Dissecting the Phishing Kit behind the Axis Bank Reward Points Campaign

C2 Server Login

Phishing campaigns targeting banking and financial institutions have always been in the news. Specifically in India, scammers are always evolving with new ways to steal banking information, including credit/debit card information and personally identifiable information (PII).

Sometimes, scammers use freemium services to host phishing sites. Alternatively, they may register domains using common keywords to avoid detection. In a recent ongoing campaign, the Bolster Research Team has discovered a campaign targeting Axis Bank and their credit card reward points services.

Due to the enabled directory listing in one of the phishing sites, we were able to obtain the phishing kit used in this campaign. Let’s dive into the details, and help your business better identify potential phishing campaigns down the road by learning from Axis Bank.

Phishing site impersonating Axis Bank’s reward point service

The Phishing Campaign Targeting Axis Bank

The rewards point phishing campaign is not limited to Axis Bank, but also is targeting other famous banking players in India.

In this campaign, domains were created with the keywords “onlinecardservice” and “cardsserviceonline” to avoid alerts from detection engines based on brand names.

Our real-time URL scanner CheckPhish has identified two domains as part of the phishing campaign. One was registered 17 days ago, and another was written 7 months ago. Interestingly, one of the domain registrar’s details, like name, location, email, and phone number, were leaked in the whois record [likely the actor with fake details].

Analysis of an Associate Phishing Website

The impersonated website is created to steal the victim’s banking information (credit card number, CVV) and PIIs in three simple steps:

1. Once victims click on any of the options on the phishing site, it redirects them to the fake “Reward Point Online Application,” asking them to fill in PII, including their Name, Date of Birth, Email ID, Mobile No.

A glimpse at the first screen consumers will see

2. Once submitted successfully, it takes the victim to another fake form. Then it asks for banking details.

The screen consumers will see when they’re being asked to provide their bank info

3. In the last step, it asks for the OTP to submit.

The final screen in the phishing campaign

Analysis of the Phishing Kit

Due to misconfiguration in one of the identified phishing sites, the actor left the directory listing enabled, which led us to discover the phishing kit used in this campaign. This mostly happens due to a lack of technical knowledge or laziness among phishing campaign operators.

Exposed phishing kit due to the directory listing misconfiguration

Inside the phishing kit

Upon analyzing, we found this phishing kit is created with HTML, CSS, and JS PHP & MySQL.

Phishing kit from the campaign

There are no further evasion techniques associated with it. Still, interestingly, while investigating, we have uncovered that the phishing kit can likely be used to target SBI Bank’s reward campaign as well, based on the comments in the code files.

The first look at the code within the phishing kit

Most notably, in this phishing kit, the server code of the C2 server code was found inside the phishing kit’s directory, along with hardcoded MySQL DB credentials and configurations.

Server code inside the phishing kit


Hardcoded db creds and config

Potential Victims of the Phishing Campaign Targeting Axis Bank

After the analysis of the server code, we found a hard-coded credential of DB, and based on the structure, we tried to hunt down the C2 server, which is present on this URL: hxxps://onlinecardservice[.]com/axisbank/1/index.php

C2 Server Login

The login portal was configured with default credentials, which is obvious from the actor’s technical understanding. Upon analyzing the data exposed from the phishing site’s server, it appears that most information entered was random.

However, some of the information may be valid.

Victim’s information from the exposed server

Conclusion: Protecting Your Business and Your Customers

These types of campaigns are not unusual, but they demonstrate how scammers from India are continuously improving their tactics. They’ve gone from cloning websites to creating custom phishing kits for their classic phishing campaigns. It’s clear that their skills are growing, and we can expect to see more of these kinds of tactics from them in the future.

Hacking techniques around the world are evolving to outsmart some of the more common anti-phishing tactics. As hackers become more reliant on AI-backed hacking solutions, it’s important for businesses to utilize AI-Security solutions to effectively identify and takedown phishing sites at scale.

To see how Bolster’s trained LLM’s can protect your business from phishing attacks spun up around the world, request a demo with us today.