Cyber criminals have been distributing malicious applications disguised as legitimate shopping apps to steal customers’ financial data belonging to eight Malaysian banks. Earlier this week on Wednesday, researchers at Slovak security firm ESET shared new research reporting three separate apps targeting Malaysian customers.
First discovered in November 2021, the malicious campaign began by distributing a fraudulent app pretending to be Maid4u, a legitimate-looking cleaning service brand. The cybercriminals responsible designed a website with an identical name -- a methodology known as typosquatting -- and attempted to trick users into downloading the malicious Maid4u app. To make the website appear legitimate, the attackers even used paid Facebook ads.
Earlier this year in January, MalwareHunterTeam found three other malicious websites employing the same technique, and the campaign is still ongoing. ESET has since spotted another four malicious websites that mimic legitimate cleaning services such as Maid4u, Grabmaid, Maria's Cleaning, Maid4u, YourMaid, Maideasy and MaidACall and a pet store named PetsMore, all of which are aimed at users in Malaysia.
The malicious websites do not provide an option to shop directly through them. Instead, they include buttons that claim to download apps from Google Play. However, clicking these buttons redirect users to rogue servers under the attackers’ control. To succeed, this malicious campaign requires the intended victims to enable the non-default “Install unknown apps” option on their devices.
Subsequently, the victims are presented with payment options, such as credit cards or transferring the required amount from their bank accounts. After choosing the direct transfer option, victims are presented with a fake FPX payment page that lists eight Malaysian banks: Maybank, Affin Bank, Public Bank Berhad, CIMB Bank, BSN, RHB, Bank Islam Malaysia, and Hong Leong Bank.
When users submit their bank credentials, they are sent to the attacker's command-and-control (C2) server. The victim is then shown an error message.
"To make sure the threat actors can get into their victims' bank accounts, the fake e-shop applications also forward all SMS messages received by the victim to the operators in case they contain two-factor authentication (2FA) codes sent by the bank," the ESET researcher Lukáš Štefanko explained.
"While the campaign targets Malaysia exclusively for now, it might expand to other countries and banks later on," Štefanko added. "At this time, the attackers are after banking credentials, but they may also enable the theft of credit card information in the future."