IT security researchers identified malicious apps used to steal the banking credentials of customers of eight Malaysian banks. The experts shared the details of the scheme as a preventive measure, since the technique could be replicated anywhere in the world.
Cybercriminals are trying to steal banking data using fake websites that pretend to be legitimate services. They typically use domain names very similar to those of the official services and copy the original site design directly so as to go unnoticed, ESET explains.
This campaign was first identified in late 2021. At that time the attackers posed as the legitimate Maid4u cleaning service. The hoax was distributed via Facebook ads asking potential victims to download the app, which actually contained malicious content.
In January 2022, MalwareHunterTeam shared information about three other malicious sites and Android trojans attributed to this campaign. Beyond that, ESET researchers found four other fake websites. All seven sites impersonate services available only in Malaysia: six of them offer cleaning services, such as Grabmaid, Maria’s Cleaning, Maid4u, YourMaid, Maideasy and MaidACall, while the seventh is a pet shop called PetsMore.
These fake websites do not offer the option to buy directly through them. Instead, they include links to supposedly download apps from Google Play. By clicking on these links, the user is not actually redirected to the official Google store but to servers controlled by the cybercriminals.
“To be successful, this attack requires that victims enable the ‘Install unknown apps’ option on their devices, which is disabled by default. It is worth mentioning that five of the seven legitimate versions of these services do not even have an application available on Google Play,” highlighted Camilo Gutiérrez Amaya, head of the Research Laboratory at ESET Latin America.
To appear legitimate, the apps ask users to sign in once they are opened. The software accepts any input and always declares it correct. While maintaining the appearance of a real online store, the malicious applications pretend to offer products and services for purchase through an interface similar to that of the original stores.
When it comes time to pay for the purchase, victims are presented with two payment options: they can pay by credit card or by bank transfer.
This is how the attackers obtain their victims’ banking credentials. After choosing the direct transfer option, victims are presented with a fake FPX payment page and are asked to choose a bank from eight Malaysian options and then to enter their credentials. The banks targeted by this malicious campaign are Maybank, Affin Bank, Public Bank Berhad, CIMB Bank, BSN, RHB, Bank Islam Malaysia and Hong Leong Bank.
After victims submit their banking credentials, they receive an error message informing them that the username or password they provided is invalid. By that point the entered credentials have already been sent to the malware operators.
To make sure that the operators behind this campaign can get into their victims’ bank accounts, the fake online store apps also forward any SMS messages the victim receives to the attackers, in case any of them contains the two-factor authentication (2FA) code sent by the bank.
According to the research team, this malware campaign has so far only targeted Malaysia: both the online stores it impersonates and the banks whose customer credentials it steals are Malaysian, and the prices in the apps are displayed in the local currency, the Malaysian ringgit.
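As an added defender-side example (not from ESET’s research or this article), the following Python function statically triages a decoded AndroidManifest.xml for the combination that makes the SMS relay described above possible: SMS permissions, a receiver registered for SMS_RECEIVED, and network access. The two manifests and their package names are constructed for the demonstration; the input is assumed to be the text manifest produced by a decoder such as apktool.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def triage_manifest(manifest_xml: str) -> dict:
    """Flag an app that can read incoming SMS and relay them over the network."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    # Receivers registered for SMS_RECEIVED are how an app sees OTP texts arrive.
    sms_receivers = [
        r.get(ANDROID_NS + "name")
        for r in root.iter("receiver")
        if any(a.get(ANDROID_NS + "name") == SMS_ACTION for a in r.iter("action"))
    ]
    has_internet = "android.permission.INTERNET" in perms
    return {
        "package": root.get("package"),
        "sms_permissions": sorted(perms & SMS_PERMS),
        "sms_receivers": sms_receivers,
        "has_internet": has_internet,
        # A shop or cleaning-service app has no business reading SMS; all three
        # together match the 2FA-relay behaviour described in the campaign.
        "suspicious": bool(perms & SMS_PERMS) and bool(sms_receivers) and has_internet,
    }


# Constructed sample manifests (hypothetical package names, not real samples).
FAKE_STORE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakestore">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Cleaning Store">
    <receiver android:name=".SmsRelay" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_STORE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.store">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Store"/>
</manifest>"""
```

Run `triage_manifest(FAKE_STORE_MANIFEST)` and the benign manifest side by side: only the first reports `suspicious: True`, which is the indicator to escalate for dynamic analysis.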
To protect yourself from these types of threats, you should do the following:
1. Access only legitimate websites. Do not enter through links received or seen on social networks, as you may be redirected to a fake page.
2. Be careful when clicking on ads, and do not follow the paid results offered by search engines, as they may not lead to the official site.
3. Pay attention to the source of the applications you download. Make sure you are actually taken to the Google Play Store when downloading an app.
4. Enable two-step verification whenever possible. This note explains how to do so in detail for email, social networks and other accounts.
Rather than using SMS as the second factor, it is preferable to use codes generated by applications such as Google Authenticator, or physical security keys.
5. Keep the software up to date.
6. Use a security solution.