Over $7,000 lost in malware attack at fake banking portal

A man doing a simple check of his firm's bank account had all its cash cleaned out by malicious software that had infected his computer.

The victim, who wants to be known only as Mr Phua, 35, runs his own business. He lost more than $7,000 within minutes, when malware in his computer redirected him to a legitimate-looking site and asked for his debit card details.

Cybersecurity analysts say malware attacks have grown more sophisticated over the years, making it difficult for users and banks to spot fraud attempts as they occur.

And they warn this latest version, which prompts online-banking users to re-enter personal information on another site, has found its way into Singapore computers.

It asks for data such as debit and credit card details as well as the three-digit security code, information which enables a third party to gain access to one's accounts.

Mr Phua is among the victims of this new approach. He had logged into his OCBC business banking account on Aug 6, sometime after midnight, to check his firm's account balance. But after keying in his username and password, Mr Phua was redirected to another page.

There, he was asked to update his personal information, such as his full debit card details including the three-digit security code at the back of the card - which should have set off warning bells, say cybersecurity experts.

He was also prompted to request and key in a one-time password generated by his security token.

"I thought it was normal," said Mr Phua.

"When I first got my debit card I did something similar to activate the card. But this time it said it was to update my card details."

After he submitted the information, he was logged out of the system and unable to log back in. He then got a number of spam e-mails in his company account - the same e-mail tied to his bank account - and suspected that his account may have been compromised.

Mr Phua said he called the bank's 24-hour hotline but was told nothing could be done as it was after office hours, and that he would have to call the corporate hotline in the morning.

His fears came true when he went to an ATM to check the account balance and found that more than $7,000 had been transferred to an account at a different bank.

Mr Phua is likely a victim of a man-in-the-browser attack, where malware hooks into the browser and manipulates data before it is displayed to the user or sent to the network, said Mr Eugene Teo, senior manager, security response, at software security firm Symantec.

Such malicious software could have got onto the victim's computer when the user opened infected e-mail attachments.

As the malware resides in the victim's computer, it can affect any online banking portal. This is because the malware can track whatever the user is typing and then send that information to the malware hacker, known as a "foister".

When the foister sees that the user is logging into a bank's online banking website, he can intercept the transaction and send the user to a false page, tricking him into disclosing personal information and even one-time passwords.

"Very likely the victim was indeed accessing the bank's official login portal at the beginning, but the phishing page may have directed him to a malicious website afterwards," said Mr David Siah, country general manager of security software firm Trend Micro Singapore.

More than two months later, Mr Phua still has not got his money back. He made a police report and the case is under investigation.

When contacted, OCBC's head of operational risk management Patrick Chew said: "As part of the bank's continuing efforts to educate customers about online security, notices are posted on its Internet banking login page and e-mail advisories are sent to its customers.

"We would like to reassure customers the bank's Internet banking portal remains secured."

The Association of Banks in Singapore said affected customers may recover their losses only when investigations are completed.

Banks and cybersecurity experts say consumers should keep their anti-virus software updated to minimise the risk of a malware infection.

They should be wary when asked to provide sensitive information online, especially for transactions not initiated by them, and when a one-time password is sought.



This article was first published on Oct 18, 2015.