The Uttar Pradesh police have busted a cyber-gang that was hacking into the website of the State’s road transport corporation and booking online tickets without payment.
Four persons, including two minors, were arrested by the Special Task Force of the State police on Friday. The two adult accused were identified as Amit Kumar Bharti and Mudit Sharma, both from Kanpur.
The matter came to light after the Uttar Pradesh State Road Transport Corporation (UPSRTC) complained that it was not receiving payment in accordance to the number of online bookings made on its official website. This had been going on for several months, police said.
The gang was busted after an operation by the U.P. STF. The accused had been exploiting the vulnerabilities of the online payment system of the UPSRTC website to book counterfeit e-tickets though a web application security testing software called ‘Burp Suite’, police said. They would then sell these tickets to common people at discounted rates through networks on WhatsApp groups and Facebook.
“Through Burp Suite, a ‘man in the middle attack’ [technology] was used to tamper with the payment confirmation data going to the UPSRTC through payment gateway,” the STF said in a statement. Even when no payment was made, the website would allegedly get a fake successful payment confirmation.
Amitabh Yash, IG STF, told The Hindu that the accused were exploiting some “flaws in the payment gateway of the bank”, which have been now patched up.
Guru Prasad, the managing director of UPSRTC, said the hackers had caused it a loss of ₹9.42 lakh. The accused will face charges for cheating and under Section 66D of the IT Act.
With a fleet size of over 11,833 buses, the UPSRTC operates over 24. 54 crore kilometers, catering to the travel needs of over 10.38 crore people, as per its website.