Ministry of Road Transport and Highways and Delhivery: Indian Vehicle Owners Warned as Browser-Based e-Challan Phishing Gains Momentum

**Indian Vehicle Owners Targeted in Large-Scale E-Challan Phishing Scam**

A resurgent phishing campaign is exploiting trust in India’s Regional Transport Office (RTO) systems, targeting vehicle owners with fake e-challan notices. Unlike earlier attacks that relied on Android malware, this operation has shifted entirely to browser-based fraud, lowering the barrier for attackers and expanding the victim pool to any user with a smartphone and internet access.

The scam begins with unsolicited SMS messages, sent from regular mobile numbers, warning recipients of overdue traffic fines. The messages use threatening language—citing court action, license suspension, or additional penalties—to pressure victims into immediate action. Embedded links, designed to mimic official e-challan domains, redirect users to fraudulent portals hosted on attacker-controlled infrastructure, including the IP address 101[.]33[.]78[.]145.

These phishing pages closely replicate government branding, featuring insignia from the Ministry of Road Transport and Highways (MoRTH) and the National Informatics Centre (NIC). Technical analysis revealed the templates were originally written in Spanish and later translated into English, indicating reuse across regions. Once on the fake portal, victims are prompted to enter vehicle or license details, after which the system generates a fabricated challan—typically for a modest fine (e.g., INR 590) with a near-term expiration date. Psychological manipulation, including warnings of legal consequences, is used to create urgency.

The final stage directs victims to a payment page that only accepts credit or debit card details, excluding UPI or net banking options that might leave clearer transaction trails. Testing confirmed that all entered card data is transmitted to attacker-controlled servers, with no legitimate payment processing occurring. The same infrastructure supports multiple fraud verticals, including phishing lures impersonating Parivahan services, HSBC, DTDC, and Delhivery, with over 36 e-challan-themed domains identified on a single IP.

The campaign’s localized tactics—using Indian mobile numbers, domestic telecom networks, and references to the State Bank of India—enhance credibility, reflecting a mature and scalable operation. Researchers at Cyble Research and Intelligence Labs (CRIL) noted the shift from malware to browser-based financial theft underscores the evolving sophistication of such scams, requiring coordinated mitigation efforts across telecoms, banks, and security teams.
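The lure pattern described above (ordinary mobile sender, urgency wording, a link to a look-alike host or to the reported IP) can be checked mechanically at an SMS gateway or in a mail/SMS triage queue. The following is an added example, not code from CRIL or the article: the IP is the one quoted above, while the `.gov.in`/`.nic.in` allowlist, the keyword lists, the sample messages and the `.example` domain are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicator quoted in the article (written there defanged as 101[.]33[.]78[.]145).
KNOWN_BAD_IPS = {"101.33.78.145"}
# Assumption: genuine government portals are served only under these suffixes.
OFFICIAL_SUFFIXES = (".gov.in", ".nic.in")
BRAND_WORDS = ("challan", "parivahan")
URGENCY_WORDS = ("court", "suspend", "penalt", "legal action")
URL_RE = re.compile(r"(?:https?://)?(?:[\w-]+(?:\[\.\]|\.))+[\w-]+(?:/\S*)?", re.I)

def hosts_in(body):
    """Return lower-cased hostnames of every (possibly defanged) link in body."""
    hosts = []
    for match in URL_RE.finditer(body):
        url = match.group(0).replace("[.]", ".")  # refang for parsing only
        if "://" not in url:
            url = "http://" + url
        host = urlsplit(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts

def triage_sms(sender, body):
    """Return the sorted reasons a message matches the described lure pattern."""
    reasons = set()
    text = body.lower()
    for host in hosts_in(body):
        if host in KNOWN_BAD_IPS:
            reasons.add("known_bad_ip")
        official = host.endswith(OFFICIAL_SUFFIXES)
        if not official and any(word in host for word in BRAND_WORDS):
            reasons.add("lookalike_host")
    if any(word in text for word in URGENCY_WORDS):
        reasons.add("urgency_language")
    # The lures arrive from ordinary mobile numbers, not registered sender IDs.
    if re.fullmatch(r"(?:\+?91)?[6-9]\d{9}", sender.replace(" ", "")):
        reasons.add("personal_number_sender")
    return sorted(reasons)

SAMPLES = [  # constructed messages, not taken from the campaign
    ("+919812345678", "E-challan overdue, pay to avoid court action: https://echallan-parivahan.example/pay"),
    ("9812345678", "Traffic fine pending, licence will be suspended: 101[.]33[.]78[.]145/c"),
    ("VM-PARVHN", "Challan issued. View at https://echallan.parivahan.gov.in"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, triage_sms(sender, body))
```

A message that collects two or more reasons is a reasonable candidate for quarantine or analyst review; a single reason on its own (urgency wording, for instance) is too noisy to act on.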

Source: https://thecyberexpress.com/rto-scam-browser-based-e-challan-phishing/

Ministry of External Affairs, India cybersecurity rating report: https://www.rankiteo.com/company/ministry-of-external-affairs-india

Delhivery cybersecurity rating report: https://www.rankiteo.com/company/delhivery

"id": "MINDEL1766563271",
"linkid": "ministry-of-external-affairs-india, delhivery",
"type": "Cyber Attack",
"date": "12/2025",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'customers_affected': 'Vehicle owners receiving '
                                              'fraudulent SMS',
                        'industry': 'General public',
                        'location': 'India',
                        'name': 'Indian vehicle owners',
                        'size': 'Large (potentially millions)',
                        'type': 'Individuals'},
                       {'customers_affected': 'SBI cardholders targeted for '
                                              'payment',
                        'industry': 'Banking',
                        'location': 'India',
                        'name': 'State Bank of India (SBI)',
                        'type': 'Financial Institution'},
                       {'customers_affected': 'HSBC customers targeted via '
                                              'BFSI phishing lures',
                        'industry': 'Banking',
                        'location': 'India',
                        'name': 'HSBC',
                        'type': 'Financial Institution'},
                       {'industry': 'Logistics',
                        'location': 'India',
                        'name': 'DTDC',
                        'type': 'Logistics Company'},
                       {'industry': 'Logistics',
                        'location': 'India',
                        'name': 'Delhivery',
                        'type': 'Logistics Company'}],
 'attack_vector': 'SMS (Smishing)',
 'customer_advisories': 'Vehicle owners advised to verify e-challan notices '
                        'via official government portals and avoid clicking '
                        'unsolicited SMS links.',
 'data_breach': {'data_exfiltration': 'Yes (transmitted to attacker-controlled '
                                      'servers)',
                 'personally_identifiable_information': 'Cardholder name, card '
                                                        'number, expiry date, '
                                                        'CVV',
                 'sensitivity_of_data': 'High (financial data)',
                 'type_of_data_compromised': 'Payment card data (credit/debit '
                                             'card details)'},
 'description': 'A renewed RTO scam campaign targeting Indian vehicle owners '
                'is gaining momentum, exploiting trust in government transport '
                'services through browser-based e-challan phishing. Attackers '
                'send unsolicited SMS messages claiming overdue traffic '
                'violation fines, redirecting victims to fraudulent portals to '
                'harvest credit/debit card data. The campaign uses shared '
                'infrastructure to support multiple phishing lures, including '
                'BFSI and logistics sector impersonations.',
 'impact': {'brand_reputation_impact': 'Erosion of trust in government '
                                       'transport services and financial '
                                       'institutions',
            'data_compromised': 'Credit/debit card details (number, expiry '
                                'date, CVV, cardholder name)',
            'financial_loss': 'Card data harvested for unauthorized '
                              'transactions',
            'identity_theft_risk': 'High (PII exposure via card details)',
            'payment_information_risk': 'High (direct harvesting of card '
                                        'data)'},
 'initial_access_broker': {'data_sold_on_dark_web': 'Likely (card data '
                                                    'harvested for resale)',
                           'entry_point': 'SMS phishing (smishing)',
                           'high_value_targets': 'Indian vehicle owners'},
 'investigation_status': 'Ongoing (infrastructure analysis and tracking)',
 'lessons_learned': 'Shift from malware-based attacks to browser-driven '
                    'financial theft highlights the need for continuous threat '
                    'intelligence, infrastructure tracking, and coordinated '
                    'action across telecoms, banks, and security teams. '
                    'Awareness alone is insufficient; proactive mitigation is '
                    'required.',
 'motivation': 'Financial theft',
 'post_incident_analysis': {'corrective_actions': ['Implement domain '
                                                   'generation algorithm (DGA) '
                                                   'detection to block '
                                                   'phishing domains',
                                                   'Enhance SMS filtering to '
                                                   'block fraudulent sender '
                                                   'numbers',
                                                   'Deploy AI-driven fraud '
                                                   'detection for payment '
                                                   'gateways',
                                                   'Improve public awareness '
                                                   'campaigns on phishing '
                                                   'risks'],
                            'root_causes': ['Reusable phishing infrastructure '
                                            'enabling scalable attacks',
                                            'Lack of user awareness about '
                                            'e-challan scams',
                                            'Trust in government-branded '
                                            'communications',
                                            'Absence of multi-factor '
                                            'authentication for payment '
                                            'pages']},
 'recommendations': ['Leverage AI-powered threat intelligence to detect and '
                     'disrupt phishing campaigns',
                     'Implement rapid takedowns of fraudulent domains and '
                     'infrastructure',
                     'Enhance monitoring of SMS-based phishing (smishing) '
                     'campaigns',
                     'Educate users on verifying URLs and avoiding unsolicited '
                     'payment requests',
                     'Coordinate with telecom providers to block fraudulent '
                     'sender numbers',
                     'Collaborate with financial institutions to flag '
                     'suspicious transactions'],
 'references': [{'source': 'Cyble Research and Intelligence Labs (CRIL)'},
                {'source': 'Hindustan Times'}],
 'response': {'third_party_assistance': 'Cyble Research and Intelligence Labs '
                                        '(CRIL)'},
 'title': 'RTO Scam Campaign Targeting Indian Vehicle Owners via E-Challan '
          'Phishing',
 'type': 'Phishing',
 'vulnerability_exploited': 'Lack of user awareness, trust in government '
                            'services, and reusable phishing infrastructure'}