Update: Republished on April 23 with a new report into the massive scale of organized criminal gangs now pushing these threats to your phone.
Your phone, your data and your money are at risk. There is a surge in Chinese attacks against iPhone and Android users in America and Europe, driven by sophisticated platforms designed in China and operated by organized gangs of cyber criminals. With millions of smartphones targeted, you will come under attack. And it all starts with a dangerous message on your phone, per the latest warning of one such attack.
Package delivery and unpaid toll texts have taken most of the headlines, but an even worse threat is proving a nightmare for phone users. This is where a helpful bank or technical support employee reaches out to let you know there’s a problem and to help you fix it. This could be to protect your phone or computer from an attack or to protect your money from an ongoing fraud in real time. We even now have fake police officers and federal agents contacting citizens to solicit payment to avoid arrest.
All these calls are dangerous scams. Every single one of them. As the FBI has warned, no tech support desk or bank or law enforcement official will ever reach out to you for any of these reasons. Do not take or make these calls. And if you receive a text or email that you find worrying, use publicly available channels to find a number or email address for the organization, and contact them directly.
The latest warning from the team at Cleafy is yet more of the same. The new threat is frighteningly sophisticated. “A significant new trend,” it says, “challenging traditional banking institutions, payment institutions, and card issuers [with]
the abuse of Near-Field Communication (NFC) technology.” But the basic principles are the same.
This attack starts with an urgent text or WhatsApp message “impersonating bank security alerts, notifying users of a suspicious outgoing payment. The message prompts potential victims to call a specific number to dispute the transaction.” Once you make that call, you will be tricked into checking your banking app, confirming your PIN and — here’s the novel bit — holding your bank card near your phone so the threat actors can read the details of the card using NFC and then make contactless transactions.
The threat actors, Cleafy explains, “persuade the victim to install a seemingly innocuous application. A link to this malicious app, often disguised as a security tool or a verification utility, is sent via SMS or WhatsApp. Without the victim’s knowledge, this application hides the SuperCard X malware, incorporating the NFC-relay functionality.”
Cleafy explains the manipulation of a victim comes in three parts:
- “PIN Elicitation: Exploiting the victim’s potential anxiety regarding the fraudulent transaction, the TAs convince them to ‘reset’ or ‘verify’ their card. Since victims often do not recall their PIN immediately, the attackers guide them through their mobile banking application to retrieve this sensitive information.
- Card Limit Removal: Once they have gained the victim’s trust and potentially their banking app access (through verbal guidance), the TAs instruct the victim to navigate to the card settings within their banking app and remove any existing spending limits on their debit or credit card. This crucial step maximizes the potential for fraudulent cash-out.
- Malicious Application Installation: Subsequently, the TAs persuade the victim to install a seemingly innocuous application. A link to this malicious app, often disguised as a security tool or a verification utility, is sent via SMS or WhatsApp. Without the victim’s knowledge, this application hides the SuperCard X malware, incorporating the NFC-relay functionality.”
Once your card has been read, the attackers initiate “contactless payments at POS terminals or, more alarmingly, contactless cash withdrawals at ATMs.” We have seen other NFC vulnerabilities exposed, but this remote attack combined with the surge in text scams makes this easily scaleable with no need for physical proximity to victims.
Just as with other scams — including the fake Google emails doing the rounds this week, the key isn’t to dissect the technical cleverness of the attack, albeit it is clever. The key is to ensure smartphone users know never to take or make these calls. Once a scammer has you on the phone, they have a good chance of stealing from you. This is what they do for a living, and they’re often frighteningly good at it. None of the objections you raise will be new to them, they’re well rehearsed. Don’t put yourself at risk.
Your bank will never reach out to you in this way — do not call any of those numbers if you receive any of those messages. It really is as simple as that.While the majority of scams that start with messages use SMS texts, so-called smishing, this latest attack also uses WhatsApp messages to hook victims.
WhatsApp is currently running a campaign to warn users “you always have the option to block unwanted contacts or messages. When you block a contact, you’ll stop receiving calls, messages and Status updates from that person.” The platform is also advising users that they can “also block high volumes of unknown messages,” by going to “Settings > Privacy > Advanced > Block unknown account numbers.”
What this highlights is that WhatsApp isn’t immune from such abuse, albeit it’s much rarer. As a rule, be very wary of any messages from unknown numbers unless you’re expecting the contact and know who it is. What’s also critical is not to click links or open attachments from unknown numbers.
Fortunately, “if someone who isn’t saved to your contacts sends you a link, you won’t be able to tap or click on it to open it,” WhatsApp says. “You can choose to save their phone number to your contacts if you know or trust the person. You should then be able to tap or click any links they send to open it.”
There are also protections built into group messages, given you cvan be added to a group. “When you’re added to a group with people who aren’t saved to your contacts, you’ll need to message the group to tap or click on any links.”
There was further evidence of the sheer scale of the organized criminal gangs behind scam calls on Tuesday, with a United Nations report into the “epidemic” now affecting Asia. Clearly, this continent has its own attacks and its own victims, but Asia in general has become the epicenter for those designing and developing the attacks elsewhere.
The UN’s Office on Drugs and Crime (UNODC) warned these “transnational organized crime groups in Asia which carry out these types of scams are expanding their operations deeper into the region and far beyond.”
Per The Register, “Scam call centers are metastasizing worldwide “like a cancer,” according to the UN, which warns the epidemic has reached a global inflection point as syndicates scale up and spread out. Recent crackdowns in East and Southeast Asia – where scam centers took root at industrial scale – have coincided with organized criminal groups (OCGs) shifting operations to more permissive regions.”
In December, the UN adopted a new cybercrime treaty, with its Convention against Cybercrime acknowledging “the significant risks posed by the misuse of information and communications technologies (ICT), which enable criminal activities on an unprecedented scale, speed, and scope.”
The scourge of unpaid toll messages plaguing America has its origins in China, with Chinese phishing kits and criminals driving the scam state to state. This includes the likes of Smishing Triad, which is responsible for many of the phishing kits used and which — as I reported earlier in in the month — is now turning from undelivered packages and unpaid tolls to banking, where it will mimic U.S. banks to target their customers in scams moving money to their own accounts.
SlashNext’s J Stephen Kowski told me these Chinese gangs “have evolved from targeting toll road and shipping customers to directly attacking international financial institutions, using sophisticated smishing techniques that bypass traditional security measures. These attackers are enjoying remarkable success converting phished payment card data into mobile wallets from Apple and Google.”
“Previous UN reports,” The Register says, “flagged growing activity in regions like South America and the Middle East. The latest update expands that scope, citing overseas crackdowns and evidence of scam operations tied to Southeast Asian crime syndicates in Africa, South Asia, select Pacific islands, and links to related criminal services—such as laundering and recruitment—as far as Europe, North America, and beyond.”
Threat Stop warns “we’ve long known that the group referred to as Smishing Triad has been operating on a massive scale, rotating thousands of malicious domains and spoofing major brands worldwide.” This follows a report from Silent Push outlining how the gang’s fake messaging now targets users in more than 120 countries and operates tens of thousands of domains, with frightening implications for what comes next.
