A sophisticated multi-stage phishing campaign is actively targeting PNB MetLife Insurance customers through fake payment gateway pages.
The attack chain extracts customer details, forces fraudulent UPI payments, and escalates to full banking credential harvesting. Attackers exploit customer trust in the brand while leveraging free hosting services and Telegram bots to exfiltrate data in real time.
The pages are optimized for mobile devices a strong indicator of SMS-based delivery vectors. Analysis reveals no legitimate payment processing backend exists; all user interactions are designed purely for data theft.
Threat actors have deployed multiple phishing templates across EdgeOne Pages (a free hosting service), each impersonating the official PNB MetLife premium payment gateway.
Infrastructure Details:
| Category | Detail |
|---|---|
| Hosting Platform | EdgeOne Pages (Free hosting for rapid deployment) |
| Telegram Exfiltration Bot | @pnbmetlifesbot – Initial data collection |
| Advanced Harvesting Bot | @goldenxspy_bot – Banking credential theft |
| Operator Account 1 | @darkdevil_pnb – Real-time monitoring |
| Operator Account 2 | @prabhatspy – Data recipient account |
| Delivery Method | SMS (likely primary infection vector) |
Two-Stage Attack Flow
Stage 1: Basic Payment Fraud Template
The first phishing variant presents users with a mobile-friendly form requesting name, policy number, and mobile number.
Critically, the page implements zero input validation arbitrary values are accepted without verification. Once submitted, JavaScript silently exfiltrates this data via Telegram Bot API.
The victim is then prompted to enter a payment amount (again, no validation). After submission, the page transitions to a UPI-based payment flow, displaying a dynamically generated QR code with a countdown timer to create urgency.
The JavaScript constructs a upi://pay URI rendered as a QR code, deliberately omitting the amount parameter to force manual entry within legitimate UPI apps.
Additionally, buttons for PhonePe and Paytm use clipboard abuse techniques silently copying attacker-controlled UPI IDs to the clipboard before redirecting users to payment app deep links. This dual approach significantly increases successful fraud completion rates.
Stage 2: Advanced Credential Harvesting Template
A more dangerous variant escalates the attack beyond payment fraud. After collecting basic details, victims are presented with options such as “Update Amount,” “Refund Your Amount,” and “Add AutoDebit System” creating an illusion of legitimate policy servicing.
When selecting “Update Amount,” users enter a new premium amount and proceed to a “Bank Details for Verification” page.
Here, the attack reaches maximum severity: all banking and card details are exfiltrated to Telegram via goldenxspy_bot to operator account prabhatspy. This transforms the campaign from payment fraud into comprehensive financial credential harvesting.
Technical Attack Chain
The attack relies on client-side JavaScript for all operations:
- Data Collection: Unvalidated form inputs capture customer information.
- Silent Exfiltration: Hardcoded Telegram bot tokens and chat IDs transmit data in real-time.
- Dynamic QR Generation: JavaScript renders UPI payment URIs as QR codes.
- Clipboard Manipulation: Attacker-controlled UPI IDs silently copied to clipboard.
- App Redirection: Deep links push victims into legitimate payment apps with attacker’s UPI ID pre-populated.
The absence of backend validation at every stage confirms attackers are not conducting legitimate financial transactions the infrastructure exists solely for fraud.
- For Users: Never click premium payment links from SMS messages; always navigate directly to PNB MetLife’s official website using a bookmarked URL
- For Enterprises: Implement email and SMS filtering to block malicious domains; educate customers on phishing indicators
- For Platforms: Block EdgeOne Pages subdomains hosting phishing kits; monitor Telegram bots for financial credential theft
- For Law Enforcement: Coordinate with Telegram and hosting providers for immediate takedown; track operator accounts for attribution
This campaign demonstrates a sophisticated understanding of mobile fraud mechanics and psychological manipulation.
The abuse of free hosting platforms, legitimate payment apps, and real-time Telegram exfiltration creates a low-friction fraud operation targeting one of India’s largest insurance companies.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.