QuickCheck: Are scammers using a cleaning services app to wipe out victims' bank accounts?


SCAMMERS are emptying the bank accounts of hapless victims who are just looking for help cleaning their houses.

Is this true?

Verdict:

TRUE

A recent exclusive by The Star shows that scammers have been gaining access to victims' bank accounts through a combination of social engineering and malware.

Victims who are looking for part-time cleaners online are being duped into downloading an app that acts as a trojan horse to steal their banking details.

The Star found a few web pages offering “discounts on cleaning services” which turned out to be nothing but a front for scammers.

Victims who contact the "service providers" after stumbling upon the sites online are sent a link with a request to install an Android package App (APK).

APKs are files used by the Android operating system and other Android-based operating systems (such as Huawei's HarmonyOS) for the distribution and installation of mobile apps and games.

After downloading the APK, the victim essentially has installed a trojan horse on their device that gives the scammers access to certain applications on it such as the SMS service.

This enables the scammers to obtain the Transaction Authorisation Code (TAC) and other information when users pay for bookings via the app, and to siphon money from the victims’ bank accounts.

The fake ads are also being served on social media, one victim found out.

Muhammad Nor Izzudin Hamzah, 32, told The Star that he lost nearly RM19,000 on April 23.

"I saw an advertisement on Facebook. My mistake was installing the APK and their app. I didn’t know my username and password were stolen when I made a booking.

"The scammer’s site looked exactly like the website of the bank that I used. The APK and app that I installed had malware that enabled them to access my TAC messages.

"I only realised what had happened when I received a notification from my bank," said the insurance agent.

Police are aware of such scams and even warned the public in February that crime syndicates were using the popular messaging service WhatsApp to target the unsuspecting.

According to Federal Commercial Crime Investigation Department (CCID) director Comm Datuk Mohd Kamarudin Md Din, the scammers were using the same tactic of getting victims to download malware onto their devices.

"The application will then take over the buyer’s existing SMS system, and the buyer has to register and fill in personal and banking details before they can use the application.

"After pressing the ‘send’ button, an error message will be shown as the application is not linked to any legitimate banking sites," he said in a press conference on Feb 10.

"With enough information, the scammers can transfer money from the buyer’s account without their knowledge," he added.

There are a number of things you can do to protect yourself (and your bank account) from sinister scammers and their mischievous malware.

From reports so far, the scammers are targeting Android-based phones as iOS devices do not use APKs and iPhone users can only install apps from the Apple Store.

For Android users, do not download apps from anywhere else other than Google's Play Store and make sure that the "unknown sources" setting for app downloads is turned off on your phone.

It will be turned off by default, so the scammers will try to convince you to turn it on. Just don't listen to them.

Reputable businesses that use apps as part of their services would distribute their app via legitimate channels, i.e. the Play Store.

Don't ignore the pop-up asking you to update your device's OS. Updating your phone is the best way to get the latest fixes and security patches.

Be wary of social engineering scams. Scammers will send phony texts meant to collect personal data, and email malicious links and attachments in the hopes that they can gain access to your bank account.

Talking about bank accounts, cybercriminals are very good at spoofing banking apps and websites, so make sure the app or site you are typing your username and password into is actually from your bank.

Finally, view any communications from unknown sources as suspicious. If it seems fishy, it very likely is.

References:

1. https://www.thestar.com.my/news/nation/2022/04/26/when-part-time-maids-are-just-a-decoy

2. https://www.thestar.com.my/news/nation/2022/02/11/cops-warn-public-of-new-scam-using-android-app

3. https://blog.malwarebytes.com/101/2016/09/top-10-ways-to-secure-your-mobile-phone/
