Fake DigiYatra Website was Targeting Indian Flyers using a Lookalike Portal

Threat actors posed as DigiYatra and collected personal information through a travel-themed fake website that borrowed the name of a reputable Indian government program.
Summary
To target unwary Indian air travelers, threat actors ran a fraudulent phishing website that impersonated the reputable DigiYatra Foundation. At the time of reporting, the fraudulent domain digiyatra[.]in was still live and was being used to collect user data while posing as an official service provider. Although the name matched the government-backed program, the site's behavior and design did not match the official platform.
By exploiting public trust in a digital public infrastructure project backed by the Indian government, the website deliberately misled its visitors.
Detection and Monitoring Context
Craw Security regularly analyzes domain registrations containing keywords tied to public-sector digital brands such as "DigiYatra". This is part of our Early Warning Threat Detection program, which alerts clients when suspicious domains are registered or become active.
Because it exactly matched the brand keyword, the domain digiyatra[.]in was flagged and later confirmed to be an unauthorized, malicious impersonation. Alerts were sent to national partners and brand-monitoring customers for prompt analysis and response.
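The brand-keyword and lookalike matching described above, as an added example in Python (not Craw Security's own tooling): it triages a feed of domain names against the DigiYatra brand keyword and allowlists the official digiyatrafoundation.com named at the end of this report. The sample feed is constructed (only digiyatra.in and digiyatrafoundation.com appear in the report), and the homoglyph map and the naive label extraction are assumptions.

```python
BRAND = "digiyatra"
# The only official domain the report names; any other brand match is suspect.
ALLOWLIST = {"digiyatrafoundation.com"}
# Constructed sample feed: only digiyatra.in and digiyatrafoundation.com appear in the report.
SAMPLE_FEED = [
    "digiyatra.in",             # exact brand keyword under a different operator (reported case)
    "digiyatrafoundation.com",  # official site
    "digi-yatra-booking.com",   # separator variant (hypothetical)
    "dlgiyatra.co",             # homoglyph 'l' for 'i' (hypothetical)
    "digiyatrra.net",           # one-character typo (hypothetical)
    "yatra-deals.in",           # shares 'yatra' only; should stay clean (hypothetical)
]

def registrable_label(domain):
    """Leftmost label after dropping 'www'; naive, no public-suffix list."""
    parts = domain.lower().strip(".").split(".")
    if parts and parts[0] == "www":
        parts = parts[1:]
    return parts[0] if parts else ""

def fold(label):
    """Drop separators and map common homoglyphs so lookalikes compare against the brand."""
    label = label.replace("-", "").replace("_", "")
    return label.translate(str.maketrans({"l": "i", "1": "i", "0": "o", "3": "e"}))

def edit_distance(a, b):
    """Levenshtein distance: insert, delete or substitute, cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Verdict: allowlisted, keyword-match, lookalike, typosquat or clean."""
    if domain.lower().removeprefix("www.") in ALLOWLIST:
        return "allowlisted"
    raw = registrable_label(domain)
    if BRAND in raw:
        return "keyword-match"
    folded = fold(raw)
    if BRAND in folded:
        return "lookalike"
    return "typosquat" if edit_distance(folded, BRAND) <= 1 else "clean"

def triage(feed):
    """Every non-clean domain with its verdict, for analyst review."""
    return {d: v for d in feed if (v := classify(d)) != "clean"}
```

Matches are a triage signal for an analyst, not a verdict on their own; the allowlist is what separates the genuine site from the registrations that merely reuse its name.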
What the Fake Website Was Doing
Although the domain name exactly matched the government's DigiYatra brand, the site's structure and content did not correspond to any official service. Its design, layout, and user experience resembled a flight-ticket booking platform, which the DigiYatra Foundation did not offer.
Our threat research team observed the following on the page:
- A flight search box.
- A user form requesting an email address, phone number, and name.
Although it looked like a booking interface, no real ticket sales or transactions took place. By mimicking a genuine service experience, the interface appeared to exist solely to harvest data, tricking visitors into submitting PII.
Details and Indicators of Compromise (IOCs)
Domain Name | digiyatra[.]in
IP Address | 167[.]172[.]151[.]164 (also directly accessible at hxxp://167[.]172[.]151[.]164:3000)
WHOIS Registrant | Ali Sajil (Kerala, India; remaining details redacted for privacy)
Domain Creation Date | July 21, 2022
Domain Expiry Date | July 21, 2025
SSL Certificate | Let's Encrypt, a free and automated certificate authority (a valid HTTPS certificate says nothing about the site's legitimacy)
Risk Assessment
The continued operation of this phishing domain posed serious risks from several angles:
Data Privacy Risk | Sensitive user data was being gathered under false pretenses.
Public Deception | Users perceived the service as connected to DigiYatra or the Indian government.
Reputational Damage | Misuse of a reputable government initiative undermined public trust.
Lack of Awareness | The design mismatch between the fake flight portal and the real service was subtle enough to fool non-technical users.
Craw Security rated the domain a high-severity impersonation threat, chiefly because of its use of the brand keyword, its abuse of trust, and its collection of unverified data.
Craw Security Response Actions
Our Cyber Threat Intelligence team acted immediately:
- Distributing early-warning notifications to brand-protection customers.
- Escalating the domain to CERT-In and other relevant government bodies.
- Sending a takedown request to the domain registrar.
- Scanning for related impersonating domains using keyword-variation patterns.
- Recommending DNS-level blocks for 167[.]172[.]151[.]164 and digiyatra[.]in.
Mitigating the Risk with Craw Security's All-Around Security
Organizations that run public-facing digital services, particularly those supporting government programs, were urged to adopt proactive brand protection and impersonation detection. Staying reactive is no longer enough when attackers increasingly lean on official-sounding names and government-trusted branding for leverage.
Craw Security's Brand Protection Suite has steadily helped organizations reduce their exposure to such attacks by providing:
- Round-the-clock domain-abuse monitoring covering DNS, keyword, and typo-squatted registrations.
- Real-time phishing-site detection and early-warning alerts to limit the damage.
- Monitoring of executive and brand misuse, including impersonation of institutions and leadership.
- Coordinated manual and automated takedowns with hosting providers and registrars.
Conclusion
By posing as a travel agency under the stolen name of a government program, the domain digiyatra[.]in deliberately abused public confidence. The campaign is a clear illustration of how attackers compromise user data by combining deceptive design with authentic branding.
We strongly encourage all users to avoid imitation websites, even those that appear secure because they use HTTPS, and to use only the genuine DigiYatra Foundation website at hxxps://www[.]digiyatrafoundation[.]com.
Craw Security, the sister vertical of News4Hackers and well known for delivering quality VAPT services to organizations that need them, remains dedicated to protecting the integrity of digital public infrastructure through real-time detection, investigation, and coordinated response.
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.