Hackers use fake shopping apps to steal Malaysians' banking data



Since at least November 2021, threat actors have been distributing malicious apps disguised as shopping apps to target customers of eight Malaysian banks.


Cybersecurity firm ESET shared a report detailing how the attacks were carried out: the attackers set up fake but legitimate-looking websites to trick users into downloading the apps.


The copycat websites imitated a pet store called PetsMore, as well as maid services like Maid4u and Grabmaid and cleaning services like Maria's Cleaning, Maid4u, YourMaid, Maideasy and MaidACall.


According to ESET, "threat actors use these fake online store applications to phish for banking credentials." The apps also forward to the malware operators all SMS messages containing two-factor authentication (2FA) codes sent by the victim's bank.




The financial institutions singled out as possible targets are Maybank, Affin Bank, Public Bank Berhad, CIMB Bank, BSN, RHB, Bank Islam Malaysia, and Hong Leong Bank.


The attackers use Facebook ads to promote the websites, which trick users into installing fake Google Play Store apps by directing them to malicious servers the attackers control.




The attack succeeds only if a potential victim enables the "Install unknown apps" option on their mobile device. Even more alarming, there is no Google Play app for five of the most commonly abused services.


Once launched, the apps require users to sign in with their accounts in order to place fictitious orders, and then prompt them to make a money transfer from their bank accounts.


"Direct transfer victims are presented with a fake FPX payment page and asked to select their bank from the eight Malaysian banks provided, and then to enter their credentials," ESET malware researcher Lukáš Štefanko said.


The campaign's ultimate goal is to steal the user's banking credentials and send them to an attacker-controlled server, while displaying an error message saying that the user ID or password entered is invalid.


When bank accounts are protected by two-factor authentication, the fake apps are designed to access and transmit SMS messages received by the users to the remote server.


According to Štefanko, "while the campaign is currently aimed solely at Malaysia, it may expand to other countries and banks in the future." In the short term, the attackers are looking for banking credentials, but in the long term, they may be able to facilitate the theft of credit card information.
