Malicious trading website drops malware that hands your browser to attackers — How to Identify & Stay Safe
Severity: HIGH
Beware in 2026: Malicious Trading Website Scam Drops Malware to Take Over Your Browser in India
A new high-risk phishing scam in India uses fake trading websites to inject malware that lets cybercriminals hijack your browser and steal sensitive data.
What Is the Malicious Trading Website That Drops Malware and Hands Your Browser to Attackers?
This scam involves cybercriminals creating fake online trading platforms mimicking popular investment sites for stocks, mutual funds, and cryptocurrencies that Indians frequently use. These fraudulent sites look highly convincing, employing professional design and even ads on Facebook, Instagram, and Google to lure investors keen to grow their money.
The target group largely includes novice traders and small investors who search for quick investment opportunities online. Given India’s soaring interest in digital finance, especially through UPI payments and mobile apps, attackers exploit the trust users place in online financial platforms.
CERT-In (Indian Computer Emergency Response Team) and I4C (Indian Cyber Crime Coordination Centre) have increasingly flagged incidents where such fake trading sites distribute malware. This malware can grant attackers full control over browsers, allowing them to intercept UPI transactions, harvest Aadhaar-linked data, steal login credentials, and even perform SIM swap attacks.
Traditional scams relied on direct phishing via emails or messages. This scam is more insidious: it uses the “software supply chain”, injecting malware silently once the victim visits the fake site. This makes the threat potentially widespread, affecting thousands of unsuspecting Indians every month.
How This Scam Works — Step by Step
1. Targeted Ads or Search Results: The victim sees ads on social media or Google Search for a “trustworthy” trading platform offering high returns, often with tempting bonuses or zero fees.
2. Clicking the Link: The victim clicks the link, which directs them to a website designed to look exactly like a legitimate trading app or website complete with fake user reviews and ratings.
3. Prompt to Download or Authorize: To “complete registration” or “get the trading app,” users are prompted to download a file or browser extension — this is the malware payload.
4. Malware Installation: Once downloaded and installed, the malware gains control over the browser. It can monitor keystrokes, capture OTPs sent over SMS or WhatsApp, and even redirect UPI payment requests.
5. Data Theft and Exploitation: Attackers use this access to steal login passwords for real trading accounts, Aadhaar-linked numbers, and banking details. They can initiate fraudulent transactions or hijack active sessions.
6. SIM Swap and Account Takeover: With stolen personal info, attackers sometimes perform SIM swaps with telecom providers, gaining access to call and message verification needed for banking apps.
Victims realize they have been tricked only when it is too late, when unauthorized UPI debits drain their bank accounts or their Aadhaar credentials are misused for identity theft.
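The download prompt described above is the point where the browser is handed over, so the permissions an extension requests in its manifest.json are worth reading before it is installed. The following added example (not part of the original advisory) flags manifest entries that make keystroke capture, session hijacking and request redirection possible; the sample manifest and the wording of the findings are constructed for illustration.

```python
import json

# Host patterns that mean "every website".
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Extension permission -> what it makes possible (wording is this example's).
RISKY = {
    "cookies": "read session cookies (session hijacking)",
    "webRequest": "observe browser traffic",
    "declarativeNetRequest": "redirect or block requests",
    "proxy": "route traffic through another server",
    "debugger": "full control of open tabs",
    "nativeMessaging": "talk to a program installed outside the browser",
}


def audit_manifest(manifest_text):
    """Return a sorted list of findings for one extension manifest.json."""
    m = json.loads(manifest_text)
    perms = set(p for p in m.get("permissions", []) if isinstance(p, str))
    # Manifest V2 lists host patterns in "permissions"; V3 uses "host_permissions".
    hosts = set(m.get("host_permissions", [])) | (perms & BROAD_HOSTS)
    findings = []
    if hosts & BROAD_HOSTS:
        findings.append("access to every website")
    for cs in m.get("content_scripts", []):
        if set(cs.get("matches", [])) & BROAD_HOSTS:
            findings.append("script injected into every page (can read typed input)")
            break
    findings += [f"{p}: {why}" for p, why in RISKY.items() if p in perms]
    return sorted(findings)


# Constructed sample, not taken from any real extension.
SAMPLE = """{
  "manifest_version": 3, "name": "Trade Helper", "version": "1.0",
  "permissions": ["cookies", "webRequest", "storage"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["c.js"]}]
}"""

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE):
        print("-", finding)
```

An empty result does not prove an extension is safe; a non-empty one for a "trading helper" is a reason not to install it.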
Real Warning Signs to Watch For
- Unsolicited ads promising guaranteed profits with “zero risk” — Genuine investments never guarantee returns.
- Website URLs that differ slightly from official platforms (e.g., amazontrade.in instead of amazon.in).
- Asking to download unknown files or browser extensions before starting trading.
- Requests for personal details like Aadhaar or PAN immediately after signup.
- Unprofessional grammar or missing official disclaimers on the site.
- No contact details or fake phone numbers on the website.
- Pop-ups requesting OTPs or payment authorizations through UPI or mobile banking without prior transaction initiation.
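The look-alike URL warning sign can be checked mechanically. The following added example (not part of the original advisory) compares a link's hostname against an allowlist of official domains and flags the amazontrade.in pattern along with a few close variants; the allowlist, the placeholder entry broker.example and the test links other than amazontrade.in are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Assumption: an allowlist the user builds from official sources.
# "broker.example" is a made-up placeholder entry.
OFFICIAL_DOMAINS = ("amazon.in", "broker.example")


def edit_distance(a, b):
    """Levenshtein distance, to catch single-character swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return (verdict, reason) for a link, judged only by its hostname."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return "suspicious", "no hostname in URL"
    if parts.username:
        return "suspicious", "text before '@' is not the real host"
    for dom in OFFICIAL_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return "official", dom
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        return "suspicious", "punycode label can hide look-alike characters"
    for dom in OFFICIAL_DOMAINS:
        brand = dom.split(".")[0]
        for label in labels:
            if brand in label:
                return "suspicious", f"'{brand}' embedded in a different domain"
            if len(label) > 3 and edit_distance(label, brand) <= 1:
                return "suspicious", f"'{label}' is one edit away from '{brand}'"
    return "unknown", "not on the allowlist; verify independently"


if __name__ == "__main__":
    # Constructed test links; only amazontrade.in appears in the article.
    for link in ("https://www.amazon.in/", "http://amazontrade.in/signup",
                 "https://amaz0n.in", "https://amazon.in.pay.example/"):
        print(link, "->", classify(link))
```

An "unknown" verdict only means the host is not on the allowlist; it still has to be verified through an official source.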
What Happens to Victims
Victims often suffer financial losses ranging from a few thousand to lakhs of rupees through unauthorized UPI transactions, bank transfers, or credit card fraud. The emotional toll is significant — with feelings of betrayal, anxiety, and helplessness common.
Moreover, compromised Aadhaar or PAN data can lead to misuse in other frauds such as fake loan applications or tax evasion. Victims face hurdles recovering funds because UPI payment reversals, while possible under RBI guidelines, require prompt reporting and sometimes lengthy investigation.
SIM swap attacks enabled by stolen data can lock victims out of their mobile phones, cutting off their primary means of two-factor authentication (2FA) and making account recovery even harder.
What RBI and CERT-In Say
The Reserve Bank of India (RBI) has issued advisories cautioning users about phishing scams that exploit investment platforms and urges verifying any digital investment platform before transacting. RBI recommends never sharing OTPs or PINs and immediately reporting unauthorized UPI debits.
CERT-In has warned about malware targeting browsers through fake websites and encourages users to keep browsers updated and avoid downloading unknown extensions or apps. The Indian Cyber Crime Coordination Centre (I4C) emphasizes educating the public about fake trading scams and encourages reporting incidents to the 1930 cybercrime helpline.
If you suspect fraud, RBI's banking helpline 14567 and CERT-In’s 1930 cybercrime helpline are official channels for assistance.
How to Protect Yourself
- Only use verified trading platforms listed on SEBI’s official website or recommended by trusted financial institutions.
- Avoid clicking on ads or links promising guaranteed returns or bonuses.
- Never download unknown files or browser extensions from investment websites.
- Check the website URL carefully — ensure HTTPS and correct spelling.
- Do not share OTPs, PINs, Aadhaar details, or UPI PINs with anyone, even if they claim to be customer support.
- Use multi-factor authentication apps rather than SMS OTP where possible.
- Keep your antivirus and browser updated to block malware downloads automatically.
What to Do If You've Been Targeted
- Immediately contact your bank to block compromised UPI accounts or cards.
- Report unauthorized transactions to your bank under RBI’s Customer Protection guidelines within 7 days.
- File a complaint at the government’s cybercrime portal (cybercrime.gov.in).
- Call the CERT-In helpline at 1930 for expert guidance on malware removal and cyber forensics.
- Lodge a police complaint at your local cybercrime police station.
- Contact your mobile service provider to check for SIM swap fraud and re-secure your phone number.
- Change passwords and enable 2FA on all important accounts.
Frequently Asked Questions
Q: How can I tell if a trading website is legitimate or fraudulent?
A: Cross-check the platform with SEBI’s official registered intermediaries list. Verify website URLs carefully and avoid sites that ask for downloads or personal info upfront.
Q: I clicked a suspicious link but didn’t download anything — am I safe?
A: You are likely safe if you did not install any files or extensions. Still, run a full antivirus scan of your device and change your passwords as a precaution.
Q: Can I get my money back if my UPI account was hacked after visiting such a site?
A: RBI guidelines allow banks to refund unauthorized UPI transactions if reported within 7 days and verified as fraud, but quicker reporting improves your chances.
If you receive suspicious messages or come across questionable websites, always pause and verify their authenticity at BharatSecure.app before taking any action. Stay alert, stay safe!