Millions of Indian vehicle owners targeted in browser-based e-Challan phishing scam

A sophisticated new phishing campaign targeting Indian vehicle owners marks a troubling evolution in cybercrime, shifting decisively from malware-driven attacks to low-friction, browser-based fraud. According to fresh findings from Cyble Research and Intelligence Labs, attackers are now exploiting public trust in Regional Transport Office (RTO) services through more than 36 fake e-Challan domains—many of which remain active—making this one of the most persistent and scalable fraud operations seen in recent months.

The campaign relies on realism rather than technical complexity. Victims receive SMS messages warning of overdue traffic fines, often accompanied by threats of licence suspension, court summons, or legal action. These messages contain shortened links that redirect users to professionally cloned government portals, complete with MoRTH branding and NIC-style insignia. Once there, the fraud unfolds entirely within the browser, requiring no app downloads or malware installation—dramatically widening the potential victim base.
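The SMS-and-link stage described above is the point where a gateway filter or SOC triage rule can act. The block below is an added example written for this page, not tooling from Cyble or from the campaign; the sample messages, the shortener list and the keyword lists are constructed assumptions. It shows why the domain check has to be label-aware rather than a substring match: a lookalike host such as echallan-parivahan-gov.in contains the string gov.in but is an ordinary .in registration, whereas anything genuinely under the restricted gov.in or nic.in suffix can only be registered by NIC.

```python
"""SMS link triage for e-Challan style lures (added example, not Cyble's tooling)."""
import re
from urllib.parse import urlparse

# Constructed sample messages for this example; they are not captured campaign SMS.
SAMPLE_MESSAGES = [
    "Your traffic challan of Rs 590 is pending. Pay before 20/06 to avoid "
    "licence suspension: https://bit.ly/3xAbCdE",
    "E-CHALLAN NOTICE: court summons will follow if unpaid. Pay now at "
    "https://echallan-parivahan-gov.in/pay?id=7781",
    "Your e-challan details can be viewed at https://echallan.parivahan.gov.in/",
    "Delivery failed. Reschedule your parcel: https://delhivery-reschedule.example/x",
]

# Hosts under these restricted suffixes can only be registered by the Indian
# government (NIC); anything else claiming to be an RTO is a lookalike.
OFFICIAL_SUFFIXES = ("gov.in", "nic.in")
# Common public shorteners (assumption: extend with whatever your SMS gateway sees).
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly", "is.gd", "rb.gy", "rebrand.ly"}
# Words the lure uses in hostnames/paths to look like an RTO service (assumed list).
LURE_KEYWORDS = ("challan", "parivahan", "rto", "traffic", "fine")
# Stems of the urgency cues the article describes (assumed list; stems so that
# "suspen" matches both "suspend" and "suspension").
URGENCY_CUES = ("suspen", "legal action", "court", "summons", "pay before",
                "pay now", "immediately", "last date")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_official(host: str) -> bool:
    """True only if host is exactly a restricted suffix or a subdomain of one.

    A label-aware check matters: 'echallan-parivahan-gov.in' contains 'gov.in'
    but is a commercial .in registration, so substring matching would pass it.
    """
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in OFFICIAL_SUFFIXES)


def classify_url(url: str) -> tuple[str, str]:
    """Return (category, host) for one extracted link."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    if is_official(host):
        return "official", host
    if host in URL_SHORTENERS:
        # The destination is hidden; treat as a redirect to an unknown site.
        return "shortened", host
    if any(k in host or k in path for k in LURE_KEYWORDS):
        return "lookalike", host
    return "non_official", host


def triage(message: str) -> dict:
    """Score one SMS: link categories plus urgency cues, as a filter rule would."""
    text = message.lower()
    urls = URL_RE.findall(message)
    links = [classify_url(u) for u in urls]
    cues = [c for c in URGENCY_CUES if c in text]
    flagged = [(cat, host) for cat, host in links if cat != "official"]
    if not urls:
        verdict = "no_link"
    elif flagged:
        verdict = "suspicious"
    else:
        verdict = "official"
    return {"verdict": verdict, "links": links, "urgency_cues": cues,
            "reasons": [f"{cat} link to {host}" for cat, host in flagged]}


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        r = triage(msg)
        print(f"{r['verdict']:<10} cues={len(r['urgency_cues'])} {r['reasons'] or r['links']}")
```

Run as-is it prints one verdict per constructed message: the shortened link, the gov.in lookalike and the logistics lure are all flagged, while only the genuine echallan.parivahan.gov.in link passes. In a real deployment the shortener category would be expanded by following the redirect in a sandbox before classifying the final host, which this offline example deliberately does not do.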

Investigators say this design choice is deliberate. “This campaign represents a clear pivot from Android malware to browser-based fraud, lowering technical barriers and expanding reach,” said Daksh Nakra, Senior Manager of Research and Intelligence at Cyble. The psychological manipulation is precise. Regardless of what vehicle number a user enters, the portal dynamically generates a believable violation record, typically showing a modest fine of around ₹590 with a near-term deadline. There is no backend verification; the goal is urgency, not accuracy.

The payment stage reveals the attackers' intent even more clearly. Victims are funneled into pages that accept only credit or debit cards, conspicuously avoiding UPI or net banking: a stolen card number, expiry date and CVV can be replayed for card-not-present purchases elsewhere, whereas UPI and net banking require the victim to authorise each transaction from their own app or bank session, which is far harder to abuse at scale. Users are prompted to enter full card details under the false claim that payments are being processed through Indian banks. The form even allows repeated submissions, quietly harvesting every set of card details entered.

What makes this campaign especially effective is its deep localisation. SMS messages originate from Indian mobile numbers registered with Reliance Jio Infocomm Limited, and investigators found connections to bank accounts associated with State Bank of India. This combination of a familiar telecom operator and a trusted public-sector bank significantly boosts credibility, making victims far more likely to comply than they would with messages routed through foreign gateways.

Cyble’s infrastructure analysis suggests this is not an isolated scam but part of a professionalised fraud operation spanning multiple sectors. The same backend infrastructure used for fake e-Challan portals has also been observed powering phishing lures impersonating banking brands and logistics companies, including DTDC and Delhivery. Consistent design patterns, identical payment-harvesting logic, and automatically generated domains point to a shared, rotating infrastructure built for resilience against takedowns.

There are signs of global reuse as well. Some phishing content was originally authored in Spanish and later translated via browser prompts, suggesting recycled templates adapted for the Indian market. While browser-level protections such as Microsoft Defender occasionally raise warnings, researchers note that urgency cues—legal threats, deadlines, and fear of penalties—often override user caution.

The implications extend well beyond traffic violations. This campaign underscores a broader shift in cybercrime toward scalable, trust-based deception that targets everyday digital interactions with government, banks, and service providers. As long as these domains remain active, the risk is ongoing—not just for vehicle owners, but for users across BFSI, logistics, and public digital services.

For citizens, the lesson is stark. Traffic fines should always be verified directly through the official Parivahan portals, parivahan.gov.in and its e-Challan service at echallan.parivahan.gov.in, reached by typing the address rather than by following links in unsolicited messages. For enterprises and policymakers, the episode is a reminder that fraud is increasingly exploiting institutional trust itself, and that defending against it requires faster takedowns, stronger telecom and banking coordination, and sustained public awareness before familiarity becomes the attackers' most powerful weapon.
