Victim loses over $20k from credit card and bank accounts after downloading third-party app

HarborFront

Level 72
Thread author
Verified
Top Poster
Content Creator
Oct 9, 2016
6,124
A food delivery order that was supposed to cost $58 ended up costing Ms Lim (not her real name) over $20,000 after scammers took control of her Android phone and banking details remotely.

Ms Lim, 54, lost almost $20,500 from a credit card account and two DBS savings accounts in hours after she clicked on a link to download a third-party app, following which scammers then increased her credit limits and siphoned out all her money.

She had been looking for healthy tingkat (tiffin) meal delivery options for her elderly parents, and on July 26, she made an inquiry after seeing a Facebook ad from a company called Healthy Box.

The ad appeared to be from local caterer Grain, whom she had ordered from before. Hence, she was not suspicious.

She contacted the poster of the advertisement via Facebook messenger, after which the conversation continued on WhatsApp at around noon that day.

After the person confirmed they were from Grain, they sent her a link via WhatsApp to download an app – one that she had not used before – to make the order. She then installed the app, which she said looked exactly like the mobile-enabled version of Grain’s site.

When asked to make payment of $58 via PayNow to another number, she received a message saying that the vendor had not installed PayNow and that she could send the vendor a link to do so.

She then messaged the person to inform them that their PayNow was not working and asked them to check on it, but did not receive a reply.
Ms Lim, who works in events and marketing, went back to her online meetings. About 90 minutes later, when taking a lunch break, she noticed that her phone felt “burning hot”.
When she switched it on, the phone showed a blank screen and it had automatically performed a factory reset. Not suspecting anything, she followed the sequence to reset the phone and set it up again, as one would with a new phone.

Later that day, when she attempted to use her ATM card to withdraw money at around 6pm, she realised that her bank balance was zero.
She called the DBS customer service hotline, and an officer confirmed that $20,493.87 had been transferred out of her account.
A few days later, she went to the DBS headquarters in Marina Bay, where a customer service officer uncovered some of what had transpired.


First, the credit limit on her DBS Everyday credit card had been increased from $14,500 to $18,500. A total of $17,850 was transferred from the credit card account to her POSB Savings account. Another $1,553 was also transferred to this POSB account from a third account she owns, a DBS Savings account.

Through Internet banking, the total amount of $20,493.87 – she is unsure where the additional amount of $1090.87 came from – was then transferred from her POSB account to three different Standard Chartered accounts in the amounts of $6,281.40, $6,258.95 and $7,953.52.

“It’s very scary... how did (the scammers) manage to increase my credit limit without any verification?” asked Ms Lim, who also questioned how there were so many large transactions made without any notifications sent to her.

A week later, on Aug 2, she received a letter from DBS – dated July 26 – informing her that her request for a credit limit increase on July 26 had been approved.
She said: “I’m very shocked... when you try and increase your withdrawal or credit limit, they ask you so many questions, so why weren’t any questions asked of that person (who made all the transactions)?”.

Ms Lim made a police report on July 26. Catering company Grain also made a police report on July 27 about scammers mimicking its mobile application. Police have told The Straits Times that investigations are ongoing.

After her savings were wiped out, Ms Lim said she is unable to meet the payment deadlines set by the bank for her credit card bill.

The last message from the bank asked for an interest payment of $4,075, which has to be paid by Aug 12.

“We have nothing in the bank, we have nothing to return,” said Ms Lim as she choked up in tears.

Modus operandi of scammers​

The police said the victims fell prey to these scams after responding to advertisements on social media platforms, where scammers would instruct them to download Android Package Kit files from third-party app stores in order to make purchases.

Instead of a legitimate app, however, malware would be installed on their phones, with scammers urging the victims to enable accessibility services on their devices.

In doing so, their phones became vulnerable and this allowed scammers to take full control of the devices, including enabling them to record every keystroke and steal banking credentials stored on the phone.

The scammers could then remotely log in to victims’ banking apps, add money mules as payees, raise payment limits, and transfer money. They could also erase their tracks by deleting SMS and e-mail notifications that the banks issued.

In a joint advisory on Tuesday, the police and the Cyber Security Agency of Singapore highlighted the “increasingly sophisticated tactics” that scammers use to steal sensitive information from people’s Android devices.

They said that the openness of the Android operating platform – which allows for greater flexibility and customisation for developers and users – makes it an appealing platform for scammers.

