I recently wrote a diary on the SANS Internet Storm Center about the evolving nature of digital scams.

The full diary entry is available on the SANS Internet Storm Center site and is reposted in full below.

Considering the global turbulence from destabilizing events such as physical conflicts, freak weather and pandemics, financial wealth has never been more critical for a nation and its citizens so that daily life can continue. Money is needed for daily necessities such as food, medication, appropriate clothing and fuel. When faced with unexpected events such as retrenchment or newly detected health issues, citizens also have to tap into the monetary buffer that should have been built up during less challenging times. Considering the current state of international affairs and employment prospects, one potential way to disrupt a nation’s peace and stability could be to steal its citizens’ monetary savings via financial scams and fraud.

Unlike conventional cyber-attacks such as phishing, where adversaries aim to harvest credentials to gain access to accounts, digital scams bypass credential harvesting altogether and instead attempt to convince the victim to authenticate and part with their assets directly. A multitude of factors could explain this shift. For example, end users have become savvier about phishing attacks and have stopped interacting with messages that try to masquerade as a well-known entity (e.g. shipping companies or social media sites). Applications could also have implemented additional security controls such as two-factor authentication (2FA), preventing adversaries from directly using stolen credentials to authenticate with the target application. The main issue is that adversaries will employ whatever means work to wire away a victim’s hard-earned money, and will keep doing so for as long as these tactics remain successful.

There have been a few notable case studies where adversaries do not simply send phishing messages but also prey on victims’ psychological weaknesses and informational blind spots. I was made aware of such an incident that was reported to me privately about 60 hours ago, where an adversary attempted to masquerade as a charitable organization. In this particular incident, the charitable organization had a legitimate and actual event that had been scheduled. There were also corresponding marketing materials with Quick Response (QR) codes embedded in the posters. Participants could register for the event by donating any amount via the QR code (using the local Singapore QR code payment system) and sending the receipt to a number shown on the poster. Most event details were correct; even the e-mail address shown was legitimate. However, upon closer inspection and after some analysis, it was determined that the actual event had already been held, and the QR code used for payments pointed to an account not affiliated with the charitable organization. Meanwhile, the “semi-fictitious” event had been circulated via popular messaging platforms such as Telegram. It is unclear whether anyone made any payments to the monetary account that the scammer set up, but the original message had been removed.

Another recent attack that led to victims losing their money was the installation of third-party mobile applications that were not downloaded from legitimate and trusted mobile application stores. For example, in this unfortunate incident, the victim was left with only about US$2.95 (S$4) in the bank account after unknowingly installing a purported update to a mobile application [1]. The Federal Bureau of Investigation (FBI) also issued a Public Service Announcement (PSA) about cyber criminals targeting victims through mobile beta-testing applications, which could lead to monetary losses [2]. This was also highlighted in the Wednesday, August 16th 2023, SANS Internet Storm Center Stormcast [3].

Security controls can only do so much in preventing such unfortunate incidents. Due to financial challenges, not everyone can afford the latest phones, which may come with a promise of ongoing security support. Depending on the vendor, certain phones may not even receive timely security patches, and adversaries could tap into those vulnerabilities to perpetuate their digital scams. The weakness could also be user-induced, through the removal of security controls designed to secure phones (e.g. rooting for Android or jail-breaking for iOS). There is room for research on possible ways to disrupt and deny adversaries who perpetuate such digital scams while factoring in current technical limitations and scenarios. However, even without any technological implementation, awareness of these digital scams is paramount as a first step towards foiling such attacks. While such attack techniques may seem trivial to cybersecurity professionals who are aware of these dangers, other individuals may not fully understand the potential dangers of such digital scams. It would be worthwhile to consider having conversations about, and raising awareness of, these digital scams in your organization and among friends and families.

1. https://www.asiaone.com/singapore/only-4-left-single-mum-loses-28k-after-phone-gets-hacked-realises-she-has-2-chromes
2. https://www.ic3.gov/Media/Y2023/PSA230814
3. https://isc.sans.edu/podcastdetail.html?podcastid=8618
