalability and localization, leveraging psychological urgency and authentic branding to bypass awareness defenses. It underscores a broader industry trend where attackers replace malware delivery with direct financial-data theft via social engineering.

MITRE ATT&CK

| Tactic            | Technique                         | ID        | Details                                                                                       |
|-------------------|-----------------------------------|-----------|-----------------------------------------------------------------------------------------------|
| Initial Access    | Phishing: Spearphishing via SMS   | T1566.001 | Attackers send fraudulent SMS messages with fake traffic fine alerts and phishing URLs.        |
| Credential Access | Input Capture                     | T1056     | Fake payment portals capture credit/debit card data, including CVV and expiry details.         |
| Collection        | Automated Collection              | T1119     | Phishing sites automatically harvest and store submitted payment data from victims.            |
| Exfiltration      | Exfiltration Over C2 Channel      | T1041     | Stolen card information is transmitted directly to the attacker-controlled backend infrastructure. |
| Impact            | Financial Theft                   | T1657     | Compromised card credentials are used for unauthorized financial transactions and fraud.       |

Recommendations

  1. Educate end-users on verifying e-Challan payments via official government portals and avoiding SMS-based payment links.
  2. Implement SMS filtering for financial or government-themed phishing lures.
  3. Ensure all browsers and extensions are updated to reduce susceptibility to script-based redirection or credential theft.
  4. Enhance browser phishing protection. Enforce Microsoft Defender SmartScreen, Google Safe Browsing, or equivalent URL reputation services organization-wide.
  5. Correlate phishing domains sharing backend infrastructure to identify cross-sector fraud activity.
  6. Block the IOCs at their respective controls.
    https://www.virustotal.com/gui/collection/558e43af9b3cc056cebd454960c524589d194d62ee61c95a4f490ab668925ec9/iocs
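Recommendation 5 is the one that turns a single takedown into campaign-level visibility: the advisory notes that the e-Challan, HSBC, DTDC and Delhivery templates share the same backend IPs, so grouping domains by shared hosting and labelling what brand each one impersonates exposes the cross-sector operation. The script below is an added example (not code from the advisory or from Cyble) that does that over passive-DNS-style domain-to-IP observations with a union-find over domains and IPs. The records are constructed: only the two IPs and echallaxzv[.]vip come from the advisory, every other domain is an invented placeholder, and the sector keyword map is an assumption.

```python
"""Correlate phishing domains by shared hosting to expose cross-sector fraud.

Constructed example: the observations below are made up for the demo.  Only
the two IP addresses and echallaxzv[.]vip come from the advisory; the other
domains are placeholders and the sector keyword map is an assumption.
"""
from collections import defaultdict

# Keyword -> sector, used to label which brand a domain impersonates.
# "echall" deliberately matches the truncated lookalike seen in the campaign.
SECTOR_KEYWORDS = {
    "government": ("echall", "challan", "parivahan", "rto"),
    "banking": ("hsbc", "sbi", "bank"),
    "logistics": ("dtdc", "delhivery", "parcel", "courier"),
}

# Constructed passive-DNS-style observations: (domain, resolved IP).
RECORDS = [
    ("echallaxzv.vip", "101.33.78.145"),
    ("echallanpay-example.vip", "101.33.78.145"),
    ("hsbc-verify-example.vip", "101.33.78.145"),
    ("dtdc-redelivery-example.top", "43.130.12.41"),
    ("echallanpay-example.vip", "43.130.12.41"),      # same domain seen on both IPs
    ("delhivery-track-example.top", "43.130.12.41"),
    ("shop-example.com", "203.0.113.9"),              # unrelated host on a TEST-NET address
]


def classify(domain: str) -> str:
    """Return the sector a domain impersonates, or 'unknown'."""
    label = domain.lower()
    for sector, words in SECTOR_KEYWORDS.items():
        if any(w in label for w in words):
            return sector
    return "unknown"


def build_clusters(records):
    """Group domains and IPs that are connected through shared resolutions."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]   # path halving
            node = parent[node]
        return node

    def union(a, b):
        root_a, root_b = find(a), find(b)
        if root_a != root_b:
            parent[root_a] = root_b

    # Domains and IPs are nodes of one graph; each observation is an edge.
    for domain, ip in records:
        union("d:" + domain, "ip:" + ip)

    groups = defaultdict(lambda: {"domains": set(), "ips": set()})
    for node in parent:
        kind, value = node.split(":", 1)
        groups[find(node)]["domains" if kind == "d" else "ips"].add(value)

    clusters = []
    for group in groups.values():
        sectors = {classify(d) for d in group["domains"]} - {"unknown"}
        clusters.append({
            "domains": sorted(group["domains"]),
            "ips": sorted(group["ips"]),
            "sectors": sorted(sectors),
            "cross_sector": len(sectors) >= 2,   # one backend, several impersonated brands
        })
    return sorted(clusters, key=lambda c: -len(c["domains"]))


def cross_sector_clusters(records):
    """Only the clusters worth escalating as shared fraud infrastructure."""
    return [c for c in build_clusters(records) if c["cross_sector"]]


if __name__ == "__main__":
    for cluster in build_clusters(RECORDS):
        flag = "CROSS-SECTOR" if cluster["cross_sector"] else "single"
        print(f"{flag:12} ips={cluster['ips']} sectors={cluster['sectors']}")
        for d in cluster["domains"]:
            print(f"    {d:32} {classify(d)}")
```

Feeding real passive-DNS or certificate-transparency output into `RECORDS` is the only change needed for production use; the point of the union-find is that a domain seen on both IPs (as `echallanpay-example.vip` is here) links the two hosts into one cluster, which is exactly the shared-backend pattern the advisory describes. Clusters flagged `cross_sector` are the ones to block as a unit rather than domain by domain.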

Source:

  • https://cyble.com/blog/rto-scam-wave-continues/
  • https://www.hindustantimes.com/technology/fake-rto-e-challan-scam-sees-major-spike-cyber-police-issue-warning-101766390963838.html

Ampcus Cyber