{"id":7809,"date":"2025-08-06T14:46:43","date_gmt":"2025-08-06T09:16:43","guid":{"rendered":"https:\/\/quickheal.co.in\/knowledge-centre\/?p=7809"},"modified":"2025-08-06T14:46:43","modified_gmt":"2025-08-06T09:16:43","slug":"deciphering-the-kyc-scam-paradigm-an-in-depth-exploration-of-threat-vectors-and-mitigation-strategies","status":"publish","type":"post","link":"https:\/\/www.quickheal.co.in\/knowledge-centre\/deciphering-the-kyc-scam-paradigm-an-in-depth-exploration-of-threat-vectors-and-mitigation-strategies\/","title":{"rendered":"Deciphering the KYC Scam Paradigm: An In-Depth Exploration of Threat Vectors and Mitigation Strategies"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"7809\" class=\"elementor elementor-7809\">\n\t\t\t\t\t\t\t<div class=\"elementor-element elementor-element-5586d487 e-flex e-con-boxed e-con e-parent\" data-id=\"5586d487\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-75f0e325 elementor-widget elementor-widget-text-editor\" data-id=\"75f0e325\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t<!-- wp:paragraph {\"align\":\"left\"} -->\n<p class=\"has-text-align-left\">KYC (Know Your Customer) scams are fraud campaigns in which scammers impersonate banks, crypto exchanges, payment platforms, or regulatory authorities under the pretext of verifying the user's identity. Their objective is to harvest sensitive personal data, including Aadhaar numbers, PAN cards, selfies, and OTPs, typically through phishing websites that mimic legitimate KYC portals or malicious Android apps disguised as KYC verification tools. The stolen information is then used for financial fraud, identity theft, and unauthorized account access.<\/p>\n<!-- \/wp:paragraph --><!-- wp:paragraph -->\n<p><strong>Anatomy of the Scam:<\/strong><\/p>\n<!-- \/wp:paragraph --><!-- wp:paragraph -->\n<p>Scammers reach out via email, SMS, or messaging apps, claiming that the victim's KYC is incomplete or about to expire. Victims are pressured into clicking a link or downloading an app, which leads to a phishing site or installs malware. Fake input fields harvest sensitive user data, which is then transmitted to the scammers. The stolen data is used for fraudulent transactions or account hijacking. 
Users are left vulnerable to financial loss and identity theft.\u00a0<\/p>\n<!-- \/wp:paragraph --><!-- wp:image {\"id\":7813,\"width\":\"310px\",\"height\":\"auto\",\"sizeSlug\":\"large\",\"linkDestination\":\"none\"} -->\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"258\" height=\"390\" class=\"wp-image-7813 aligncenter\" style=\"width: 310px; height: auto;\" src=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/2025\/08\/image-2-258x390.png\" alt=\"\" srcset=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/08\/image-2-258x390.png 258w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/08\/image-2-199x300.png 199w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/08\/image-2.png 430w\" sizes=\"(max-width: 258px) 100vw, 258px\" \/><\/figure>\n<!-- \/wp:image --><!-- wp:paragraph -->\n<p><strong>Threat Infrastructure:\u00a0<\/strong>\u00a0<\/p>\n<!-- \/wp:paragraph --><!-- wp:paragraph -->\n<p>The infrastructure supporting KYC scams is crafted to mimic legitimacy while serving malicious purposes. 
Key components include:<\/p>\n<!-- \/wp:paragraph --><!-- wp:list -->\n<ul class=\"wp-block-list\"><!-- wp:list-item -->\n<li><strong>Phishing domains:<\/strong> Attackers register domains that closely resemble those of banks or financial institutions, using typosquatting (a dropped, swapped or doubled letter), homoglyphs (look-alike characters, e.g. a Cyrillic letter standing in for a Latin one) or the brand name combined with words such as \u201ckyc\u201d, \u201cverify\u201d or \u201cupdate\u201d.<\/li>\n<!-- \/wp:list-item --><!-- wp:list-item -->\n<li><strong>Hosting:<\/strong> These domains are typically hosted on low-cost or compromised servers. Operators move hosting frequently, and some use fast-flux DNS (short-TTL records that rotate through many IP addresses) so that blocking a single IP does not take the site down.<\/li>\n<!-- \/wp:list-item --><!-- wp:list-item -->\n<li><strong>Fake Android apps:<\/strong> Malicious apps are either built from scratch or created by repackaging a legitimate app with added malicious code, and are delivered as an APK downloaded from the phishing link rather than from an app store.<\/li>\n<!-- \/wp:list-item --><!-- wp:list-item -->\n<li><strong>Command and control (C2) communication:<\/strong> Harvested data is sent to the operator in plain HTTP(S) POST requests; in mobile-based scams a Telegram bot frequently serves as the exfiltration channel, because traffic to the Telegram Bot API looks like ordinary HTTPS to a legitimate service and is rarely blocked by perimeter controls.<\/li>\n<!-- \/wp:list-item --><\/ul>\n<!-- \/wp:list --><!-- wp:paragraph -->\n<p><strong>Attack Vectors:<\/strong><\/p>\n<!-- \/wp:paragraph --><!-- wp:table -->\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody>\n<tr>\n<td><strong>Vector<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td><strong>Email phishing<\/strong><\/td>\n<td>Spoofed emails claiming KYC suspension<\/td>\n<\/tr>\n<tr>\n<td><strong>SMS smishing<\/strong><\/td>\n<td>Fake KYC update messages with shortened URLs<\/td>\n<\/tr>\n<tr>\n<td><strong>WhatsApp\/Telegram<\/strong><\/td>\n<td>Messages from \u201cofficial\u201d looking profiles with fake 
links<\/td>\n<\/tr>\n<tr>\n<td><strong>Social Media<\/strong><\/td>\n<td>KYC notices posted in crypto\/finance groups<\/td>\n<\/tr>\n<tr>\n<td><strong>Malvertising<\/strong><\/td>\n<td>Fake KYC ads placed in search results via paid ads (e.g. Google Ads) or SEO poisoning<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<!-- \/wp:table --><!-- wp:paragraph -->\n<p><strong>Usage of Phishing Websites:<\/strong><\/p>\n<!-- \/wp:paragraph --><!-- wp:paragraph -->\n<p>Phishing websites in KYC scams typically feature:<\/p>\n<!-- \/wp:paragraph --><!-- wp:list -->\n<ul class=\"wp-block-list\"><!-- wp:list-item -->\n<li>Cloned branding and logos of legitimate financial institutions<\/li>\n<!-- \/wp:list-item --><!-- wp:list-item -->\n<li>Simple HTML pages with input fields requesting sensitive information, such as:<!-- wp:list -->\n<ul class=\"wp-block-list\"><!-- wp:list-item -->\n<li>Personal details (name, Aadhaar number, PAN)<\/li>\n<!-- \/wp:list-item --><!-- wp:list-item -->\n<li>File uploads (ID proofs, selfies)<\/li>\n<!-- \/wp:list-item --><\/ul>\n<!-- \/wp:list --><\/li>\n<!-- \/wp:list-item --><!-- wp:list-item -->\n<li>A backend PHP script that:<!-- wp:list -->\n<ul class=\"wp-block-list\"><!-- wp:list-item -->\n<li>Logs the submitted data to a text file on the server or emails it to the attacker<\/li>\n<!-- \/wp:list-item --><!-- wp:list-item -->\n<li>Is deliberately minimal: a few lines that write the POST body to disk or hand it to mail(). It contains none of the strings or behaviour that signature-based antivirus or web filters look for, so the kit itself is rarely flagged as malicious; detection has to come from the page content (the fields the form asks for) or from the domain, not from the script<\/li>\n<!-- \/wp:list-item --><\/ul>\n<!-- \/wp:list --><\/li>\n<!-- \/wp:list-item --><\/ul>\n<!-- \/wp:list --><!-- wp:paragraph 
-->\n<p><strong>KYC Scam Victims &#8211; Age Group Classification<\/strong><\/p>\n<!-- \/wp:paragraph --><!-- wp:table -->\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody>\n<tr>\n<td><strong>Age Group<\/strong><\/td>\n<td><strong>Victim Percentage<\/strong><\/td>\n<\/tr>\n<tr>\n<td><strong>&lt; 18 years<\/strong><\/td>\n<td>2\u20133%<\/td>\n<\/tr>\n<tr>\n<td><strong>18\u201325 years (Youth\/Students)<\/strong><\/td>\n<td>18\u201322%<\/td>\n<\/tr>\n<tr>\n<td><strong>26\u201335 years (Young professionals)<\/strong><\/td>\n<td>25\u201330%<\/td>\n<\/tr>\n<tr>\n<td><strong>36\u201350 years (Mid-age adults)<\/strong><\/td>\n<td>20\u201325%<\/td>\n<\/tr>\n<tr>\n<td><strong>51\u201365 years (Older adults)<\/strong><\/td>\n<td>12\u201315%<\/td>\n<\/tr>\n<tr>\n<td><strong>65+ years (Senior citizens)<\/strong><\/td>\n<td>5\u20138%<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<!-- \/wp:table --><!-- wp:image {\"id\":7811,\"width\":\"486px\",\"height\":\"auto\",\"sizeSlug\":\"large\",\"linkDestination\":\"none\"} 
-->\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"556\" height=\"390\" class=\"wp-image-7811 aligncenter\" style=\"width: 486px; height: auto;\" src=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/2025\/08\/image-1-556x390.png\" alt=\"\" srcset=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/08\/image-1-556x390.png 556w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/08\/image-1-300x211.png 300w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/08\/image-1-768x539.png 768w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/08\/image-1.png 838w\" sizes=\"(max-width: 556px) 100vw, 556px\" \/><\/figure>\n<!-- \/wp:image --><!-- wp:paragraph -->\n<p><strong>APK Behavior:<\/strong><\/p>\n<!-- \/wp:paragraph --><!-- wp:paragraph -->\n<p>Android malware in KYC scams disguises itself as a legitimate KYC app and requests far more permissions than a verification app needs. The table lists the permissions that matter for this scam and what each one buys the attacker:<\/p>\n<!-- \/wp:paragraph --><!-- wp:paragraph -->\n<p><strong>APK Capabilities<\/strong><\/p>\n<!-- \/wp:paragraph --><!-- wp:table -->\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody>\n<tr>\n<td><strong>Permission<\/strong><\/td>\n<td><strong>Purpose<\/strong><\/td>\n<\/tr>\n<tr>\n<td><strong>RECEIVE_SMS<\/strong><\/td>\n<td>Intercept incoming SMS to capture OTPs<\/td>\n<\/tr>\n<tr>\n<td><strong>READ_CONTACTS<\/strong><\/td>\n<td>Harvest the contact list to target the victim's acquaintances (social engineering expansion)<\/td>\n<\/tr>\n<tr>\n<td><strong>INTERNET<\/strong><\/td>\n<td>C2 communication and data exfiltration<\/td>\n<\/tr>\n<tr>\n<td><strong>SYSTEM_ALERT_WINDOW<\/strong><\/td>\n<td>Draw fake overlays on top of UPI and banking apps<\/td>\n<\/tr>\n<tr>\n<td><strong>RECEIVE_BOOT_COMPLETED<\/strong><\/td>\n<td>Start on boot: a BroadcastReceiver for BOOT_COMPLETED relaunches the malware after a reboot (persistence)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<!-- \/wp:table --><!-- wp:paragraph -->\n<p>INTERNET is granted automatically at install, but RECEIVE_SMS and READ_CONTACTS are runtime permissions the user must approve, and SYSTEM_ALERT_WINDOW requires enabling \u201cDisplay over other apps\u201d in system settings. The fake app therefore presents each prompt as a mandatory step of \u201cKYC verification\u201d. A genuine KYC app has no reason to draw over other apps, and OTP auto-fill does not need the SMS permission at all (Android's SMS Retriever API works without it), so these requests are themselves a warning sign.<\/p>\n<!-- \/wp:paragraph --><!-- 
wp:paragraph -->\n<p>Once installed, the malware:<\/p>\n<!-- \/wp:paragraph --><!-- wp:list -->\n<ul class=\"wp-block-list\"><!-- wp:list-item -->\n<li>Intercepts incoming SMS messages to capture OTPs<\/li>\n<!-- \/wp:list-item --><!-- wp:list-item -->\n<li>Reads the contact list for further targeting<\/li>\n<!-- \/wp:list-item --><!-- wp:list-item -->\n<li>Uses overlay attacks to mimic banking and UPI interfaces and capture credentials<\/li>\n<!-- \/wp:list-item --><\/ul>\n<!-- \/wp:list --><!-- wp:paragraph -->\n<p>The malware communicates with its command-and-control servers via HTTP requests or the Telegram Bot API. To maintain persistence it registers a receiver for BOOT_COMPLETED, so it is relaunched after every device reboot. It also employs anti-emulation checks (for example inspecting build properties and telephony data for emulator signatures) to stay dormant in sandbox environments and evade dynamic analysis.<\/p>\n<!-- \/wp:paragraph --><!-- wp:paragraph -->\n<p><strong>Indicators of Compromise:<\/strong><\/p>\n<!-- \/wp:paragraph --><!-- wp:paragraph -->\n<p>KYC scams generate technical artifacts that can be used as Indicators of Compromise (IOCs), including:<\/p>\n<!-- \/wp:paragraph --><!-- wp:list -->\n<ul class=\"wp-block-list\"><!-- wp:list-item -->\n<li>Suspicious URLs that combine a bank or regulator name with KYC wording, for example:<!-- wp:list -->\n<ul class=\"wp-block-list\"><!-- wp:list-item -->\n<li>kyc-update-info[.]com<\/li>\n<!-- \/wp:list-item --><!-- wp:list-item -->\n<li>https:\/\/hdfc-verifykyc[.]com<\/li>\n<!-- \/wp:list-item --><!-- wp:list-item -->\n<li>https:\/\/kyc-update-rbi[.]org<\/li>\n<!-- \/wp:list-item --><!-- wp:list-item -->\n<li>https:\/\/rbi-kycverify[.]in\/update<\/li>\n<!-- \/wp:list-item --><\/ul>\n<!-- \/wp:list --><\/li>\n<!-- \/wp:list-item --><!-- wp:list-item -->\n<li>Recently registered domains with privacy-protected (anonymised) WHOIS records<\/li>\n<!-- \/wp:list-item --><!-- wp:list-item -->\n<li>IP addresses associated with command-and-control (C2) servers<\/li>\n<!-- \/wp:list-item --><!-- wp:list-item -->\n<li>SHA256 hashes of malicious APK files<\/li>\n<!-- \/wp:list-item --><!-- wp:list-item -->\n<li>Telegram bot usernames used for data exfiltration<\/li>\n<!-- \/wp:list-item --><\/ul>\n<!-- \/wp:list --><!-- wp:paragraph -->\n<p><strong>IOC EXAMPLES<\/strong><\/p>\n<!-- \/wp:paragraph --><!-- wp:table -->\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody>\n<tr>\n<td><strong>Type<\/strong><\/td>\n<td><strong>IOC<\/strong><\/td>\n<\/tr>\n<tr>\n<td><strong>Domain<\/strong><\/td>\n<td>kyc-verify-app[.]info<\/td>\n<\/tr>\n<tr>\n<td><strong>APK Hash<\/strong><\/td>\n<td>SHA256: b8f4c0d2e0e49df7&#8230;<\/td>\n<\/tr>\n<tr>\n<td><strong>IP Address<\/strong><\/td>\n<td>45.76.123.90 (C2)<\/td>\n<\/tr>\n<tr>\n<td><strong>Telegram Bot<\/strong><\/td>\n<td>@kyc_notify_bot<\/td>\n<\/tr>\n<tr>\n<td><strong>Email used<\/strong><\/td>\n<td>kyc-support [@] outlook [.] 
com<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<!-- \/wp:table --><!-- wp:paragraph -->\n<p>Loading these IOCs into a Security Information and Event Management (SIEM) system, where DNS, proxy and mail logs are matched against the domains, IPs and sender addresses and Telegram Bot API traffic from hosts that have no business using it raises an alert, lets defenders identify affected users and block the infrastructure before money moves. Domains and IPs in these campaigns rotate quickly, so treat such IOCs as short-lived and pair them with behavioural detections rather than relying on the list alone.<\/p>\n<!-- \/wp:paragraph --><!-- wp:paragraph -->\n<p><strong>Spyware Behavior Simulation (Android Demo):<\/strong><\/p>\n<!-- \/wp:paragraph --><!-- wp:paragraph -->\n<p>Note: no real malware is used here. The screenshots come from a harmless demo app built only to illustrate the behaviour, for the safety of readers.<\/p>\n<!-- \/wp:paragraph --><!-- wp:paragraph -->\n<p>Fake app interface<\/p>\n<!-- \/wp:paragraph --><!-- wp:image {\"id\":7812,\"width\":\"556px\",\"height\":\"auto\",\"sizeSlug\":\"large\",\"linkDestination\":\"none\"} -->\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"494\" height=\"390\" class=\"wp-image-7812\" style=\"width: 556px; height: auto;\" src=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/2025\/08\/image-3-494x390.png\" alt=\"Fake KYC app interface (demo)\" srcset=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/08\/image-3-494x390.png 494w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/08\/image-3-300x237.png 300w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/08\/image-3.png 678w\" sizes=\"(max-width: 494px) 100vw, 494px\" \/><\/figure>\n<!-- \/wp:image --><!-- wp:paragraph -->\n<p>Intercepts SMS<\/p>\n<!-- \/wp:paragraph --><!-- wp:image {\"id\":7810,\"width\":\"655px\",\"height\":\"auto\",\"sizeSlug\":\"large\",\"linkDestination\":\"none\"} -->\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"650\" height=\"272\" class=\"wp-image-7810\" style=\"width: 655px; height: auto;\" 
src=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/2025\/08\/image-650x272.png\" alt=\"Demo app intercepting an incoming SMS\" srcset=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/08\/image-650x272.png 650w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/08\/image-300x126.png 300w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/08\/image.png 766w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><\/figure>\n<!-- \/wp:image --><!-- wp:paragraph -->\n<p>Mimics background mic recording<\/p>\n<!-- \/wp:paragraph --><!-- wp:image {\"id\":7824,\"width\":\"461px\",\"height\":\"auto\",\"sizeSlug\":\"large\",\"linkDestination\":\"none\"} -->\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"367\" height=\"390\" class=\"wp-image-7824\" style=\"width: 461px; height: auto;\" src=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/2025\/08\/image-4-367x390.png\" alt=\"Demo app mimicking background microphone recording\" srcset=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/08\/image-4-367x390.png 367w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/08\/image-4-282x300.png 282w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/08\/image-4.png 646w\" sizes=\"(max-width: 367px) 100vw, 367px\" \/><\/figure>\n<!-- \/wp:image --><!-- wp:paragraph -->\n<p><strong>Usage of MITRE ATT&amp;CK Mapping<\/strong><\/p>\n<!-- \/wp:paragraph --><!-- wp:paragraph -->\n<p>The MITRE ATT&amp;CK framework can be used to categorize the techniques observed in KYC scams. The IDs below are from the Enterprise matrix; ATT&amp;CK for Mobile describes the same Android behaviours under its own technique IDs.<\/p>\n<!-- \/wp:paragraph --><!-- wp:list -->\n<ul class=\"wp-block-list\"><!-- wp:list-item -->\n<li>T1204 (User Execution): the victim opens the phishing link or installs the malicious APK<\/li>\n<!-- \/wp:list-item --><!-- wp:list-item -->\n<li>T1111 (Multi-Factor Authentication Interception): OTPs captured from intercepted SMS<\/li>\n<!-- \/wp:list-item --><!-- wp:list-item -->\n<li>T1059 (Command and Scripting Interpreter): JavaScript on the phishing page (sub-technique T1059.007)<\/li>\n<!-- \/wp:list-item --><!-- wp:list-item -->\n<li>T1071.001 (Application Layer Protocol: Web Protocols): HTTP(S) C2 and Telegram Bot API exfiltration<\/li>\n<!-- \/wp:list-item --><\/ul>\n<!-- \/wp:list --><!-- wp:paragraph -->\n<p>Mapping the techniques this way lets security teams compare the campaign with others, choose detections that cover each step, and see which stages currently have no coverage.<\/p>\n<!-- \/wp:paragraph --><!-- wp:paragraph -->\n<p><strong>MITRE ATT&amp;CK MAPPING<\/strong><\/p>\n<!-- \/wp:paragraph --><!-- wp:table -->\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody>\n<tr>\n<td><strong>Technique ID<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td><strong>T1059<\/strong><\/td>\n<td>Command and Scripting Interpreter (JavaScript on the phishing page)<\/td>\n<\/tr>\n<tr>\n<td><strong>T1204<\/strong><\/td>\n<td>User Execution \u2013 malicious APK installation<\/td>\n<\/tr>\n<tr>\n<td><strong>T1071.001<\/strong><\/td>\n<td>Application Layer Protocol: Web Protocols<\/td>\n<\/tr>\n<tr>\n<td><strong>T1083<\/strong><\/td>\n<td>File and Directory Discovery<\/td>\n<\/tr>\n<tr>\n<td><strong>T1111<\/strong><\/td>\n<td>Multi-Factor Authentication Interception (formerly named Two-Factor Authentication Interception)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<!-- \/wp:table --><!-- wp:paragraph -->\n<p><strong>YARA Rules for Detection:<\/strong><\/p>\n<!-- \/wp:paragraph --><!-- wp:paragraph -->\n<p>YARA rules can detect malicious patterns in files associated with KYC scams, such as:<\/p>\n<!-- \/wp:paragraph --><!-- wp:list -->\n<ul 
class=\"wp-block-list\"><!-- wp:list-item -->\n<li>Phishing HTML forms requesting sensitive information (Aadhaar or PAN numbers, document uploads)<\/li>\n<!-- \/wp:list-item --><!-- wp:list-item -->\n<li>APKs with suspicious permission requests and strings (e.g., SmsMessage.createFromPdu, the SMS_RECEIVED action, api.telegram.org\/bot)<\/li>\n<!-- \/wp:list-item --><\/ul>\n<!-- \/wp:list --><!-- wp:paragraph -->\n<p>Because an APK is a ZIP archive whose entries are normally deflate-compressed, rules for those strings must run on the unpacked contents (classes.dex, the decoded AndroidManifest.xml) rather than on the raw .apk file. Such rules let antivirus engines and sandbox tools identify suspicious applications or websites even when the sample is a new variant with a different hash. YARA rules can be applied across:<\/p>\n<!-- \/wp:paragraph --><!-- wp:list -->\n<ul class=\"wp-block-list\"><!-- wp:list-item -->\n<li>File systems<\/li>\n<!-- \/wp:list-item --><!-- wp:list-item -->\n<li>Email attachments<\/li>\n<!-- \/wp:list-item --><!-- wp:list-item -->\n<li>Web gateways<\/li>\n<!-- \/wp:list-item --><\/ul>\n<!-- \/wp:list --><!-- wp:paragraph -->\n<p>to enhance early detection and improve security posture.<\/p>\n<!-- \/wp:paragraph --><!-- wp:paragraph -->\n<p><strong>Phishing Email Analysis:<\/strong><\/p>\n<!-- \/wp:paragraph --><!-- wp:paragraph -->\n<p>KYC scam emails often:<\/p>\n<!-- \/wp:paragraph --><!-- wp:list -->\n<ul class=\"wp-block-list\"><!-- wp:list-item -->\n<li>Impersonate customer care or security departments<\/li>\n<!-- \/wp:list-item --><!-- wp:list-item -->\n<li>Use urgent subjects like &#8220;Your KYC Has Expired&#8221;<\/li>\n<!-- \/wp:list-item --><!-- wp:list-item -->\n<li>Have sender addresses on look-alike domains that resemble the official one<\/li>\n<!-- \/wp:list-item --><!-- wp:list-item -->\n<li>Contain phishing links disguised as &#8220;Verify Now&#8221; buttons<\/li>\n<!-- \/wp:list-item --><\/ul>\n<!-- \/wp:list --><!-- wp:paragraph -->\n<p>Email headers may reveal suspicious details like:<\/p>\n<!-- \/wp:paragraph --><!-- wp:list -->\n<ul class=\"wp-block-list\"><!-- wp:list-item -->\n<li>Return-Path or Reply-To addresses on a different domain from the From address, often a free webmail provider, so that replies reach the scammer<\/li>\n<!-- \/wp:list-item --><!-- wp:list-item -->\n<li>Message-ID or Received headers naming a sending host that has nothing to do with the claimed bank<\/li>\n<!-- \/wp:list-item --><\/ul>\n<!-- \/wp:list --><!-- wp:paragraph -->\n<p>Secure Email Gateways (SEGs) and SPF, DKIM and DMARC records help detect and block these messages when properly configured. Note the limit of DMARC: it stops mail that forges the bank's exact domain, but a message sent from a look-alike domain the scammer owns passes SPF and DKIM for that domain, so look-alike detection and link analysis are still needed.<\/p>\n<!-- \/wp:paragraph --><!-- wp:paragraph -->\n<p><strong>Preventive measures for KYC Scams:<\/strong><\/p>\n<!-- \/wp:paragraph --><!-- wp:list {\"ordered\":true,\"start\":1} -->\n<ol class=\"wp-block-list\" start=\"1\"><!-- wp:list-item -->\n<li>Never share OTPs, CVV, PIN, or account details with anyone.<\/li>\n<!-- \/wp:list-item --><!-- wp:list-item -->\n<li>Avoid clicking on unknown links or uploading KYC documents on suspicious websites\/apps.<\/li>\n<!-- \/wp:list-item --><!-- wp:list-item -->\n<li>Verify the sender's identity by calling the customer care number printed on your card or the bank's official website, not a number given in the message.<\/li>\n<!-- \/wp:list-item --><!-- wp:list-item -->\n<li>Update KYC only via official bank apps or by visiting the branch.<\/li>\n<!-- \/wp:list-item --><\/ol>\n<!-- \/wp:list --><!-- wp:list 
{\"ordered\":true,\"start\":5} -->\n<ol class=\"wp-block-list\" start=\"5\"><!-- wp:list-item -->\n<li>Install trusted antivirus and anti-fraud apps to block phishing links.\u00a0<\/li>\n<!-- \/wp:list-item --><\/ol>\n<!-- \/wp:list --><!-- wp:list {\"ordered\":true,\"start\":6} -->\n<ol class=\"wp-block-list\" start=\"6\"><!-- wp:list-item -->\n<li>Report fraud calls\/SMS to 1930 or log complaints at cybercrime.gov.in.\u00a0<\/li>\n<!-- \/wp:list-item --><\/ol>\n<!-- \/wp:list --><!-- wp:paragraph -->\n<p><strong>QUICK HEAL ANTIFRAUD.AI PROTECTION FOR KYC SCAMS:<\/strong>\u00a0<\/p>\n<!-- \/wp:paragraph --><!-- wp:table -->\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody>\n<tr>\n<td><strong>Feature \/ Technology<\/strong>\u00a0<\/td>\n<td><strong>How It Helps Against KYC Scams<\/strong>\u00a0<\/td>\n<\/tr>\n<tr>\n<td><strong>AI-Based Threat Detection<\/strong>\u00a0<\/td>\n<td>Uses machine learning models to detect suspicious links, apps, or behavior mimicking KYC processes.\u00a0<\/td>\n<\/tr>\n<tr>\n<td><strong>SMS &amp; Call Protection<\/strong>\u00a0<\/td>\n<td>Flags and blocks phishing SMS or calls requesting KYC re-verification.\u00a0<\/td>\n<\/tr>\n<tr>\n<td><strong>Real-time App Monitoring<\/strong>\u00a0<\/td>\n<td>Monitors apps for hidden permissions (camera, mic, SMS, etc.) 
common in KYC scam apps.\u00a0<\/td>\n<\/tr>\n<tr>\n<td><strong>Fake App Detection<\/strong>\u00a0<\/td>\n<td>Detects cloned or fake versions of banking\/KYC apps designed for phishing.\u00a0<\/td>\n<\/tr>\n<tr>\n<td><strong>Website Reputation Scanning<\/strong>\u00a0<\/td>\n<td>Alerts users about malicious URLs disguised as official KYC update pages.\u00a0<\/td>\n<\/tr>\n<tr>\n<td><strong>Social Engineering Detection<\/strong>\u00a0<\/td>\n<td>Analyzes patterns in communication that mimic support staff asking for KYC documents.\u00a0<\/td>\n<\/tr>\n<tr>\n<td><strong>Cloud Threat Intelligence<\/strong>\u00a0<\/td>\n<td>Regularly updates threat databases with newly reported KYC scams and fraud domains.\u00a0<\/td>\n<\/tr>\n<tr>\n<td><strong>User Alerts &amp; Warnings<\/strong>\u00a0<\/td>\n<td>Sends alerts before users click malicious links or install suspicious apps.\u00a0<\/td>\n<\/tr>\n<tr>\n<td><strong>Permission Analyzer<\/strong>\u00a0<\/td>\n<td>Checks if apps are requesting excessive permissions that could be used for KYC data theft.\u00a0<\/td>\n<\/tr>\n<tr>\n<td><strong>Behavioral Analysis<\/strong>\u00a0<\/td>\n<td>Flags abnormal user behavior patterns typically triggered during social engineering KYC scams.\u00a0<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<!-- \/wp:table --><!-- wp:paragraph -->\n<p><strong>Conclusion:\u00a0<\/strong>\u00a0<\/p>\n<!-- \/wp:paragraph --><!-- wp:paragraph -->\n<p>Be cautious of KYC scams that impersonate banks, mobile operators, or financial service providers. Scammers create a sense of urgency to trick individuals into sharing sensitive information. To stay safe, never share OTPs or personal documents, and verify communications from legitimate sources. 
Legitimate institutions never request KYC details via calls, SMS, or WhatsApp.\u00a0<\/p>\n<!-- \/wp:paragraph -->\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>KYC (Know Your Customer) scams involve fraudulent activities where scammers impersonate banks, crypto exchanges, payment platforms, or regulatory authorities to verify user identity. Their objective is to harvest sensitive personal data, including Aadhaar numbers, PAN cards, selfies, and OTPs, often through phishing websites mimicking legitimate KYC portals or malicious Android apps disguised as KYC verification [&hellip;]<\/p>\n","protected":false},"author":12,"featured_media":7831,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"inline_featured_image":false,"footnotes":""},"categories":[95],"tags":[],"class_list":["post-7809","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-antifraud"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-json\/wp\/v2\/posts\/7809"}],"collection":[{"href":"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-json\/wp\/v2\/comments?post=7809"}],"version-history":[{"count":4,"href":"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-json\/wp\/v2\/posts\/7809\/revisions"}],"predecessor-version":[{"id":7835,"href":"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-json\/wp\/v2\/posts\/7809\/revisions\/7835"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.c
o.in\/knowledge-centre\/wp-json\/wp\/v2\/media\/7831"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-json\/wp\/v2\/media?parent=7809"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-json\/wp\/v2\/categories?post=7809"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-json\/wp\/v2\/tags?post=7809"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
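The Threat Infrastructure section of the post above describes typosquatting, homoglyph domains and brand names combined with KYC wording. The following Python is an added example for this page, not code from the original Quick Heal post: it scores a candidate domain against a small brand list using those three tactics. The brand list, keyword list and confusable table are assumptions chosen for the example; the test domains are constructed, apart from those reused from the post's own IOC list.

```python
"""Lookalike-domain scoring for the phishing-domain tactics described above.

Added example for this page (not code from the original Quick Heal post).
Brand list, keyword list and confusable table are assumptions chosen for
the example; test domains are constructed except those taken from the
post's IOC list.
"""
import unicodedata

PROTECTED_BRANDS = {"hdfcbank", "icicibank", "hdfc", "sbi", "rbi", "paytm"}  # assumed
KYC_KEYWORDS = ("kyc", "ekyc", "rekyc", "verify", "update")

# Small confusable table: digits and Cyrillic letters that render like Latin ones.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0456": "i", "\u0443": "y",
}
MULTI_CONFUSABLES = {"vv": "w", "rn": "m"}


def skeleton(label: str) -> str:
    """Fold a DNS label to the string a human perceives: NFKC, lower-case,
    confusables mapped to their Latin look-alikes."""
    s = unicodedata.normalize("NFKC", label).lower()
    for seq, repl in MULTI_CONFUSABLES.items():
        s = s.replace(seq, repl)
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1-2 from a brand is classic typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label ('hdfc-verifykyc' from 'hdfc-verifykyc.com').
    Simplification: assumes a single-label public suffix. Punycode labels
    (xn--...) as they appear in DNS logs are decoded to Unicode first."""
    parts = domain.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    return label


def classify_domain(domain: str) -> dict:
    label = registrable_label(domain)
    compact = skeleton(label).replace("-", "")
    result = {"domain": domain, "brand": None, "verdict": "no match"}
    # 1. Exact brand once confusables are folded: legitimate, a homoglyph clone,
    #    or the brand with a hyphen squeezed in.
    if compact in PROTECTED_BRANDS:
        result["brand"] = compact
        if label == compact:
            result["verdict"] = "exact"
        elif skeleton(label) != label:
            result["verdict"] = "homoglyph"
        else:
            result["verdict"] = "typosquat"
        return result
    # 2. Near-miss spelling, then brand name combined with KYC wording.
    for brand in sorted(PROTECTED_BRANDS, key=len, reverse=True):
        if levenshtein(compact, brand) <= (1 if len(brand) < 6 else 2):
            result.update(brand=brand, verdict="typosquat")
            return result
        if brand in compact and any(k in compact for k in KYC_KEYWORDS):
            result.update(brand=brand, verdict="brand+kyc keyword")
            return result
    # 3. KYC wording alone is weak evidence; report it at low confidence.
    if any(k in compact for k in KYC_KEYWORDS):
        result["verdict"] = "kyc keyword only"
    return result


if __name__ == "__main__":
    for d in ("hdfcbank.com", "hdfcb\u0430nk.com", "hdfcbnak.com",
              "hdfc-verifykyc.com", "kyc-update-rbi.org", "kyc-verify-app.info"):
        print(classify_domain(d))
```

Run it over newly registered domains (certificate-transparency feeds or a zone-file diff) to catch the infrastructure before the first SMS goes out. The hdfcb\u0430nk.com case only differs from the real name by one Cyrillic letter; in DNS logs it will appear in punycode, which is why registrable_label decodes xn-- labels first.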
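The Indicators of Compromise section lists defanged domains, a C2 IP, a sender address and a Telegram bot, and says they should be monitored in a SIEM. The following Python is an added example for this page, not code from the original post: it refangs those IOCs and matches them against constructed DNS, proxy and mail log lines, and separately flags Telegram Bot API traffic, because the bot username from the table is only visible inside the malware sample, never on the wire. The key=value log format is an assumption.

```python
"""Match defanged IOCs from the post's table against log lines (SIEM-style).

Added example for this page (not code from the original Quick Heal post).
The IOC values are the ones the post lists; the log format and the log
lines themselves are constructed for the example.
"""
import re

# Copied from the post's IOC list and table, in the defanged form used there.
IOCS_DEFANGED = {
    "domain": ["kyc-update-info[.]com", "hdfc-verifykyc[.]com", "kyc-update-rbi[.]org",
               "rbi-kycverify[.]in", "kyc-verify-app[.]info"],
    "ip": ["45.76.123.90"],
    "email": ["kyc-support [@] outlook [.] com"],
}

# Constructed log lines (the key=value format is an assumption for the example).
SAMPLE_LOGS = [
    "2025-08-06T09:12:01Z dns client=10.0.0.23 qname=hdfc-verifykyc.com qtype=A",
    "2025-08-06T09:12:05Z dns client=10.0.0.23 qname=api.telegram.org qtype=A",
    "2025-08-06T09:12:06Z dns client=10.0.0.41 qname=www.quickheal.co.in qtype=A",
    '2025-08-06T09:12:07Z proxy client=10.0.0.23 method=POST url="https://api.telegram.org/bot123456:AAExampleToken/sendDocument" status=200',
    '2025-08-06T09:13:00Z proxy client=10.0.0.41 method=GET url="http://45.76.123.90/gate.php?id=7" status=200',
    '2025-08-06T08:55:00Z mail from=<KYC-Support@outlook.com> to=<user@example.in> subject="Your KYC Has Expired"',
]

DOMAIN_RE = re.compile(r'(?:qname=|url="https?://)([a-z0-9.-]+)', re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FROM_RE = re.compile(r"from=<([^>]+)>")
# Telegram exfiltration shows up on the wire as api.telegram.org/bot<token>/...;
# the bot *username* from the IOC table never appears in traffic, only in the sample.
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+", re.I)


def refang(ioc: str) -> str:
    """Undo the defanging used in threat reports: [.] -> ., [@] -> @, hxxp -> http."""
    s = re.sub(r"\s*\[\s*\.\s*\]\s*", ".", ioc.strip())
    s = re.sub(r"\s*\[\s*@\s*\]\s*", "@", s)
    s = re.sub(r"^hxxp", "http", s, flags=re.I)
    return s.lower()


def load_iocs(defanged: dict = IOCS_DEFANGED) -> dict:
    return {kind: {refang(v) for v in values} for kind, values in defanged.items()}


def _field(line: str, key: str):
    m = re.search(key + r"=(\S+)", line)
    return m.group(1) if m else None


def scan_logs(lines, iocs: dict, known_telegram_clients=frozenset()) -> list:
    hits = []
    for line in lines:
        client = _field(line, "client")
        for dom in (d.lower() for d in DOMAIN_RE.findall(line)):
            # match the IOC domain and any subdomain of it
            if any(dom == ioc or dom.endswith("." + ioc) for ioc in iocs["domain"]):
                hits.append({"type": "domain", "ioc": dom, "client": client, "line": line})
        for ip in IP_RE.findall(line):
            if ip in iocs["ip"]:
                hits.append({"type": "ip", "ioc": ip, "client": client, "line": line})
        m = FROM_RE.search(line)
        if m and m.group(1).lower() in iocs["email"]:
            hits.append({"type": "email", "ioc": m.group(1).lower(), "client": client, "line": line})
        if TELEGRAM_BOT_RE.search(line) and client not in known_telegram_clients:
            # report the channel, never the token, in alert text
            hits.append({"type": "telegram_bot_api", "ioc": "api.telegram.org/bot<token>",
                         "client": client, "line": line})
    return hits


def affected_clients(hits) -> list:
    return sorted({h["client"] for h in hits if h["client"]})


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS, load_iocs())
    for h in found:
        print(h["type"], h["ioc"], h["client"])
    print("affected clients:", affected_clients(found))
```

The Telegram rule is the one that keeps working after the listed domains and IP have been abandoned: a workstation or phone that POSTs to api.telegram.org/bot... without a known business reason is worth a look regardless of which campaign is behind it. Pass the hosts that legitimately run bots in known_telegram_clients to keep the alert quiet.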
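The APK Behavior table lists the permissions a KYC-scam app asks for. The following Python is an added example for this page, not code from the original post: it parses a decoded AndroidManifest.xml (the text form that `apktool d app.apk` produces) and scores the permission combination together with the receivers that actually wire SMS_RECEIVED and BOOT_COMPLETED up. The weights are an assumption derived from the post's table, and both manifests are constructed.

```python
"""Permission-combination check for a decoded AndroidManifest.xml.

Added example for this page (not code from the original Quick Heal post).
The weights are an assumption derived from the post's APK capability
table; the two manifests below are constructed, in the decoded text form
that `apktool d app.apk` writes out.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: attribute namespace

# weight, and what the permission buys a KYC-scam app (weights assumed for the example)
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": (3, "intercept OTP SMS"),
    "android.permission.READ_SMS": (3, "read stored OTP SMS"),
    "android.permission.SYSTEM_ALERT_WINDOW": (3, "overlay fake UPI/banking screens"),
    "android.permission.RECEIVE_BOOT_COMPLETED": (2, "restart after reboot"),
    "android.permission.RECORD_AUDIO": (2, "background mic recording"),
    "android.permission.READ_CONTACTS": (1, "harvest contacts for further targeting"),
}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.kycverify">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="KYC Verify">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Notes"><activity android:name=".MainActivity"/></application>
</manifest>"""


def analyse_manifest(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    findings, score = [], 0
    for p in sorted(perms):
        if p in RISKY_PERMISSIONS:
            weight, why = RISKY_PERMISSIONS[p]
            score += weight
            findings.append(f"{p.rsplit('.', 1)[-1]}: {why}")
    # Receivers show the permission is actually wired up, not merely declared.
    for receiver in root.iter("receiver"):
        actions = {a.get(A + "name") for a in receiver.iter("action")}
        name = receiver.get(A + "name")
        if SMS_ACTION in actions:
            score += 2
            findings.append(f"receiver {name} handles SMS_RECEIVED (OTP hook)")
        if BOOT_ACTION in actions:
            score += 1
            findings.append(f"receiver {name} handles BOOT_COMPLETED (persistence)")
    verdict = "high" if score >= 7 else "medium" if score >= 4 else "low"
    return {"package": root.get("package"), "score": score, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(analyse_manifest(m))
```

The combination matters more than any single permission: a messaging app legitimately holds RECEIVE_SMS, and a screen-dimming utility holds SYSTEM_ALERT_WINDOW, but an app calling itself "KYC Verify" that holds both, plus a high-priority SMS_RECEIVED receiver and a boot receiver, matches the profile the post describes. Real manifests inside an APK are binary XML; decode them with apktool or `aapt2 dump xmltree` before feeding them to this check.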
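The Usage of Phishing Websites and YARA Rules for Detection sections describe two artefacts: an HTML form asking for Aadhaar, PAN, OTP and document uploads, and an APK whose code calls SmsMessage.createFromPdu. The following Python is an added example for this page, not code from the original post: KYC_YARA shows those signatures as YARA rules, the match_* functions evaluate the same strings and conditions in pure Python so the example runs without yara-python, and scan_apk shows why the DEX rule has to be applied to the unpacked ZIP entries rather than to the raw .apk. All samples are constructed.

```python
"""Content signatures for the two artefacts described above: the KYC
phishing form and the SMS-stealing APK.

Added example for this page (not code from the original Quick Heal post).
KYC_YARA is the rule as it would be written for yara; the two match_*
functions evaluate the same strings and conditions in pure Python, and
scan_apk applies them to unpacked APK entries. All samples are constructed.
"""
import io
import re
import zipfile

KYC_YARA = r'''
rule KYC_Phish_HTML_Form
{
    strings:
        $form    = "<form" nocase
        $kyc     = "kyc" nocase
        $aadhaar = "aadhaar" nocase
        $pan     = /pan[ _-]?(number|no|card)/ nocase
        $otp     = "otp" nocase
        $upload  = "type=\"file\"" nocase
    condition:
        $form and $kyc and 2 of ($aadhaar, $pan, $otp, $upload)
}

rule KYC_SMS_Stealer_DEX
{
    strings:
        $magic = "dex\n"
        $pdu   = "createFromPdu"
        $recv  = "android.provider.Telephony.SMS_RECEIVED"
        $body  = "getMessageBody"
        $tg    = "api.telegram.org/bot"
    condition:
        $magic at 0 and $pdu and $recv and ($body or $tg)
}
'''


def match_kyc_phish_html(html: bytes) -> bool:
    """Python equivalent of KYC_Phish_HTML_Form."""
    h = html.lower()
    if b"<form" not in h or b"kyc" not in h:
        return False
    signals = (b"aadhaar" in h,
               re.search(rb"pan[ _-]?(number|no|card)", h) is not None,
               b"otp" in h,
               b'type="file"' in h)
    return sum(signals) >= 2


def match_sms_stealer_dex(dex: bytes) -> bool:
    """Python equivalent of KYC_SMS_Stealer_DEX (these strings live in classes.dex)."""
    return (dex.startswith(b"dex\n")
            and b"createFromPdu" in dex
            and b"android.provider.Telephony.SMS_RECEIVED" in dex
            and (b"getMessageBody" in dex or b"api.telegram.org/bot" in dex))


def scan_apk(apk_bytes: bytes) -> list:
    """Unpack the APK (a ZIP) and apply each signature to the right entry."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            if name.startswith("classes") and name.endswith(".dex") and match_sms_stealer_dex(data):
                hits.append(f"{name}: KYC_SMS_Stealer_DEX")
            elif name.endswith((".html", ".htm")) and match_kyc_phish_html(data):
                hits.append(f"{name}: KYC_Phish_HTML_Form")
    return hits


# --- constructed samples ---------------------------------------------------
PHISH_HTML = b"""<html><body><h2>Complete your KYC update to avoid account suspension</h2>
<form method="post" action="submit.php" enctype="multipart/form-data">
  Name <input name="fullname">  Aadhaar Number <input name="aadhaar" maxlength="12">
  PAN Number <input name="pan_number">  Upload ID proof <input type="file" name="idproof">
  OTP <input name="otp"> <button>Verify Now</button>
</form></body></html>"""
BENIGN_HTML = b'<html><body><form method="post"><input name="q"><button>Search</button></form></body></html>'
# A fake classes.dex: the real magic bytes followed by the strings a stealer carries.
DEX_SAMPLE = (b"dex\n035\x00" + b"\x00" * 32
              + b"Landroid/telephony/SmsMessage;\x00createFromPdu\x00"
              + b"android.provider.Telephony.SMS_RECEIVED\x00getMessageBody\x00"
              + b"https://api.telegram.org/bot\x00")


def build_sample_apk() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")  # placeholder; a real one is binary XML
        z.writestr("classes.dex", DEX_SAMPLE)
    return buf.getvalue()


if __name__ == "__main__":
    apk = build_sample_apk()
    print("phish html:", match_kyc_phish_html(PHISH_HTML), "benign:", match_kyc_phish_html(BENIGN_HTML))
    print("raw apk matches dex rule:", match_sms_stealer_dex(apk))  # False: it is a compressed ZIP
    print("unpacked apk:", scan_apk(apk))
```

The HTML rule is deliberately a vote over several field names rather than a single string, because kits change wording but still have to ask for the same documents. With real yara, run the DEX rule on the extracted classes*.dex files (or on the APK with a scanner that unpacks archives); matching it against the .apk bytes fails for the same reason the last print shows False.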
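The Phishing Email Analysis section lists the header and link signals of a KYC scam mail. The following Python is an added example for this page, not code from the original post: it parses a raw message with the standard library and reports each of those signals. The official-domain set and the free-mail list are assumptions; both messages are constructed, the scam one reusing the sender address and domains from the post's IOC list.

```python
"""Header and link checks for a suspected KYC phishing email.

Added example for this page (not code from the original Quick Heal post).
It parses a raw message with the standard library and reports the signals
the post lists. OFFICIAL_DOMAINS and FREE_MAIL are assumptions; the two
messages are constructed (the scam one reuses domains from the post's IOCs).
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

OFFICIAL_DOMAINS = {"hdfcbank.com"}  # assumed: the brand's real domains
FREE_MAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}
URGENT = re.compile(r"expire|suspend|block|immediately|within 24 hours|last warning", re.I)
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _domain(addr) -> str:
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()


def _is_official(dom: str, official: set) -> bool:
    return any(dom == o or dom.endswith("." + o) for o in official)


def analyse_email(raw: bytes, official: set = OFFICIAL_DOMAINS) -> dict:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_dom = _domain(msg.get("From", ""))
    reply_dom = _domain(msg.get("Reply-To", ""))
    return_dom = _domain(msg.get("Return-Path", ""))
    msgid_dom = str(msg.get("Message-ID", "")).rpartition("@")[2].strip("<> ").lower()
    findings = []
    if from_dom and not _is_official(from_dom, official):
        findings.append(f"From domain {from_dom} is not an official domain")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From (replies go to the scammer)")
    if return_dom and return_dom != from_dom:
        findings.append(f"Return-Path domain {return_dom} differs from From")
    if reply_dom in FREE_MAIL or return_dom in FREE_MAIL:
        findings.append("Reply-To/Return-Path on a free webmail provider")
    if msgid_dom and not _is_official(msgid_dom, official):
        # weak on its own: legitimate bulk senders also relay through third-party MTAs
        findings.append(f"Message-ID host {msgid_dom} unrelated to the claimed sender")
    if URGENT.search(str(msg.get("Subject", ""))):
        findings.append("urgency wording in Subject")
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    for href, text in LINK_RE.findall(html):
        link_dom = (urlparse(href).hostname or "").lower()
        if link_dom and not _is_official(link_dom, official):
            label = re.sub(r"<[^>]+>", "", text).strip()
            findings.append(f"link '{label}' points to {link_dom}")
    return {"from_domain": from_dom, "findings": findings, "suspicious": len(findings) >= 3}


# Constructed messages. The scam one reuses the post's IOCs; the From domain is assumed.
SCAM_EMAIL = b"""Return-Path: <kyc-support@outlook.com>
From: HDFC Bank KYC Team <alerts@hdfcbank-kycupdate.com>
Reply-To: kyc-support@outlook.com
To: customer@example.in
Subject: Your KYC Has Expired - account will be suspended within 24 hours
Message-ID: <20250806091200.4521@mail.kyc-update-rbi.org>
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer, your KYC has expired.
<a href="https://hdfc-verifykyc.com/update?u=4521"><b>Verify Now</b></a> to avoid suspension.</p>
</body></html>
"""

LEGIT_EMAIL = b"""Return-Path: <bounces@hdfcbank.com>
From: HDFC Bank <alerts@hdfcbank.com>
To: customer@example.in
Subject: Your August statement is ready
Message-ID: <stmt.2025-08.77@hdfcbank.com>
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://www.hdfcbank.com/statements">View statement</a></p></body></html>
"""

if __name__ == "__main__":
    for raw in (SCAM_EMAIL, LEGIT_EMAIL):
        r = analyse_email(raw)
        print(r["from_domain"], r["suspicious"], *r["findings"], sep="\n  ")
```

None of these checks depends on DMARC: the scam message would pass SPF and DKIM for hdfcbank-kycupdate.com if the scammer set them up, which is exactly why the From domain itself, the Reply-To redirection and the link target have to be judged against the bank's real domains.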