Monday, 15 November 2021

Phishing at its worst!

I came across this post on Facebook, written by a chap called Smith Ang. I thought it was significant enough to warrant a reproduction on my blog. The incident shows that you cannot trust seemingly innocent posts on the Internet nowadays, social media included. We have to be very careful about the information we disclose. So this is the Facebook post in question....

This is the Most Sophisticated Phishing I've seen so far. And it happened to me minutes ago.

Part 1: The Bait - Creating the Perfect Avenue

I've been searching for cleaners, and Facebook prompted one of the ads that caught my attention. Promotion! Who doesn't like a good 50% promo 🙂

Part 2: The Hook - The Power of "Call To Action"

The "Call To Action" of the ads will bring you directly to the "vendor" WhatsApp. As you can see in the WhatsApp chat, I was asked to download an app, an APK file to be exact. Rarely do vendors ask their customers to download APK files directly; most will give you a link to the official app store. (Tip 1: Don't trust anyone that sends you an .APK file. That doesn't mean the official app store is safe either.)

Part 3: The Trojan

After installing, the app requested SMS read permission. Huh? Why do you need that for a Maid Booking App? (Tip 2: If an app requests permission for something more than it should, then it shouldn't.)

Part 4: Intel Gathering

The app is well-built, even had its PDPA disclosure done correctly. The registration info required is Name, Email, Password, Mobile Number. Upon finding the date and package I wanted, I had to key in my address.

Part 5: The Bank

Now comes the part where I have to make payment. Conveniently, the credit card payment is grayed out ("Under maintenance"); the only option available is FPX. There are a few banks to prey on: Maybank, Affin, Public, CIMB, BSN and RHB. After selecting the desired bank, a very familiar bank interface appears in front of you. If you see the Maybank UI, there is a note: "Note: you are in a secured site" that replaces the catchphrase. (Tip 3: Hmm... will a thief tell you he is not a thief?)

Okay, so when filling up the bank login details, no matter what you put in, it will always show "Invalid User ID or Password [Err Code: FE0067]". Now, this gibberish error code is the same for all the banks you selected. Don't tell me all the banks are using the same system developer? I had a bad feeling, but I brushed it off as I was too tired.

Part 6: Heist

The next day, I received the SMS:

RM0 PBe DO NOT share this code. DuitNow Transfer RM4,860.00 to NOORALIF SAFWA.
S/N: DC0334071 
PAC No: 
12Nov21 14:52 
For enquiry, pls call 03-21799999

I immediately logged into my bank account, and I received the "Duplicate Login" and there, what I suspected. Without hesitation, I sprang into quick finger mode. I was fighting the intruder for the login rights. Whenever I tried to change my password, I would be logged out. Years of playing Speed Typing games during my younger days boosted my typing speed +99999. I won the login match and changed the password. (Tip 4: Don't wait, stay calm and secure the situation.)

Part 7: Data Exposure

So what is the data that was exposed by using this app?

1. Name
2. Phone Number
3. Email Address
4. Mobile Phone
5. Address
6. Bank User ID
7. Bank Password

This is a very sophisticated operation. Why?

1. It preys on our (mainly me la) weakness - Got Promotion ah?

2. The entire scam ecosystem is well planned - from the curation of the marketing and advertisement to the almost flawless app.

Note: 

For those who are unaware, when you allow the app permission to read your SMS, this will include the incoming PAC/OTP code that your bank sends (SMS) to you for dual-factor authentication.

So this is my adventure on the 12th of Nov 2021.

Enjoy reading and be careful.
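The note above about SMS permission is the technical core of the scam: an app that can read SMS can read the bank's PAC/OTP. As an added example (my own, not part of Smith Ang's post), here is a small triage check that flags SMS access in a sideloaded APK's manifest. It assumes AndroidManifest.xml has already been decoded from binary AXML to plain XML (apktool does this); the sample manifest is constructed for the example.

```python
# Added example, not part of the post above: triage a sideloaded APK's manifest and
# flag the SMS access the scam app asked for. Assumes AndroidManifest.xml has already
# been decoded from binary AXML to plain XML (apktool does this); sample is constructed.
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"  # the android:name attribute

# Permissions that expose incoming SMS, and with them any PAC/OTP the bank sends.
SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                   "android.permission.RECEIVE_MMS", "android.permission.RECEIVE_WAP_PUSH"}
# Broadcast action delivered to apps that register a receiver for incoming SMS.
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

def flag_sms_access(manifest_xml: str) -> dict:
    """Return the SMS permissions and SMS broadcast receivers a manifest declares."""
    root = ET.fromstring(manifest_xml)
    permissions = sorted(
        p.get(NAME) for p in root.iter("uses-permission") if p.get(NAME) in SMS_PERMISSIONS
    )
    receivers = {
        r.get(NAME)
        for r in root.iter("receiver")
        if any(a.get(NAME) == SMS_RECEIVED_ACTION for a in r.iter("action"))
    }
    return {"permissions": permissions, "sms_receivers": sorted(receivers)}

def needs_review(manifest_xml: str) -> bool:
    """True when an app asks for SMS access at all; a booking app has no need for it (Tip 2)."""
    found = flag_sms_access(manifest_xml)
    return bool(found["permissions"] or found["sms_receivers"])

# Constructed manifest resembling what a 'booking' app that harvests OTPs would declare.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="Maid Booking">
        <receiver android:name=".SmsListener" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

if __name__ == "__main__":
    print(flag_sms_access(SAMPLE_MANIFEST), needs_review(SAMPLE_MANIFEST))
```

Run against a real decoded manifest, a non-empty result is the "Huh? Why do you need that?" moment from Part 3, caught before the app is installed rather than after.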
