
Sunday, January 16, 2022

How We Can Lose Our Bank Money

15 January 2022



Lately, there have been many reports about people losing their bank money. These people have something in common:

1. They are all customers of one particular bank;

2. They lost the money due to phishing;

3. The sum involved is pretty large, in the tens of thousands and in some cases more than SGD$100,000;

4. They all received an SMS that used the bank's sender ID; and

5. They are unaware that they have been phished.

What is phishing?

It is the fraudulent practice of attackers sending emails or SMS messages in the name of reputable companies in order to get victims to reveal personal information, such as passwords and credit card or bank account numbers.

How do they get phished?

In the present context, the attackers sent SMS messages under the name of the bank, which led the victims to believe the messages came from the bank. Usually, these phishing messages require the victim to click a web address. For example, in the SMS message shown attached, the victims must have been very surprised to receive an SMS saying that a payee account of an unknown person had been added. If the victim never knew who Mr Jones is, they would normally click the link "ocbc-help.com" to find out. The site listed is actually the phishing website.
Once the user is on that phishing webpage, which looks exactly like the bank's webpage, the victim will unsuspectingly enter their user name and password as usual in order to find out what went wrong.

How does the attacker send SMS under the bank's ID?

All the attacker needs to do is change the sender ID in the SMS to one that matches the bank's. Normally, this is not possible from a handphone, as many countries disallow the practice. If we open our SMS app, we will find that there is no way to change the sender ID.


But the attacker can always use other means to send SMS to the victims' phones, because phones today use digital signals to send and receive voice and messages. There are many service providers in the market that can send SMS by other means, such as from a PC. One of them, available in many countries, is called "Exotel". This service is using iCloud. It is believed this kind of service has not been regulated. For some reason, the service provider allows users to change the sender ID.

Why Can't the Government Block the Service?

There is no reason why the Government cannot issue directives to cellular partners and providers to block this kind of service. But it is believed that this will not help much, as attackers will always come up with other means to negate the block and carry out their phishing business in other ways. Also, there will be many difficulties in tracking down and getting rid of these attackers, because they are likely to be overseas.

Whatever the Government can do will be rather limited. But one thing is for sure: no matter how much the Government does to stamp out bank phishing, it will not solve the root problem of people being greedy and curious and easily lured into revealing their personal information.

How does the attacker transfer the money out of the bank?

No one really knows how the attacker transferred the money out of the bank. One possible scenario could be as follows:

Take the above SMS about MR C. JONES, for example. The attacker would have expected the victim to key in the user name and the password and click the "login" button when he lured the victim to the phishing page. This might have established a network link.

Clicking the login button would allow the attacker to upload spyware to the victim's phone and initiate an installation without the victim noticing anything wrong. The function of the spyware is to "listen" to, or eavesdrop on, the SMS messages on the phone.


When the attacker requested a bank transfer using the user ID and password (given earlier by the victim), the bank would, as usual, send an OTP message to the victim, which the attacker would also have received at the same time. Once the attacker is inside the victim's digital account, they will be able to do many things, including silencing subsequent SMS notifications. By the time the victim noticed something was wrong and contacted the bank to find out what had happened, the attacker would already have transferred the money out of the victim's account.


How does the Attacker Withdraw Above the Set Limits?

This is another question that most people would like answered. Usually, there are withdrawal limits set either by the bank or by the users. Once the limit is breached, the users will get at least an SMS prompt, or the bank will intercept and stop the transaction.

One possible answer is that since the attacker already has full access to the victim's digital account, he can always change the withdrawal limits. He could also change the thresholds that require token confirmation or SMS notification, as shown inside this bank's apps.



Why Can't the Bank Strengthen their Systems?

There is also no reason why the banks cannot strengthen their checking, verification and messaging systems for large sums of money being transferred out of an account. This was one of many points that victims have raised. They blamed the banks for the loss of their money.

Usually, the banks would have multiple checking and verification systems in place. Maybe all these safeguards are still not 100% foolproof. The banks should therefore carry out a thorough investigation and find out whether they could further strengthen their checking and verification systems.

The banks are relying on an SMS system, which is not very secure. They should consider using a better messaging system.
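As an added illustration (not code from the original post, and not any bank's actual system), here is a small Python model of two bank-side controls that would blunt the scenario described above, where an attacker with the victim's password and intercepted SMS OTP raises the withdrawal limit and silences notifications. The model assumes a policy of my own choosing: a limit raise must be confirmed with the bank's app or hardware token rather than an SMS OTP, it only takes effect after a cooling-off period, and the alert log cannot be switched off from inside the account. The account balance, limits and timestamps are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumed policy value (not from the post or any bank): a raise of the
# transfer limit only becomes effective after this cooling-off period.
COOL_OFF = timedelta(hours=12)


@dataclass
class Account:
    balance: int                          # SGD, whole dollars for illustration
    daily_limit: int                      # max total outgoing transfers per day
    pending_limit: Optional[int] = None   # queued raise, not yet effective
    pending_since: Optional[datetime] = None
    sent_today: int = 0
    # Alert trail the customer cannot switch off in-app; modelled as a list.
    alerts: List[Tuple[str, datetime]] = field(default_factory=list)


def request_limit_change(acct: Account, new_limit: int, now: datetime, token_ok: bool) -> bool:
    """Lowering a limit is immediate; raising it is queued until COOL_OFF passes.
    token_ok models confirmation with the app/hardware token, not an SMS OTP."""
    if not token_ok:
        acct.alerts.append(("limit_change_rejected_no_token", now))
        return False
    if new_limit <= acct.daily_limit:
        acct.daily_limit = new_limit
        acct.alerts.append(("limit_lowered", now))
        return True
    acct.pending_limit, acct.pending_since = new_limit, now
    acct.alerts.append(("limit_raise_pending", now))
    return True


def effective_limit(acct: Account, now: datetime) -> int:
    """Apply a queued raise only once the cooling-off period has elapsed."""
    if acct.pending_limit is not None and now - acct.pending_since >= COOL_OFF:
        acct.daily_limit = acct.pending_limit
        acct.pending_limit = acct.pending_since = None
        acct.alerts.append(("limit_raised", now))
    return acct.daily_limit


def transfer(acct: Account, amount: int, now: datetime) -> bool:
    """Reject any transfer exceeding today's effective limit or the balance."""
    limit = effective_limit(acct, now)
    if amount <= 0 or acct.sent_today + amount > limit or amount > acct.balance:
        acct.alerts.append(("transfer_blocked", now))
        return False
    acct.sent_today += amount
    acct.balance -= amount
    acct.alerts.append(("transfer_done", now))
    return True


def simulate_stolen_credentials() -> dict:
    """Constructed scenario: attacker holds the victim's password and SMS OTP."""
    t0 = datetime(2022, 1, 15, 9, 0)
    acct = Account(balance=120_000, daily_limit=5_000)
    # 1. Attacker tries to raise the limit; an SMS OTP alone is not accepted.
    first = request_limit_change(acct, 200_000, t0, token_ok=False)
    # 2. Worst case: assume the token check was somehow passed; raise is queued.
    second = request_limit_change(acct, 200_000, t0 + timedelta(minutes=1), token_ok=True)
    # 3. An immediate large transfer is still bounded by the old limit.
    big = transfer(acct, 100_000, t0 + timedelta(minutes=2))
    small = transfer(acct, 4_000, t0 + timedelta(minutes=3))
    # 4. Only after the cooling-off does the raise apply; the alert trail shows
    #    every step, giving the customer time to call the bank.
    later = effective_limit(acct, t0 + timedelta(hours=13))
    return {
        "first_attempt_rejected": not first,
        "raise_queued": second,
        "big_transfer_allowed": big,
        "small_transfer_allowed": small,
        "balance": acct.balance,
        "limit_after_cool_off": later,
        "alerts": [name for name, _ in acct.alerts],
    }


if __name__ == "__main__":
    for key, value in simulate_stolen_credentials().items():
        print(f"{key}: {value}")
```

The point of the model is that even if every SMS-based check is defeated, the large transfer is still blocked on the day of the compromise, and the pending raise is visible in an alert channel the attacker cannot turn off. Daily reset of `sent_today` and the real token protocol are outside the scope of the example.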

What could users do to prevent this from happening again?

There are a few good suggestions being thrown around in the forums.

Recommended

1)  Never trust any SMS or email message, and do not click any links in an SMS or email, especially those that appear to come from the banks. Always use only the bank's apps for inputs and entries;

2)  Always check that the web address is correct. If one must access the internet banking site, always use the one saved in the bookmarks and never the one in a banking SMS or email;

3)  Always log out using the apps and clear the cache after use;
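As an added example (not code from the original post) covering both the lookalike link "ocbc-help.com" in the SMS described earlier and the advice above to check that the web address is correct, here is a small Python checker that pulls every link out of an SMS body and classifies it against an allowlist of the bank's real domains. The bank domain "ocbc.com" in BANK_DOMAINS is an assumption for illustration; the lookalike "ocbc-help.com" is the one quoted in the post, and the other message texts are constructed.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist for illustration: the bank's real registered domain(s).
BANK_DOMAINS = {"ocbc.com"}

# Matches URL-looking tokens in free text; the scheme is optional because
# phishing SMS often carry a bare "ocbc-help.com" style link.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s]*)?", re.I)


def extract_urls(text: str) -> list:
    """Return every URL-looking token found in an SMS body."""
    return [m.group(0) for m in URL_RE.finditer(text)]


def classify_link(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for one URL string.

    trusted   : host is the bank's domain or a subdomain of it
    lookalike : host borrows the bank's name but is under some other domain
    unknown   : anything else (URL shorteners, unrelated sites)
    """
    if "://" not in url:
        url = "http://" + url          # give urlparse a scheme to work with
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    for domain in BANK_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return "trusted"
    # "ocbc-help.com" or "ocbc.com.example.net" contain the bank's name but
    # are registered under a different domain: the classic lookalike.
    for domain in BANK_DOMAINS:
        label = domain.split(".")[0]
        if label in host:
            return "lookalike"
    return "unknown"


def check_sms(text: str) -> dict:
    """Map each URL in the message to its verdict; an empty dict means no links."""
    return {url: classify_link(url) for url in extract_urls(text)}


if __name__ == "__main__":
    # Constructed sample messages, including the lookalike quoted in the post.
    samples = [
        "OCBC: Payee MR C. JONES has been added. If unauthorised, visit ocbc-help.com",
        "Log in at https://www.ocbc.com/ to review your account.",
        "Action required: https://ocbc.com.secure-login.net/x",
    ]
    for sms in samples:
        print(check_sms(sms))
```

The rule the code applies is the same one a person should apply by eye: the host must be exactly the bank's domain or end in "." followed by it; a host that merely contains the bank's name anywhere else, or that puts the bank's domain in front of a different registered domain, is flagged. The check is deliberately conservative and knows nothing about country-code suffixes such as ".com.sg", which would have to be added to the allowlist explicitly.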

Other Suggestions

1)  Use two devices: one for banking transactions, which could be an iPad or PC, and use the phone only for receiving OTP SMS. But this method will not help if the attacker already has the victim's user ID and password;

2)  Always test the site first by entering a false password and user ID. A phishing webpage will never be able to reject a wrong entry. But this method will also allow the attacker to upload their spyware onto one's phone;

3)  Never be lured to fake pages that offer attractive rewards, like lucky draws, job offers or the like, or any news about new notes or otherwise. This is easier said than done. Some people will find it difficult to resist such temptations.



Update:  18 January 2022

I)  The Zero-Click Attack: the Pegasus Spyware

There is a report in the Guardian about this new spyware, which has become more advanced and powerful. It was developed by the NSO Group, an Israeli company. This spyware, called "Pegasus", has the capability of carrying out a "zero-click" attack.

Conventional spyware requires the phone user to click a button on a webpage for the spyware to be uploaded to the phone. Pegasus only needs to place a WhatsApp call to the target device for the spyware to be installed. Once installed, the spyware will be able to copy messages and photos and record one's calls on a 24/7 basis. It might even turn on the phone's camera, activate the microphone to record conversations, and report where we are and who we have just met, etc.

It is understood that Pegasus spyware is presently only available for use by Government agencies. The setup price will be more than USD$300,000, as reported by the India Times.


II)   Money Gone within Minutes
