Following our earlier reporting on RTO-themed threats, CRIL observed a renewed phishing wave abusing the e-Challan ecosystem to conduct financial fraud. Unlike earlier Android malware-driven campaigns, this activity relies entirely on browser-based phishing, significantly lowering the barrier for victim compromise.

During the course of this research, CRIL also noted that similar fake e-Challan scams have been highlighted by mainstream media outlets, including Hindustan Times, underscoring the broader scale and real-world impact of these campaigns on Indian users.

The campaign primarily targets Indian vehicle owners via unsolicited SMS messages claiming an overdue traffic fine. The message includes a deceptive URL resembling an official e-Challan domain. Once accessed, victims are presented with a cloned portal that mirrors the branding and structure of the legitimate government service.

At the time of writing, many of the associated phishing domains were active, indicating that this is an ongoing and operational campaign rather than isolated or short-lived activity.

The same hosting IP was observed serving multiple phishing lures impersonating government services, logistics companies, and financial institutions, indicating a shared phishing backend supporting multi-sector fraud operations.

The infection chain, outlined in Figure 1, showcases the stages of the attack.

Figure 1: Campaign Overview

Key Takeaways

- Attackers are actively exploiting RTO/e-Challan themes, which remain highly effective against Indian users.
- The phishing portal dynamically fabricates challan data, requiring no prior victim-specific information.
- The payment workflow is deliberately restricted to credit/debit cards, avoiding traceable UPI or net banking rails.
- Infrastructure analysis links this campaign to BFSI and logistics-themed phishing hosted on the same IP.
- Browser-based warnings (e.g., Microsoft Defender) are present but frequently ignored due to urgency cues.
A sense of urgency, evidenced in this campaign, is usually a sign of deception. By demanding a user’s immediate attention, the intent is to make a potential victim rush their task and not perform due diligence. Users must accordingly exercise caution, scrutinize the domain and sender, and never trust any unsolicited links.

Technical findings

Stage 1: Phishing SMS Delivery

The attack we first identified started with victims receiving an SMS stating that a traffic violation fine is overdue and must be paid immediately to avoid legal action. The message includes:

- Threatening language (legal steps, supplementary charges)
- A shortened or deceptive URL mimicking e-Challan branding
- No personalization, allowing large-scale delivery

The sender appears as a standard mobile number, which increases delivery success and reduces immediate suspicion. (see Figure 2)

Figure 2: Fraudulent traffic violation SMS delivering a malicious e-Challan payment link

Stage 2: Redirect to Fraudulent e-Challan Portal

Clicking the embedded URL redirects the user to a phishing domain hosted on 101[.]33[.]78[.]145. The page content is originally authored in Spanish and translated to English via browser prompts, suggesting the reuse of phishing templates across regions. (see Figure 3)

Figure 3: Fake e-Challan landing page

The Government insignia, MoRTH references, and NIC branding are visually replicated. (see Figure 3)

Stage 3: Fabricated Challan Generation

The portal prompts the user to enter:

- Vehicle Number
- Challan Number
- Driving License Number

Regardless of the input provided, the system returns:

- A valid-looking challan record
- A modest fine amount (e.g., INR 590)
- A near-term expiration date
- Prominent warnings about license suspension, court summons, and legal proceedings

This step is purely psychological validation, designed to convince victims that the challan is legitimate.
(see Figure 4)

Figure 4: Fraudulent e-Challan record generated

Stage 4: Card Data Harvesting

Upon clicking “Pay Now”, victims are redirected to a payment page claiming secure processing via an Indian bank. However:

- Only credit/debit cards are accepted
- No redirection to an official payment gateway occurs
- CVV, expiry date, and cardholder name are collected directly

During testing, the page accepted repeated card submissions, indicating that all entered card data is transmitted to the attacker backend, independent of transaction success. (see Figure 5)

Figure 5: E-Challan payment page restricted to card-only transactions

Infrastructure Correlation and Campaign Expansion

CRIL identified another attacker-controlled IP, 43[.]130[.]12[.]41, hosting multiple domains impersonating India’s e-Challan and Parivahan services. Several of these domains follow similar naming patterns and closely resemble legitimate Parivahan branding, including domains designed to look like Parivahan variants (e.g., parizvaihen[.]icu). Analysis indicates that this infrastructure supports rotating, automatically generated phishing domains, suggesting the use of domain generation techniques to evade takedowns and blocklists.

Figure 6: Secondary phishing infrastructure supporting fake e-Challan portals

The phishing pages hosted on this IP replicate the same operational flow observed in the primary campaign, displaying fabricated traffic violations with fixed fine amounts, enforcing urgency through expiration dates, and redirecting victims to fake payment pages that harvest full card details while falsely claiming to be backed by the State Bank of India.

This overlap in infrastructure, page structure, and social engineering themes suggests a broader, scalable phishing ecosystem that actively exploits government transport services to target Indian users.
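Lookalike names such as parizvaihen[.]icu can be flagged by fuzzy-matching each hostname label against the impersonated brands. The following Python code is an added example, not CRIL's tooling or part of the original report; the brand list, the official-suffix allowlist, the 0.75 threshold and the constructed `.example` host are assumptions to adapt.

```python
import re
from difflib import SequenceMatcher

# Brands the report lists as impersonated. Names under six letters are matched
# exactly, since fuzzy matching on four letters flags unrelated hosts.
BRANDS = ("echallan", "parivahan", "delhivery", "dtdc", "hsbc")
# Assumption: suffixes the organisation accepts as the official service.
OFFICIAL_SUFFIXES = ("parivahan.gov.in",)

def refang(indicator):
    """Reduce a defanged indicator or URL to a lowercase hostname."""
    s = indicator.strip().lower().replace("[.]", ".")
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", s)   # drops http://, hxxps://, ...
    return re.split(r"[/:?#]", s, maxsplit=1)[0]

def similarity(label, brand):
    """Best SequenceMatcher ratio between brand and any window of label."""
    best = 0.0
    for width in range(len(brand) - 1, len(brand) + 2):
        for start in range(max(1, len(label) - width + 1)):
            window = label[start:start + width]
            best = max(best, SequenceMatcher(None, window, brand).ratio())
    return best

def classify(indicator, threshold=0.75):
    """Return (verdict, brand, score) for one hostname or URL."""
    host = refang(indicator)
    if any(host == s or host.endswith("." + s) for s in OFFICIAL_SUFFIXES):
        return ("official", None, 1.0)
    best_brand, best_score = None, 0.0
    for label in host.split(".")[:-1]:            # every label except the TLD
        label = re.sub(r"[^a-z]", "", label)      # ignore hyphens and digits
        for brand in BRANDS:
            score = similarity(label, brand) if len(brand) >= 6 else float(brand in label)
            if score > best_score:
                best_brand, best_score = brand, score
    if best_score >= threshold:
        return ("lookalike", best_brand, round(best_score, 2))
    return ("unrelated", None, round(best_score, 2))

if __name__ == "__main__":
    samples = [
        "parizvaihen[.]icu",                      # lookalike named in the report
        "hxxps://dtdc-parcel-update[.]example/",  # constructed sample
        "https://echallan.parivahan.gov.in/",     # official portal
        "en.wikipedia.org",                       # unrelated control
    ]
    for sample in samples:
        print(sample, classify(sample))
```

Run it over newly registered domains or URLs extracted from reported SMS messages, and tune the threshold against your own false-positive tolerance.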
Further investigation into IP address 101[.]33[.]78[.]145 revealed more than 36 phishing domains impersonating e-Challan services, all hosted on the same infrastructure.

The infrastructure also hosted phishing pages targeting:

- BFSI (e.g., HSBC-themed payment lures)
- Logistics companies (DTDC, Delhivery) (see Figures 7 and 8)
- Consistent UI patterns and payment-harvesting logic across campaigns

Figure 7: DTDC-themed phishing page impersonating a failed delivery notification

Figure 8: Fake DTDC address update page used for data harvesting

This confirms the presence of a shared phishing infrastructure supporting multiple fraud verticals.

SMS Origin and Phone Number Analysis

As part of the continued investigation, CRIL analyzed the originating phone number used to deliver the phishing e-Challan SMS. A reverse phone number lookup confirmed that the number is registered in India and operates on the Reliance Jio Infocomm Limited mobile network, indicating the use of a locally issued mobile connection rather than an international SMS gateway.

Additionally, analysis of the number showed that it is linked to a State Bank of India (SBI) account, further reinforcing the campaign’s use of localized infrastructure.

The combination of an Indian telecom carrier and association with a prominent public-sector bank likely enhances the perceived legitimacy of the scam and increases the effectiveness of government-themed phishing messages. (see Figure 9)

Figure 9: Phone number intelligence linked to the e-Challan phishing campaign

Conclusion

This campaign demonstrates that RTO-themed phishing remains a high-impact fraud vector in India, particularly when combined with realistic UI cloning and psychological urgency. The reuse of infrastructure across government, logistics, and BFSI lures highlights a professionalized phishing operation rather than isolated scams.

As attackers continue shifting from malware delivery to direct financial fraud, user awareness alone is insufficient.
Infrastructure monitoring, domain takedowns, and proactive SMS phishing detection are critical to disrupting these operations at scale.

Our Recommendations:

- Always verify traffic fines directly via official government portals, not SMS links.
- Organizations should monitor for lookalike domains abusing government and brand identities.
- SOC teams should track shared phishing infrastructure, as takedown of one domain may disrupt multiple campaigns.
- Telecom providers should strengthen SMS filtering for financial and government-themed lures.
- Financial institutions should monitor for card-not-present fraud patterns linked to phishing campaigns.

MITRE ATT&CK® Techniques

| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Initial Access | T1566.001 | Phishing: Spearphishing via SMS |
| Credential Access | T1056 | Input Capture |
| Collection | T1119 | Automated Collection |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
| Impact | T1657 | Financial Theft |

Indicators of Compromise (IOCs)

The IOCs have been added to this GitHub repository. Please review and integrate them into your Threat Intelligence feed to enhance protection and improve your overall security posture.