Blog – Cyble, by Ashish Khaitan

Desperate Perth Renters Targeted by Rising Australian Housing Scam

2 February 2026, 09:50


For many residents in Perth, finding a rental has become a high-stakes challenge. As demand for housing surges, a troubling trend has emerged: an Australian housing scam preying on renters who are willing to stretch every dollar to secure a roof over their heads. These rent scams, often orchestrated by individuals posing as private landlords on online platforms like Facebook Marketplace, have left victims financially and emotionally drained.

The scheme typically begins with a seemingly genuine rental listing. Scammers steal photos from legitimate properties and post them online, offering rent well below the market rate. In Perth, median rental prices are at historic highs, with houses averaging $700 per week and units $670. Scammers exploit this stress by pitching “exclusive” opportunities that seem almost too good to be true. 

The Mechanics of the Australian Housing Scam 

Messages from these fraudsters are carefully crafted to manipulate potential tenants. One such message promises that the apartment will be “reserved exclusively only for you” in exchange for a security deposit or “commitment fee” of just a few hundred dollars. The deposit is presented as fully refundable or deductible from the first week’s rent. In reality, once the money is transferred, the scammer vanishes, leaving victims without the property and out of pocket. 

WA Commissioner for Consumer Protection, Trish Blake, describes the situation as a “perfect playground for scammers.” She explains that the perpetrators often groom their targets by appealing to their sense of urgency and personal integrity, portraying themselves as allies to those struggling in the rental market. “They’ll tell you that you’re a real battler, that you’re a good person, and that they want to help you out,” Blake said, as reported by Nine News.

Rising Numbers and Financial Impact 

The scale of the problem is growing. In 2025, WA ScamNet, part of the Department of Local Government, Industry Regulation and Safety, documented 20 cases of rental scams, totaling losses of $51,875, a 27 percent increase from the previous year. Scammers typically provide a property address for drive-by inspections but evade any requests for in-person viewings. To add credibility, fake rental agreements featuring official logos may be used, and tenants are pressured to pay via bank transfer, bypassing safer, traceable channels. 

Rob Mandanici, a member of the Real Estate Institute of Western Australia, stresses the emotional pressure on renters. “People have pure desperation, and they will do what they can for their family, thinking they’re doing the right thing while potentially dealing with unsavoury characters,” he said. 

Commerce Minister Dr. Tony Buti noted the heartbreak of seeing renters targeted in this way. “It is particularly heartbreaking to see scammers targeting renters because they know they are under pressure and may take risks to secure a property,” he said. He advises tenants to insist on inspecting the property in person and to treat unusually cheap rent as a red flag. 

Why Perth Is Vulnerable to Housing and Rent Scams 

Several factors make Perth an ideal environment for this type of Australian housing scam. Rental vacancies are low, demand is high, and properties are snatched quickly, often in as little as 16 days. This scarcity creates a sense of urgency among renters, which scammers exploit. 

The Cook Government has issued repeated warnings to Western Australian tenants to remain vigilant, especially when dealing with private landlords or online marketplaces. Inspecting the property before paying, verifying the landlord’s identity, and consulting licensed real estate agents are critical protection methods. 

Several practical tips to avoid falling victim to rental scams include: 

  • Be suspicious of properties advertised for well below market rent. 

  • Do not rely solely on photos; perform reverse image searches to verify authenticity. 

  • Check the property on reputable real estate websites and contact previous listing agents. 

  • Avoid landlords or listings that use the same email address for multiple properties. 

  • Always inspect the property in person before signing a lease or paying funds. 

  • Ensure a formal lease agreement (Form 1AA) and keys are provided before transferring any money. 

  • Be cautious with direct bank transfers; only pay verified landlords or licensed agents. 

Scams can be reported through the WA ScamNet website, or further guidance on rent is available via the Consumer Protection website. The Australian housing scam in Perth is more than a financial threat; it exploits human vulnerability in a market under immense pressure.  

Renters facing high prices and fierce competition must combine caution with diligence, balancing urgency with verification. While there is no substitute for careful vetting, awareness and education remain the most effective defense against campaigns like the Australian housing scam.


RTO Scam Wave Continues: A Surge in Browser-Based e-Challan Phishing and Shared Fraud Infrastructure

23 December 2025, 12:21


Following our earlier reporting on RTO-themed threats, CRIL observed a renewed phishing wave abusing the e-Challan ecosystem to conduct financial fraud. Unlike earlier Android malware-driven campaigns, this activity relies entirely on browser-based phishing, significantly lowering the barrier for victim compromise. During the course of this research, CRIL also noted that similar fake e-Challan scams have been highlighted by mainstream media outlets, including Hindustan Times, underscoring the broader scale and real-world impact of these campaigns on Indian users.

The campaign primarily targets Indian vehicle owners via unsolicited SMS messages claiming an overdue traffic fine. The message includes a deceptive URL resembling an official e-Challan domain. Once accessed, victims are presented with a cloned portal that mirrors the branding and structure of the legitimate government service. At the time of this writing, many of the associated phishing domains were active, indicating that this is an ongoing and operational campaign rather than isolated or short-lived activity.

The same hosting IP was observed serving multiple phishing lures impersonating government services, logistics companies, and financial institutions, indicating a shared phishing backend supporting multi-sector fraud operations.

The infection chain, outlined in Figure 1, showcases the stages of the attack.

Figure 1: Campaign Overview


Key Takeaways

  • Attackers are actively exploiting RTO/e-Challan themes, which remain highly effective against Indian users.
  • The phishing portal dynamically fabricates challan data, requiring no prior victim-specific information.
  • The payment workflow is deliberately restricted to credit/debit cards, avoiding traceable UPI or net banking rails.
  • Infrastructure analysis links this campaign to BFSI and logistics-themed phishing hosted on the same IP.
  • Browser-based warnings (e.g., Microsoft Defender) are present but frequently ignored due to urgency cues.

A sense of urgency, evidenced in this campaign, is usually a sign of deception. By demanding a user’s immediate attention, the intent is to make a potential victim rush their task and not perform due diligence.

Users must accordingly exercise caution, scrutinize the domain and sender, and never trust any unsolicited links.

Technical findings

Stage 1: Phishing SMS Delivery

The attack we first identified started with victims receiving an SMS stating that a traffic violation fine is overdue and must be paid immediately to avoid legal action. The message includes:

  • Threatening language (legal steps, supplementary charges)
  • A shortened or deceptive URL mimicking e-Challan branding
  • No personalization, allowing large-scale delivery

The sender appears as a standard mobile number, which increases delivery success and reduces immediate suspicion. (see Figure 2)

Figure 2: Fraudulent traffic violation SMS delivering a malicious e-Challan payment link

Stage 2: Redirect to Fraudulent e-Challan Portal

Clicking the embedded URL redirects the user to a phishing domain hosted on 101[.]33[.]78[.]145.

The page content is originally authored in Spanish and translated to English via browser prompts, suggesting the reuse of phishing templates across regions. (see Figure 3)

Figure 3: Fake e-Challan landing page

The Government insignia, MoRTH references, and NIC branding are visually replicated. (see Figure 3)

Stage 3: Fabricated Challan Generation

The portal prompts the user to enter:

  • Vehicle Number
  • Challan Number
  • Driving License Number

Regardless of the input provided, the system returns:

  • A valid-looking challan record
  • A modest fine amount (e.g., INR 590)
  • A near-term expiration date
  • Prominent warnings about license suspension, court summons, and legal proceedings

This step is purely psychological validation, designed to convince victims that the challan is legitimate. (see Figure 4)

Figure 4: Fraudulent e-Challan record generated

Stage 4: Card Data Harvesting

Upon clicking “Pay Now”, victims are redirected to a payment page claiming secure processing via an Indian bank. However:

  • Only credit/debit cards are accepted
  • No redirection to an official payment gateway occurs
  • CVV, expiry date, and cardholder name are collected directly

During testing, the page accepted repeated card submissions, indicating that all entered card data is transmitted to the attacker backend, independent of transaction success. (see Figure 5)

Figure 5: E-Challan payment page restricted to card-only transactions

Infrastructure Correlation and Campaign Expansion

CRIL identified another attacker-controlled IP, 43[.]130[.]12[.]41, hosting multiple domains impersonating India’s e-Challan and Parivahan services. Several of these domains follow similar naming patterns and closely resemble legitimate Parivahan branding, including domains designed to look like Parivahan variants (e.g., parizvaihen[.]icu). Analysis indicates that this infrastructure supports rotating, automatically generated phishing domains, suggesting the use of domain generation techniques to evade takedowns and blocklists.

Figure 6: Secondary phishing infrastructure supporting fake e-Challan portals

The phishing pages hosted on this IP replicate the same operational flow observed in the primary campaign, displaying fabricated traffic violations with fixed fine amounts, enforcing urgency through expiration dates, and redirecting victims to fake payment pages that harvest full card details while falsely claiming to be backed by the State Bank of India.

This overlap in infrastructure, page structure, and social engineering themes suggests a broader, scalable phishing ecosystem that actively exploits government transport services to target Indian users.

Further investigation into IP address 101[.]33[.]78[.]145 revealed more than 36 phishing domains impersonating e-Challan services, all hosted on the same infrastructure.

The infrastructure also hosted phishing pages targeting:

  • BFSI (e.g., HSBC-themed payment lures)
  • Logistics companies (DTDC, Delhivery) (see Figures 7,8)

Figure 7: DTDC-themed phishing page impersonating a failed delivery notification

Figure 8: Fake DTDC address update page used for data harvesting

Consistent UI patterns and payment-harvesting logic across campaigns

This confirms the presence of a shared phishing infrastructure supporting multiple fraud verticals.

SMS Origin and Phone Number Analysis

As part of the continued investigation, CRIL analyzed the originating phone number used to deliver the phishing e-Challan SMS. A reverse phone number lookup confirmed that the number is registered in India and operates on the Reliance Jio Infocomm Limited mobile network, indicating the use of a locally issued mobile connection rather than an international SMS gateway.

Additionally, analysis of the number showed that it is linked to a State Bank of India (SBI) account, further reinforcing the campaign’s use of localized infrastructure. The combination of an Indian telecom carrier and association with a prominent public-sector bank likely enhances the perceived legitimacy of the scam and increases the effectiveness of government-themed phishing messages. (see Figure 9)

Figure 9: Phone number intelligence linked to the e-Challan phishing campaign

Conclusion

This campaign demonstrates that RTO-themed phishing remains a high-impact fraud vector in India, particularly when combined with realistic UI cloning and psychological urgency. The reuse of infrastructure across government, logistics, and BFSI lures highlights a professionalized phishing operation rather than isolated scams.

As attackers continue shifting from malware delivery to direct financial fraud, user awareness alone is insufficient. Infrastructure monitoring, domain takedowns, and proactive SMS phishing detection are critical to disrupting these operations at scale.

Our Recommendations:

  • Always verify traffic fines directly via official government portals, not SMS links.
  • Organizations should monitor for lookalike domains abusing government and brand identities.
  • SOC teams should track shared phishing infrastructure, as takedown of one domain may disrupt multiple campaigns.
  • Telecom providers should strengthen SMS filtering for financial and government-themed lures.
  • Financial institutions should monitor for card-not-present fraud patterns linked to phishing campaigns.
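
The lookalike-domain monitoring and shared-infrastructure tracking recommended above can be combined in one pass over passive-DNS style data. The sketch below is an added example, not CRIL's tooling: the brand list, the 0.75 threshold, the `.gov.in` allowlist suffix and every sample row except parizvaihen[.]icu are assumptions made for illustration.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher

# Brand keywords for the services the report says were impersonated.
BRANDS = ["echallan", "parivahan", "delhivery", "dtdc", "hsbc"]
# Assumption: official suffixes that must never be flagged.
ALLOWED_SUFFIXES = (".gov.in",)

def refang(indicator):
    """Convert a defanged indicator (parizvaihen[.]icu) to its plain form."""
    return indicator.strip().lower().replace("[.]", ".")

def brand_match(domain, threshold=0.75):
    """Return (brand, score) if the leftmost label imitates a brand, else None."""
    if domain.endswith(ALLOWED_SUFFIXES):
        return None
    label = re.sub(r"[^a-z]", "", domain.split(".")[0])
    best = None
    for brand in BRANDS:
        if brand in label:
            score = 1.0                      # brand embedded verbatim
        elif len(brand) <= 4:
            continue                         # short names: fuzzy match is too noisy
        else:
            score = SequenceMatcher(None, brand, label).ratio()
        if score >= threshold and (best is None or score > best[1]):
            best = (brand, round(score, 2))
    return best

def shared_infrastructure(records, min_domains=2):
    """Group flagged domains by hosting IP; keep IPs serving several lures."""
    by_ip = defaultdict(dict)
    for domain, ip in records:
        name = refang(domain)
        hit = brand_match(name)
        if hit:
            by_ip[refang(ip)][name] = hit[0]
    return {ip: hits for ip, hits in by_ip.items() if len(hits) >= min_domains}

# (domain, ip) rows. The first pair is from the report above; the rest are
# constructed samples on documentation addresses (RFC 5737).
RECORDS = [
    ("parizvaihen[.]icu", "43[.]130[.]12[.]41"), ("echallan-pay[.]example", "203[.]0[.]113[.]10"),
    ("dtdc-redeliver[.]example", "203[.]0[.]113[.]10"), ("delhivrey[.]example", "203[.]0[.]113[.]10"),
    ("weather-report[.]example", "203[.]0[.]113[.]10"), ("echallan.parivahan.gov.in", "203[.]0[.]113[.]20"),
]
for ip, hits in shared_infrastructure(RECORDS).items():
    print(ip, sorted(hits.items()))
```

An IP whose flagged domains span several brands, as the constructed 203.0.113.10 does here, is the multi-sector pattern the report describes and a candidate for blocking at the address level rather than per domain.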

MITRE ATT&CK® Techniques

| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1566.001 | Phishing: Spearphishing via SMS |
| Credential Access | T1056 | Input Capture |
| Collection | T1119 | Automated Collection |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
| Impact | T1657 | Financial Theft |

Indicators of Compromise (IOCs)

The IOCs have been added to this GitHub repository. Please review and integrate them into your Threat Intelligence feed to enhance protection and improve your overall security posture.