“Users of Android devices are advised to be aware of the potential risks and to follow the best practices to safeguard their devices,” the joint statement said.

Banks stepping up security features​

Banks have also been stepping up security features, having acknowledged that scammers are deploying increasingly sophisticated tactics.

Last week, Android phone users with the OCBC digital app received a security update designed to protect customers from malware. Users who had downloaded apps from other portals instead of an official store found that they were unable to access their OCBC online banking services. They would need to delete these apps to be able to use OCBC app banking services again.

MAS explained: “Security measures will come with some measure of added inconvenience for customers, but they are necessary to maintain security of and confidence in digital banking.”

Last week, Mrs Ong-Ang Ai Boon, director of the Association of Banks in Singapore, warned that “in general, consumers who do not take the necessary precautions will be expected to bear the losses arising from malware scams”.
 
Last edited by a moderator:

HarborFront

Level 72
Thread author
Verified
Top Poster
Content Creator
Oct 9, 2016
6,124
IMO, the best practical protection and prevention is to have 2 phones.

One for general use and you can install anything you want.

The other is specifically for online financial use. Here, you only install banking apps and no other apps. Also, install a reputable AV with strong scam and fraud protection as well. Go online only when you need to do financial transaction otherwise turn off the phone
 

TairikuOkami

Level 37
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,614
Banks have also been stepping up security features, having acknowledged that scammers are deploying increasingly sophisticated tactics.
Some of my banking apps notify me, if there is an app with a background monitoring access like MS Launcher and advice me not to run it. I believe something like that happened to her.
“It’s very scary... how did (the scammers) manage to increase my credit limit without any verification?”
Every customer has pre-approved limit based on his credit score, so it is like 2 clicks away and can be approved in minutes. The verification is needed only if you want go above it.
IMO, the best practical protection and prevention is to have 2 phones. One for general use and you can install anything you want. The other is specifically for online financial use.
True, but security is not really convenient. I do shopping during free time at work to save time at home, not to mention that I block Google at home, so it is easier on android. 😅
MAS explained: “Security measures will come with some measure of added inconvenience for customers, but they are necessary to maintain security of and confidence in digital banking.”
Yeah, like when I have to allow every online card payment in the app, it is annoying as hell, but I guess it is a necessary "evil". When will Tesla finally allow us to implant those chips?!
 

Ink

Administrator
Verified
Jan 8, 2011
22,490
IMO, the best practical protection and prevention is to have 2 phones.

One for general use and you can install anything you want.

The other is specifically for online financial use. Here, you only install banking apps and no other apps. Also, install a reputable AV with strong scam and fraud protection as well. Go online only when you need to do financial transaction otherwise turn off the phone
Not an affordable option.

There’s too much to unpack, so I’ll it is short and simple:
  • Many of best performing phones on the marketing costing more than $800.
  • Owning 2 SIM cards incur extra charges for calls/text/data allowances.
  • It’s better to not download unknown apps from unknown sources, from strangers on the Internet.
  • The dark side of Advertising = dangerous tools used by malicious actors.
 

simmerskool

Level 35
Verified
Top Poster
Well-known
Apr 16, 2017
2,457
"consumers who do not take the necessary precautions will be expected to bear the losses arising from malware scams”

What or who decides what is a "necessary precaution" :unsure: I think there's a good argument her bank or credit card company did not take the necessary precautions. She should be able to recover the funds that were stolen (at least in some or many jurisdictions) IMO fwiw... | short story, someone "scammed" $8000 USD from my brother's bank account, and he does not own a computer or a smart phone! -- the bank paid and put it back. Perhaps different facts, but... you should be "protected" from intentional acts of thieves, again IMO.
 

HarborFront

Level 72
Thread author
Verified
Top Poster
Content Creator
Oct 9, 2016
6,124
Not an affordable option.

There’s too much to unpack, so I’ll it is short and simple:
  • Many of best performing phones on the marketing costing more than $800.
  • Owning 2 SIM cards incur extra charges for calls/text/data allowances.
  • It’s better to not download unknown apps from unknown sources, from strangers on the Internet.
  • The dark side of Advertising = dangerous tools used by malicious actors.

If your bank account has 5, 6, 7 or more digits what's having 2 handphones and 2 SIM cards? Having 2 hps is quite common nowadays.......some even carry 3.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top