New Fake E-Shopping Attack Hijacking Users Banking Credentials


A fake e-shop scam campaign has been targeting Southeast Asia since 2021, as CRIL observed a surge in activity in September 2022, with the campaign expanding from Malaysia to Vietnam and Myanmar. 

The attackers use phishing websites to distribute a malicious APK (Android application package), which steals user credentials through SMS and can now also take screenshots and utilize accessibility services on the victim’s device, giving the attackers more control. 

Cybercriminals have launched a fake e-shop campaign in Malaysia since 2021 by impersonating cleaning services on social media, tricking victims into contacting them via WhatsApp. 

New Fake E-Shopping Attack Hijacking Users Banking Credentials
 TA’s sending phishing site to the victim 

It led users to download malicious APKs through phishing websites.

The malware specifically targeted login credentials for Malaysian banks, including Hong Leong, CIMB, Maybank, and others, demonstrating a growing trend of social engineering tactics combined with phishing attacks to steal banking information.

Document

Run Free ThreatScan on Your Mailbox

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .


A fake e-shop campaign observed by Cyble has been expanding its operations across Southeast Asia, where attackers use phishing websites disguised as legitimate payment gateways to distribute malware. 

New Fake E-Shopping Attack Hijacking Users Banking Credentials
Phishing site involved in fake e-shop campaign to target Vietnam

The malware then delivers fake login pages designed to steal bank credentials; in Vietnam, the campaign targeted HD Bank customers with a website mimicking the bank’s online portal. 

New Fake E-Shopping Attack Hijacking Users Banking Credentials
phishing website used in sample targeting Myanmar 

They also used a command and control server to manage the malicious operation, as in Myanmar, the campaign used a similar tactic but targeted different banks and employed a Burmese language phishing page.  

A new wave of phishing sites targeting Malaysian online shoppers has been identified by mimicking legitimate e-commerce platforms that lack sophistication and offer only basic features and fake iOS download buttons. 

New Fake E-Shopping Attack Hijacking Users Banking Credentials
 Latest phishing site in fake e-shop campaign

The malware behind the scam has also been updated, incorporating features like screen sharing and exploiting accessibility services to steal user data.

The latest version targets 18 Malaysian banks and utilizes two URLs, one for phishing and control and another for screen sharing.  

Technical Details:

eCart malware disguises itself as a shopping app but is designed to steal user data. Upon installation, it requests accessibility permission to perform automatic clicks and gestures. 

New Fake E-Shopping Attack Hijacking Users Banking Credentials
Malware initiating screen capture feature 

It then communicates with remote servers to initiate screen sharing and send logs, utilizing the Janus plugin to control gestures and obfuscate strings with Paranoid to hinder analysis. 

New Fake E-Shopping Attack Hijacking Users Banking Credentials
Admin panel of Remote server

It attempts to replace the default SMS app and gain screen capture permissions where screen sharing wasn’t functional due to misconfiguration; its inclusion suggests the malware’s potential for more sophisticated attacks.  

The malware campaign uses fake e-shops to trick users into logging in with stolen credentials, which then presents fake products and uses a fake FPX payment page to steal banking information from 18 Malaysian banks. 

According to Cyble, the attackers have upped their game by adding screen-sharing and exploiting accessibility services, showing an effort to target a wider audience and steal more data. 

New Fake E-Shopping Attack Hijacking Users Banking Credentials
Fake login and registration pages

They use a phishing email (T1660) containing a malicious e-shop app link (hxxps://www[.]worldshopping-global[.]com/) to gain initial access (TA0027). 

New Fake E-Shopping Attack Hijacking Users Banking Credentials
Payment methods provided by fake e-shop 

Once installed, the malware registers broadcast receivers (T1624.001) to steal incoming SMS messages (T1636.004) and inject inputs (T1516) to potentially mimic user actions.

It also captures screenshots (T1513) using a Janus WebRTC plugin, and exfiltrated data, including SMS messages, is sent to a command and control server (T1646) at hxxps://superbunapp[.]com.  

The attackers also use similar tactics with a fake trading application distributed via a different phishing website (hxxps://ecart-global[.]com). 

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide



Source link