In late 2025, Cyble’s CRIL team reported a significant resurgence of RTO-themed phishing attacks in India. These scams exploit public trust in the e-Challan traffic fine system, using browser-based phishing portals rather than traditional malware. Victims receive SMS messages urging immediate payment of fake fines, which lead them to fraudulent government-lookalike sites that steal credit or debit card data.
Severity: High
Threat Details
The campaign represents a shift toward scalable, shared phishing infrastructure that targets multiple industries at once: government, BFSI (banking and financial services), and logistics.
- Initial Access (T1566.001 – Phishing via SMS)
  - Victims receive SMS alerts claiming an overdue traffic violation fine.
  - Messages use threatening language about legal consequences and contain shortened URLs impersonating government e-Challan domains (e.g., echallaxzv[.]vip).
  - The sender appears as a local Indian mobile number (Reliance Jio) to bypass spam filters.
- Phishing Site Redirection
  - Clicking the link redirects users to fake portals hosted primarily on 101[.]33[.]78[.]145 and 43[.]130[.]12[.]41.
  - The cloned portals mimic Ministry of Road Transport & Highways (MoRTH) and NIC branding, complete with official insignia and formatting.
  - The page requests a vehicle or challan number, then fabricates a realistic challan record (fine ≈ INR 590) with expiry warnings to create urgency.
- Credential & Card Data Harvesting (T1056, T1119, T1041)
  - When users click “Pay Now,” they are directed to card-only payment pages falsely branded as Indian bank gateways.
  - Input fields collect card number, expiry date, CVV, and cardholder name, and send all of it directly to the attacker backend regardless of whether the transaction succeeds.
  - The backend reuses the same template infrastructure for HSBC, DTDC, and Delhivery phishing, confirming cross-sector fraud operations.
- Infrastructure & Scaling
  - Over 36 active phishing domains are tied to the same IPs; domains are generated automatically to evade takedowns.
  - A shared backend architecture enables simultaneous execution of government impersonation and commercial delivery scams.
  - Some templates were traced to Spanish-authored code, suggesting international reuse of phishing kits.
- Attribution & Localization
  - Phone number analysis links the sender to an SBI-associated account, reinforcing local credibility.
  - The attack is financially motivated, with no signs of espionage or data theft beyond card harvesting.
- Observed Impact
  - Indian citizens across multiple states reported financial losses from fraudulent fine payments.
  - The campaign continues to evolve, using rotating domains and localized SMS routes for persistence.
This browser-based e-Challan phishing wave marks a notable advancement in fraud scalability and localization, leveraging psychological urgency and authentic branding to bypass awareness defenses. It underscores a broader industry trend where attackers replace malware delivery with direct financial-data theft via social engineering.
MITRE ATT&CK
| Tactic | Technique | ID | Details |
|---|---|---|---|
| Initial Access | Phishing: Spearphishing via SMS | T1566.001 | Attackers send fraudulent SMS messages with fake traffic fine alerts and phishing URLs. |
| Credential Access | Input Capture | T1056 | Fake payment portals capture credit/debit card data, including CVV and expiry details. |
| Collection | Automated Collection | T1119 | Phishing sites automatically harvest and store submitted payment data from victims. |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | Stolen card information is transmitted directly to the attacker-controlled backend infrastructure. |
| Impact | Financial Theft | T1657 | Compromised card credentials are used for unauthorized financial transactions and fraud. |
Recommendations
- Educate end-users on verifying e-Challan payments via official government portals and avoiding SMS-based payment links.
- Implement SMS filtering for financial or government-themed phishing lures.
- Ensure all browsers and extensions are updated to reduce susceptibility to script-based redirection or credential theft.
- Enhance browser phishing protection. Enforce Microsoft Defender SmartScreen, Google Safe Browsing, or equivalent URL reputation services organization-wide.
- Correlate phishing domains sharing backend infrastructure to identify cross-sector fraud activity.
- Block the IOCs at their respective controls.
https://www.virustotal.com/gui/collection/558e43af9b3cc056cebd454960c524589d194d62ee61c95a4f490ab668925ec9/iocs
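As an added illustration of the two infrastructure-focused recommendations above (correlating domains that share a backend, and turning that into a blocklist), this Python script is not from the Cyble advisory: it groups passive-DNS-style observations by hosting IP, flags IPs that serve lures for more than one sector, and combines that with a simple e-Challan lookalike heuristic. The two IPs and echallaxzv[.]vip come from the advisory; every other domain and the 203.0.113.10 address are constructed (reserved .invalid TLD, TEST-NET range), and the lookalike regex and "official suffix" list are assumptions.

```python
# Added example: correlate lookalike e-Challan domains by shared hosting IP.
# Only 101.33.78.145, 43.130.12.41 and echallaxzv.vip are from the advisory;
# all other records are constructed for illustration (.invalid TLD, TEST-NET IP).
from collections import defaultdict
import re

# Constructed passive-DNS-style observations: (domain, resolved IP, lure theme)
OBSERVATIONS = [
    ("echallaxzv.vip",         "101.33.78.145", "government"),
    ("echallan-pay.invalid",   "101.33.78.145", "government"),
    ("hsbc-verify.invalid",    "101.33.78.145", "bfsi"),
    ("dtdc-redeliver.invalid", "43.130.12.41",  "logistics"),
    ("echallan-fine.invalid",  "43.130.12.41",  "government"),
    ("parivahan.gov.in",       "203.0.113.10",  "government"),  # genuine-style host
]

# Assumption: genuine e-Challan services live under these suffixes only.
OFFICIAL_SUFFIXES = (".gov.in", ".nic.in")
# Heuristic (assumption): a label containing "chala"/"challa" imitates "e-challan".
LOOKALIKE = re.compile(r"chal{1,2}a")

def is_lookalike(domain: str) -> bool:
    """True if the name imitates e-Challan but is not under an official suffix."""
    d = domain.lower().rstrip(".")
    if d.endswith(OFFICIAL_SUFFIXES):
        return False
    return LOOKALIKE.search(d) is not None

def cluster_by_ip(observations):
    """Group observed domains (with their lure theme) by the IP they resolved to."""
    clusters = defaultdict(list)
    for domain, ip, theme in observations:
        clusters[ip].append((domain, theme))
    return dict(clusters)

def shared_fraud_infra(observations):
    """IPs hosting lures for more than one sector, mapped to the sorted sector list."""
    result = {}
    for ip, hosted in cluster_by_ip(observations).items():
        themes = sorted({theme for _, theme in hosted})
        if len(themes) > 1:
            result[ip] = themes
    return result

def block_candidates(observations):
    """Lookalike domains plus every domain co-hosted on a multi-sector IP."""
    shared = shared_fraud_infra(observations)
    picks = {d for d, ip, _ in observations if is_lookalike(d) or ip in shared}
    return sorted(picks)

if __name__ == "__main__":
    for ip, themes in shared_fraud_infra(OBSERVATIONS).items():
        print(f"{ip}: shared backend across {', '.join(themes)}")
    print("block:", block_candidates(OBSERVATIONS))
```

Feeding real passive-DNS or web-proxy records into OBSERVATIONS is the intended use; the multi-sector check is what separates a shared fraud backend from a legitimate shared host, so review clusters before blocking an IP outright.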
Source:
- https://cyble.com/blog/rto-scam-wave-continues/
- https://www.hindustantimes.com/technology/fake-rto-e-challan-scam-sees-major-spike-cyber-police-issue-warning-101766390963838.html