FireEye, a cyber security company, has found that certain phishing websites spoofed 26 Indian banks aiming to steal personal information about customers.
FireEye detected that one domain csecurepay[.]com (registered on October 23, 2016, and pretending to be a secure payment gateway) is actually a phishing website that leads to the capturing of customer information such as account number, mobile number, email address, one-time password and other details from 26 banks operating in India.
Once the information is collected, the website displays a fake failed login message to the victim.
Though, the websites were not being used in campaigns, FireEye has notified the Indian Computer Emergency Response Team (CERT - In) about the threat.
URL: hxxp://csecurepay[.]com/load-cash-step2.aspx When navigating to the URL, the domain appears to be a payment gateway and requests that the user enter their bank account number and the amount to be transferred. The victim is allowed to choose their bank from a list that is provided.FireEye blog 
URL: hxxp://csecurepay[.]com/PaymentConfirmation.aspx The next website requests the victim to enter their valid 10-digit mobile number and email ID (Figure 2), which makes the website appear more legitimate.FireEye blog 
The victim will then be redirected to the spoofed online banking page of the bank they selected, which requests that they log in using their user name and password. Figure 3 shows a fake login page for State Bank of India. See the Appendix for more banks that have spoofed login pages.FireEye blog 
After entering their login credentials, the victim will be asked to key in their One Time Password (OTP)FireEye blog 
URL: hxxp://csecurepay[.]com/Final.aspx Once all of the sensitive data is gathered, a fake failed login message will be displayed to the victimFireEye blog 
The nsecurepay website was producing errors when redirecting to spoofed credit and debit card pages.FireEye blog 
HDFC Bank fake login pageFireEye blog
The phishing sites gathered fake logins from 26 banks, including Bank of Baroda - Corporate, Bank of Baroda - Retail, Bank of Maharashtra, HDFC Bank, ICICI Bank, IDBI Bank, Indian Bank, IndusInd Bank, Jammu and Kashmir Bank, Kotak Bank, Lakshmi Vilas Bank - Corporate, Lakshmi Vilas Bank - Retail, State Bank of Hyderabad, State Bank of India, State Bank of Jaipur, State Bank of Mysore, State Bank of Patiala, State Bank of Bikaner, State Bank of Travancore, Tamilnadu Mercantile Bank and United Bank of India.
FireEye security researchers also found a second domain (nsecurepay[.]com) registered by the same attacker in August 2016 that was designed to steal credit and debit card information – including those of ICICI Bank, Citibank, Visa and MasterCard and SBI. However, it was observed with functional errors.
"Criminals follow the money, and as more Indians embrace online banking, criminals followed them online. As the digital economy grows, consumers should be aware of the risks that accompany the convenience. The ease of online payments opens new avenues for criminals to trick consumers into divulging their own sensitive banking information. The growing sophistication of these cybercriminal campaigns makes them harder for consumers to identify, and firewalls and antivirus technology do not stop these attacks," Vishak Raman, Senior Director for India and SAARC, FireEye was quoted saying to Economic Times.'
