Friday 29 Mar 2024
This article first appeared in Digital Edge, The Edge Malaysia Weekly on October 10, 2022 - October 16, 2022

In the 1990s, when cybercafés were a booming business and most people were starting to have regular access to the internet, an email commonly found in most inboxes was from a Nigerian prince, claiming that in order to smuggle a large sum of money out of his country, he needed your help to transfer some money to another account. In return, you were promised a generous kickback.

We can laugh about the absurdity of this financial scam today but in reality, a large number of people are still falling for it, becoming prime targets for cybercriminals. In 2018, Americans lost US$703,000 to these types of fraud, according to a report by ADT Security Services, which added that the Nigerian letter-style scams have cost victims an average of US$2,133.

Nearly three decades on, these scams have grown in sophistication. Most Malaysians are accustomed to receiving messages from people claiming to be employees of a large company such as Amazon or Shopee and offering part-time jobs with salaries that are too good to be true. While some scams are targeted at a certain age group, this scam has reached Malaysians of all ages.

Inspector-General of Police Tan Sri Acryl Sani Abdullah Sani was quoted in the news as saying that a total of 12,092 online fraud cases with losses amounting to RM414.8 million were reported from January to July this year, reaching a new peak.

Cybercrime has been on the rise in Malaysia. There were 13,703 cases amounting to RM539 million in losses reported in 2019, followed by 17,227 cases with losses of RM511.2 million in 2020, and 20,701 cases with losses of RM560.8 million in 2021.

Bank Negara Malaysia has taken a stern stance on the matter, ordering financial institutions to migrate from the one-time password (OTP) system to more secure forms of authentication for online transactions, as part of efforts to curb online scams.

Based on cases managed by the Bukit Aman Commercial Crime Investigation Department, there are seven main forms of cyberfraud: online purchase, non-existent loan, online investment, Macau scam, African scam, business email compromise (BEC) and SMS fraud.

Social engineering is the most common approach adopted by cybercriminals these days, as the return on investment is usually the highest compared to other more complicated techniques, says Arthur Ng, Malaysia country manager for cybersecurity solutions provider Check Point Software Technologies. It has a lower barrier to entry as less technical skills are required of the perpetrator.

With the prevalence of online gaming platforms, Ng says things like game subscription passes and in-game purchases have been inadvertently linked to online payment systems, giving malware an avenue to perform malicious actions. When game credits are linked to real-world cash, personal information such as credit card details and identification data could be stolen, and gamers become more susceptible to online scams.

“Phishing attacks are most widely used to gain the trust of gamers, be it via an email, web phishing or even ‘smishing’ (SMS phishing),” he says.

“As mobile gaming is booming these days, more sophisticated attacks are being introduced to target mobile devices. The current mobile malware landscape is a minefield with more vulnerabilities being exploited and spyware software being deployed through the mobile application stores.

“Notorious examples such as the Pegasus and Predator spyware top the list. These ‘zero-click attacks’, as the name suggests, are attacks requiring no input from the victim before deploying malware by exploiting vulnerabilities in already installed apps, and these are being seen globally.”

Enterprises are not spared as well. Oluwaseun Medayedupin, who was arrested by the Nigerian police in Lagos in November 2021, had pursued “disgruntled employees” from US companies, pushing them to release ransomware in internal enterprise servers. He had sent out phishing emails for this operation, promising accomplices US$1 million in Bitcoin, or a 40% cut of the total earnings.

The most recent attack was seen on Australian telecommunications giant Optus, where data of up to 10 million customers — including home addresses, drivers’ licences and passport numbers — had been compromised in one of Australia’s biggest data breaches.

Cybersecurity company Palo Alto Networks has set up a division called Unit 42 to stay ahead of cybercriminals but the reality is that as technology becomes more advanced, cybercriminals are becoming more sophisticated with their attacks and hacking tactics.

Unit 42 is a team of security consultants who manage complex cyber risks and respond to advanced threats, including nation-state attacks, advanced persistent threats and complete ransomware investigations.

“It’s a cat and mouse game. When cybercriminals see tech developing and are able to detect the use of deep tech, they find ways to bypass certain traditional technologies,” says Vicky Ray, principal of Unit 42 threat intelligence, Asia-Pacific and Japan at Palo Alto Networks.

“In my opinion, anti-viruses are dead, unless certain anti-viruses are built with the security level of the next generation. This is where we talk about a transition from anti-viruses to endpoint detection and response (EDR) and extended detection and response (XDR).”

EDR and XDR security solutions provide endpoint protection as well as threat detection, investigation and response by using threat intelligence and data analytics to automate security operations.

A decade ago, cybercriminals would hack an enterprise’s system and send out emails with a phishing link to lure victims, but that is not the case anymore, says Ray. The transition to more sophisticated scams took a while to develop but now, data and access to companies’ servers are readily available on the dark web.

This means a lot less work for cybercriminals, he adds, as it has become a big cybercriminal business ecosystem where some groups are providing access to other groups.

“If one becomes a BEC criminal or a ransomware gang affiliate, all they would need to do is to go to the dark web or some underground forums and see who’s selling what data or technologies, with some selling access to networks of enterprises,” says Ray.

“This means cybercriminals don’t have to hack into the networks themselves. They just need to take the information or expertise from other players who have already hacked into the systems and have maintained access. So the sophistication, of course, has advanced, in a way.”

Globally, 2,566 organisations’ data was leaked on the dark web this year, an 85% increase from last year. Ray says organisations need to be constantly alert to understand the capabilities of cybercriminals in attacking individuals and organisations alike, making sure that the technologies developed can identify and prevent these attacks.

“We are building things that are able to thwart whatever tech these cybercriminals are building. We are also keeping track of them, so we have a good understanding of how this is transitioning, what kind of tools they are using to attack and what are the tools that are supposedly hard to bypass, and we are working hard to ensure that those tools are detected wherever they are used,” says Ray.

‘Hi, would you like a part-time job?’

Shopee Malaysia has been misused as a popular bait by cybercriminals to offer people flexible part-time jobs with high salaries. Shopee has carried out constant awareness campaigns, informing the general public that the company would never reach out via WhatsApp or SMS to offer jobs.

Some scammers have taken these Shopee scams to a new level by adding phishing links to get people to click on them. Some have also impersonated Shopee agents in an attempt to seem legitimate.

The latest trend is the use of links to get users to download an Android Package Kit (APK), which is more dangerous, said Zurkarnain Mohd Yasin, chief regulatory officer at Malaysian Communications and Multimedia Commission (MCMC), at Shopee Malaysia’s Celik Jenayah Siber online forum in July.

APK is the file format for applications on the Android operating system. Apps that are not available on the device’s app store can be installed by downloading an APK directly (known as sideloading), although the operating system warns against it.

Zurkarnain said cybercriminals target a device to hack a person’s WhatsApp account and send an APK link to take over a person’s device, which is worryingly easy.

“This is why whenever someone asks to ‘PM tepi’ (message privately), be wary because that’s when the scammers will send the APK link. Most of the time, it’s said to be a link to register for investments or jobs, but in reality it’s just a means to collect a person’s information.

“Sometimes when we click on the link, it will ask for permission to access information on the device, and if we’re not sure what we’re clicking, it is very dangerous because the person on the other side can steal our identities and start asking our families and friends for money.”

Zurkarnain added that granting access to a device will also allow cybercriminals to access other content, like photos and apps, which they can use as a means to threaten the victim. “These scammers exploit our vulnerabilities and human emotions, in the hope that the victims would succumb to it.”
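An added example (not from the article or any of the organisations quoted in it) of the check an analyst would run on a sideloaded APK such as the job-scam links described above, before the permission prompts Zurkarnain mentions are ever accepted: it parses the app’s AndroidManifest.xml and flags the SMS-plus-overlay-plus-accessibility permission profile typical of the Android banking stealers discussed later in this article. It assumes the manifest has already been decoded to plain XML (for example with apktool); the manifest below is constructed for illustration and the package name is invented.

```python
"""Permission triage of a decoded AndroidManifest.xml from a sideloaded APK.
Added example; the sample manifest is constructed, not from any real app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = "{%s}name" % ANDROID_NS
ATTR_PERMISSION = "{%s}permission" % ANDROID_NS

# Permissions that let an app read or act on sensitive data on their own.
HIGH_RISK = {
    "android.permission.READ_SMS",                 # read OTPs delivered by SMS
    "android.permission.RECEIVE_SMS",              # intercept OTPs as they arrive
    "android.permission.READ_CONTACTS",            # harvest family/friends to target
    "android.permission.SYSTEM_ALERT_WINDOW",      # draw overlays on banking apps
    "android.permission.REQUEST_INSTALL_PACKAGES", # drop further APKs
}
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
# A service bound with this permission can read screen content and tap buttons.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def requested_permissions(manifest_xml):
    """Return the set of <uses-permission> names declared anywhere in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {n.get(ATTR_NAME) for n in root.iter("uses-permission") if n.get(ATTR_NAME)}


def accessibility_services(manifest_xml):
    """Return names of services that request to be bound as accessibility services."""
    root = ET.fromstring(manifest_xml)
    return [s.get(ATTR_NAME, "?") for s in root.iter("service")
            if s.get(ATTR_PERMISSION) == ACCESSIBILITY_PERMISSION]


def triage(manifest_xml):
    """Score the manifest: 'suspicious' for the stealer profile, 'review' for any
    single high-risk capability, 'low' otherwise."""
    perms = requested_permissions(manifest_xml)
    risky = sorted(perms & HIGH_RISK)
    a11y = accessibility_services(manifest_xml)
    sms = bool(perms & SMS_PERMS)
    overlay = "android.permission.SYSTEM_ALERT_WINDOW" in perms
    if sms and (overlay or a11y):       # OTP theft plus screen control/overlay
        verdict = "suspicious"
    elif risky or a11y:
        verdict = "review"
    else:
        verdict = "low"
    return {"risky_permissions": risky, "accessibility_services": a11y, "verdict": verdict}


# Constructed manifest resembling a "part-time job" app delivered by APK link.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.parttimejobs">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Part-Time Jobs">
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```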

MCMC has three main roles, said Zurkarnain, one of which is to prevent these scams from happening by blocking websites or mobile applications that are fishy. The commission can also take regulatory action and cancel a telephone number’s registration.

“To date, 1.3 million suspicious prepaid mobile numbers have been taken down. When we carry out audits, we know that these phone numbers were used to carry out crimes such as scams or online gambling,” he continued.

At a technical level, Zurkarnain said MCMC is developing the industry’s interface to block overseas calls, like the ones used for Macau scams. To date, it has blocked 1.6 billion calls at the network level from entering the country.

“However, despite all the preventive and defensive measures from the aspect of law and regulation, scammers can still overcome these hurdles and are still ahead, even after we have intervened.

“They know how to manipulate the system and find ways to reach users and victims, whether it’s via calls, SMS or WhatsApp, so we all need to stay vigilant against these kinds of interactions.”

Shopee has also reiterated that it does not use third parties or agents to hire new workers via SMS. It also would not ask applicants to deposit money to join the company, and people can call its customer service if they want to report an incident.

Don’t be an ‘ass’

Following the same concept as drug mules, mule bank accounts typically belong to a middle person and are used by scammers as decoy accounts to pass money through, so that the scammers themselves evade detection.

Scammers typically would ask people to rent their accounts for a fee. The scammers would then get a scam victim to transfer funds to the mule account, after which it would be immediately transferred out to other accounts belonging to the scammer. In the event the victim reports the account, the unsuspecting middle person would be penalised.

Mule accounts are illegal in Malaysia. Hasjun Hashim, head of Bank Negara’s Pulau Pinang branch, shared during Shopee’s forum that scammers are sly when it comes to finding ways to go undetected as the use of their own account would lead the authorities to the entire scam syndicate, thwarting their operations.

The primary targets for mule bank accounts are students, as they need the money and do not know the repercussions of renting out their bank accounts. “As the account owner, we are subject to the terms and conditions and we should know what is happening in our accounts. Bank Negara and banks have tightened the rules to open an account, asking for relevant documentation to do so,” said Hasjun.

What is even more concerning is that there are instances where a person’s account has been used as a mule account without their knowledge. This is common for loan scams, said Hasjun, where the scammers play on victims’ vulnerabilities and force them to surrender their ATM cards in return for a monetary loan.

“If the victim doesn’t have an account with an ATM card, the scammers would usually ask them to set up an account in order to receive the payment,” she said.

Hoping to prevent others from being duped, the police have come up with the Semak Mule website, listing accounts that are used for dodgy activities. Hasjun said if anyone is unsure about transferring money to someone else, use the website to check if the account has been flagged for any reason.

Incognito syphoning of gaming data

Gaming is one of the world’s largest entertainment industries today, with hundreds of thousands of new accounts being created and new communities born. Southeast Asia was said to have 250 million mobile online gamers last year, and the figure is set to grow. The region is also one of the fastest growing gaming markets, generating US$4.4 billion worth of game revenue in 2019, with mobile gaming accounting for just over 70% of the revenue.

Gaming is one of the major targets of cybercriminals because gamers often hand over as much personal information to gaming companies as they would to their employers, banks or e-commerce platforms. CD Projekt Red, Electronic Arts and Ubisoft are but some gaming behemoths that have fallen victim to cyberattacks.

Cybercriminals tend to target gamers to steal their virtual assets to sell for real-world money, to appropriate games from their inventory, and to gain as much information about gamers as possible for identity theft and bank fraud.

Many games are published, sold and authenticated online via platforms such as Steam, Origin and GOG Galaxy. Major vulnerabilities have been reported in the popular Valve games networking library, which if exploited could take over hundreds of thousands of computers without needing users to click on phishing emails, as the victims would become vulnerable simply by logging on to a game.

Gamers typically manage all of their purchases from a single account, and long-term users are known to have libraries with hundreds of games. Cybercriminals will sometimes hack into these accounts to steal some of the games for their own use.

Such attacks, which originate from the gaming applications or platforms themselves rather than from anything the gamer does, are termed supply-chain attacks, says Check Point’s Ng. They have also occurred outside the gaming industry.

Gaming companies need to consider their cybersecurity strategy seriously, especially when gamers’ sensitive personal or payment information is involved, he adds. Gamers have limited visibility in these areas, hence they should take the necessary precautions and only install or transact over reputable applications.

“Other means gamers can use to protect themselves include leveraging endpoint protection on mobile devices using mobile threat defence applications (MTD), which is just as important as the anti-virus and EDR tools on a personal computer,” says Ng.

MTD is a sophisticated, dynamic protection against cyberthreats targeting mobile devices. With MTD, protection is applied to devices, networks and applications, and would help gamers prevent phishing attacks as well as rogue application installations on their mobile devices.

Many users tend to turn to application stores to help keep their devices secure. Unfortunately, there are apps that claim to help manage security risks but actually contain malware themselves, says Ng.

Even though established and legitimate stores such as Google Play Store and Apple App Store set high security standards for new application provisioning, resourceful cybercriminals continually try to bypass these security measures. Ng says threat actors are evolving and constantly seeking ways to inject and drop malware by any means possible, including disguising themselves as legitimate “official” apps.

“Check Point researchers recently analysed suspicious applications on the Google Play Store and found a few of them masquerading as genuine anti-virus solutions. In reality, once downloaded, the apps would install an Android Stealer called ‘SharkBot’, which steals credentials and banking information.

“In February 2022, an Android banking Trojan called ‘Xenomorph’ was spotted lurking behind a fake productivity application on the Google Play Store. There were over 50,000 downloads,” he adds.

Here’s where mobile threat defence solutions are handy. One of Check Point’s solutions for consumers and corporates uses real-time threat intelligence to actively guard against zero-day phishing campaigns, and URL filtering to block access to known malicious websites from any browser. It also enforces conditional access, ensuring that if any device becomes infected, it is unable to access corporate applications and data.

The dark business of being a smooth criminal

The dark web is where the cybercriminal business thrives. Palo Alto’s Ray says that the criminal business ecosystem on the dark web is a proper one, where professionalism is upheld.

Notwithstanding the irony, ransomware gangs are very professional yet assertive when negotiating ransom payments or sharing assets with other criminals, he adds.

The cybercriminals that are present in this ecosystem mostly target organisations or governments as these are the more profitable sectors where they can earn millions of dollars through one ransom.

“A lot of scams that you see are about stealing people’s data. Many of us wonder, ‘How profitable can my data be? It’s just an email address, IC number or passport number.’ But this is a major misconception because the dark web sells thousands of data at a high price and with that data, scammers can commit other fraud, be it tax or property fraud, among others,” says Ray.

“Even passport scans are valuable. When we go to hotels and give our passports [to be scanned at check-in], these hotels can be a target to syphon the passport data. Some of these hotels don’t secure their personally identifiable information (PII) data, resulting in the passport scans being stolen and sold.

“There are services where people actually offer fake passports to other criminals. It is a chain reaction, how the data of a single person, maybe in Eastern Europe or even in Asean, can be abused by these malicious actors.”

Clamping down on cross-border scams a difficult feat

There are also instances where people get calls or messages from foreign phone numbers, mostly via WhatsApp. In these instances, MCMC’s Zurkarnain said a telecommunications company may have already cut the phone line and blacklisted it, but it can still be used to operate a WhatsApp account.

“We don’t have control over foreign numbers. What we at MCMC do is report the number to the respective tech company, and in this case of WhatsApp, it’s to Meta, that a phone number is being used for scams. But from a law jurisdiction perspective, that’s as much as we can do,” he said.

“We can only hope for good cooperation with these companies.”

In neighbouring countries, there are cases where scammers impersonate the authorities as a means to intimidate and subsequently, scam funds from potential victims. In these cases, the scammer would dress up, for example, as a police officer and video call unsuspecting victims.

While such unscrupulous tactics have yet to pick up pace in Malaysia, the authorities are on their guard and are prepared to circumvent these types of scams.

Palo Alto’s Ray says a public-private partnership is important to thwart scammers, as private companies such as Palo Alto have the intelligence while the authorities, such as Interpol, have the power to take down criminals and enforce the laws.

“There are times that we have also coordinated with national law enforcement agencies directly because we have a relationship with them. Once we give all the intelligence to the law enforcement agencies, it is in their hands to handle the case based on their local cyber laws,” he says.

“Some of the action may take time because there may be a need to build a case before arresting a culprit or taking them to court.”

The differences in cyber laws in each country can be a hindrance to taking down cybercriminals. Policies such as the Budapest Convention are trying to solve the complexities of global cyber law standards, but not all countries are a part of it.

Some countries’ cyber laws are mature, while others are not. In cases where the laws are not mature enough, it can result in cybercriminals slipping through the cracks. “There have been cases where we had worked with law enforcement agencies who had arrested the culprit, but because the cyber laws were not mature enough, he was let go with a warning,” Ray explains.

This is why cyber laws have to be on a par with the growing sophistication of cybercriminals. A lot of governments in this region, including Malaysia, are putting in resources to understand this.

The lack of reports of cyber breaches is also a challenge, says Ray. Most organisations do not report a cyberattack to avoid any implications or loss of goodwill and reputation. However, most mature economies have a mandate for companies to report a breach immediately.

But at the same time, companies that have already been victims of cyberattacks should not be further victimised. “If a company openly says that it has been breached, we need to celebrate that action because it is becoming a role model for the industry,” says Ray.

“It’s important for organisations to change their mindset and come forward when a breach happens. If there were more breach reporting, then there would be more understanding of what’s happening on the other side, which means that there would be better outcomes to circumvent future attacks.”
