On May 2nd Indian Central Railway Authorities arrested a 32-year-old man who used alleged software to book tatkal train tickets.
According to reports the authorities have seized around 6000 e-tickets which is value around Rs 1.5 crores ($223,000).
The accused operates a network of 5,400 agents across the country to whom he rented the software for Rs 700 per month to book train tickets.
Attacker utilized a flaw in ticket reservation system which allowed agents to book multiple tatkal tickets in a single click. Once installed agents need a username and password which will be provided by the attacker.
According to officials, the agents can open multiple windows at the same time in which the data like passenger information, train detail and mode of payment will be filled before the booking time opens.
Once booking opens in a single click the software will bypass IRCTC captcha and bank OTPs which allow agents to book ticket quickly.
Usually, it takes more than one minute to book a single tatkal ticket but by using this software agents can book multiple tatkal tickets in less than one minute.
According to Prof(Dr)Triveni Singh, Addl. SP (Cyber Crime), STF, UP Police “Through these software agents only used to fill passenger and train details along with the mode of payment, and the multiple booking happened automatically at a single click. The software even bypassed security features like CAPTCHA fields that are added to a website to check if a user is human or an automated programme. “
“Built-in features in this illicit software included: Captcha Readers ( OCR based), paid Proxy IP services, Direct inward Dialled numbers based on VoIP architecture, OTP bypassing mechanisms, Robo ( Auto Form Fill ), Payment Gateway and eWallet services on fake KYC, complex chain of Indian and Foreign servers. Software developers and super, retail sellers were in touch on virtual numbers and used to install App on merchant system through RAT tools.”
Read more on: New Cyber Espionage Campaign ZooPark Targets Middle East
The raid was conducted by a combined team of Railway Police Force (RPF), Crime Intelligence Branch (Panvel) and the anti-tout squad of Chatrapati Shivaji Maharaj Terminus and Oshivara Police in Jogeshwari (West).