Massive Fake e-Challan SMS Scam Targets Indian Vehicle Owners, Steals Card Details, User Data: Cyble

A large-scale browser-based phishing campaign is targeting Indian vehicle owners through fake e-Challan portals. The operation, which represents an evolution from previous malware-driven attacks, leverages over 36 fraudulent domains and exploits trust in Regional Transport Office services to harvest banking credentials, as per cybersecurity company Cyble.

Victims receive SMS messages claiming overdue traffic fines, creating urgency through threats of license suspension, court summons, and legal proceedings. The messages contain shortened URLs mimicking legitimate e-Challan domains, leading victims to professionally cloned government portals.

These fake portals generate realistic-looking violation records regardless of input and display modest fine amounts (typically Rs 590) with near-term expiration dates. No backend verification occurs, and the scam uses purely psychological manipulation. It further replicates official branding of Ministry of Road Transport and Highways and National Informatics Centre insignia.

Payment pages deliberately restrict options to credit/debit cards only, avoiding traceable UPI and net banking transactions. The scam collects full card details, including CVV and expiry dates, and initiates false claims processing through Indian banks. The scam also accepts repeated submissions, transmitting all user data to attacker backend.

SMS are sent from Indian mobile numbers registered with Reliance Jio Infocomm, with phone numbers linked to State Bank of India account. The combination of local telecom carrier and public-sector bank association increases perceived legitimacy.

Cyble identified over 36 phishing domains impersonating e-Challan and Parivahan services, designed to evade takedowns and blocklists. The scam also uses HSBC themes to lure users into making payments and impersonates logistics companies like DTDC and Delhivery as well. Content is originally authored in Spanish and translated via browser prompts.

At the time of publication, many associated phishing domains remain active, indicating ongoing operational status rather than isolated or short-lived activity, Cyble noted.

Users should avoid clicking links in unsolicited SMS claiming traffic violations and always verify fines directly through official government portals (https://parivahan.gov.in). They should also be suspicious of payment pages accepting only credit/debit cards and report suspicious messages to cybercrime authorities immediately.