Since 2021, a fake e-shop scam campaign has targeted Southeast Asia, with increased activity observed by CRIL in September 2022, expanding from Malaysia to Vietnam and Myanmar.
Attackers distribute a malicious APK via phishing websites, stealing user credentials through SMS and gaining more control by taking screenshots and utilizing accessibility services on victims’ devices.
New E-Shopping Attack
Cybercriminals initiated the fake e-shop campaign in Malaysia in 2021, posing as cleaning services on social media and persuading victims to contact them via WhatsApp.
The campaign directed users to download malicious APKs from phishing websites, particularly targeting login credentials for Malaysian banks such as Hong Leong, CIMB, Maybank, and others, showcasing an increasing trend of combining social engineering tactics with phishing attacks to pilfer banking information.
Cyble has observed the expansion of a fake e-shop campaign across Southeast Asia, where attackers employ phishing websites disguised as authentic payment gateways to distribute malware.
The malware delivers fake login pages to steal bank credentials, with the campaign targeting HD Bank customers in Vietnam through a website mimicking the bank’s online portal.
The attackers used a command-and-control server to oversee the malicious operation. In Myanmar, the campaign employed a similar tactic, targeting various banks and using a Burmese-language phishing page. Additionally, a new wave of phishing sites targeting Malaysian online shoppers has been detected, mimicking legitimate e-commerce platforms. These sites lack sophistication and offer only basic features, along with fake iOS download buttons.
The malware powering the scam has been updated to include features such as screen sharing and exploiting accessibility services to pilfer user data. The latest version specifically targets 18 Malaysian banks and employs two URLs: one for phishing and control purposes, and another for screen sharing functionalities.
More about this
The eCart malware camouflages itself as a shopping app while its true intent is to pilfer user data. Upon installation, it prompts for accessibility permission to execute automatic clicks and gestures.
It communicates with remote servers to initiate screen sharing and send logs, utilizing the Janus plugin to control gestures and obfuscate strings with Paranoid to hinder analysis.
The malware attempts to replace the default SMS app and to obtain screen capture permission, which supplements its functionality where screen sharing is not feasible due to misconfiguration and hints at its potential for more advanced attacks. The campaign uses fake e-shops showcasing counterfeit products to lure users into logging in, then presents a fake FPX payment page to extract banking credentials for 18 Malaysian banks.
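For defenders triaging APKs from such phishing sites, the capability combination described above (an accessibility service, a bid to become the default SMS handler, and SMS permissions) is visible in the decoded AndroidManifest.xml before the app is ever run. The following is an added example, not Cyble's tooling or code from the malware; the manifest it checks is constructed to mirror the behaviours this page describes, and the risk thresholds are an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permissions an app needs to read or send SMS (used here to intercept bank OTPs).
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS",
                   "android.permission.READ_SMS",
                   "android.permission.SEND_SMS"}

# Constructed sample manifest, decoded from a hypothetical "shopping" APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeshop">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <activity android:name=".ShopActivity"/>
    <service android:name=".Helper"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".SmsRx"
        android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(xml_text: str) -> dict:
    """Flag the accessibility + default-SMS-handler + SMS-permission combination."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    app = root.find("application")
    findings = {"accessibility_service": False, "default_sms_handler": False,
                "sms_permissions": sorted(perms & SMS_PERMISSIONS)}
    if app is not None:
        # An accessibility service must be guarded by BIND_ACCESSIBILITY_SERVICE.
        for svc in app.iter("service"):
            if svc.get(PERMISSION) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
                findings["accessibility_service"] = True
        # Becoming the default SMS app requires handling the SMS_DELIVER broadcast.
        for act in app.iter("action"):
            if act.get(NAME) == "android.provider.Telephony.SMS_DELIVER":
                findings["default_sms_handler"] = True
    score = sum([findings["accessibility_service"], findings["default_sms_handler"],
                 bool(findings["sms_permissions"])])
    # Assumed thresholds: two or more of the three traits warrants escalation.
    findings["risk"] = "high" if score >= 2 else ("review" if score == 1 else "low")
    return findings
```

A shopping app has no legitimate need for any of these three traits, so even a single hit is worth a manual look.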
According to Cyble, the attackers have enhanced their tactics by incorporating screen-sharing capabilities and exploiting accessibility services, indicating a broader target audience and a heightened data theft objective.