Spotted an incredible deal on a high-capacity thumb drive on a trusted e-commerce ­website?

What seems like an impossibly fantastic steal can quickly turn into yet another case of something being “too good to be true” when the device winds up being nothing more than a cleverly ­disguised fake – especially when files go missing due to corrupted data.

A simple search for a “thumb drive” on local e-­commerce platforms and even Google brings up countless fraudulent listings for these ­storage devices, with each ­claiming a much higher storage capacity than it actually contains, at a fraction of their actual ­market price.

According to Siraj Jalil, ­president of Malaysia Cyber Consumer Association (MCCA), such counterfeits are nothing new, with them having been sold at pasar malam for ­significantly cheaper prices even before the widespread availability of online shopping.

“It’s not weird that these types of fake products are being sold through e-commerce ­platforms, because that’s the current ­scenario, where everyone is ­selling through such ­platforms,” he says.

Too good to be true

To verify that these ­suspicious listings for such USB drives were actually fake, LifestyleTech ordered one from a local e-commerce platform to test prior to the Hari Raya ­holidays.

Siraj says counterfeit pendrives are not new, with them having been sold at pasar malams before the widespread availability of online shopping. — SIRAJ JALIL

Priced at about RM15 (RM20 with shipping), the seller claims that the device has a 2TB storage capacity. For context, a 2TB thumb drive from a reputable brand costs US$179.99 (RM793), making this USB drive either an obvious scam or the deal of a lifetime.

The seller also offered thumb drives with 512GB and 1TB capacities, at just a few ringgit difference in price.

Upon testing with ValiDrive, a software tool made specifically to detect fraudulent USB drives, it was found that the thumb drive only had a validated capacity of 18.2GB, far smaller than the claimed 2TB by the seller.

The listing for this device had thousands of purchases and ­largely positive user reviews, though when sorted by one-star ­ratings, some users highlighted that the device was a counterfeit that reported an exaggerated storage capacity.

Follow-up checks in early April revealed that the listing has since been removed by the e-commerce platform and the seller has been banned, though similar listings from other sellers remain, likewise accruing thousands of sales and mostly five-star reviews.

In response to LifestyleTech, e-commerce platform Lazada said it is “committed to maintaining a safe and reliable e-commerce environment” for its customers, using “deep tech and data ­science” to detect and remove fraudulent sellers.

However the company acknowleges that “malicious agents continually evolve to bypass enforcement”, and thus urges users to report “any infringing products or ­suspicious items”.

Meanwhile, a Shopee spokesperson says the platform is ­committed to providing a safe shopping experience to its ­customers, pointing out that the platform withholds payments to sellers in escrow until buyers have acknowledged the receipt of the item in good condition.

“In addition, we require sellers to comply with local regulations and our prohibited items ­policies. Listings found to have violations of our terms of use will be removed.

“We would also like to encourage users to reach out to Shopee if they encounter similar listings on our platform,” the spokesperson adds.

Underhanded tactics

Shee Tze Jin, an expert with Taylor’s University Makerspace, says that these USB drives usually report a much higher capacity than they have in reality due to modified firmware, which rewrites older data once the real limit is reached, resulting in data loss and file corruption.

A makerspace is a collaborative space used to invent and experiment with tools and technology, commonly for prototyping electronics, building mechanical projects, 3D printing, coding, and other STEM-related work.

“Think of finding files on a drive like looking up information in a giant book. Your computer uses a table of contents (an index) to know the page number where each piece of information (your file) is stored.

Shee says it can be tricky to spot fakes, as counterfeiters often reuse genuine parts like the device housing and packaging. — IZZRAFIQ ALIAS/The Star

“What counterfeit drives do is create a fake table of contents. This fake table tells the computer the ‘book’ has thousands of pages (lots of storage space), even when it only has a few dozen real pages.

“Usually, what happens is scammers set up an online store selling very high-capacity thumb drives cheaply.

“Buyers purchase them, see the large capacity reported by their computer, and happily start using them.

“The seller then closes the online store quickly (often within weeks), making it impossible or very difficult to get a refund, especially since proving that the drive reports a fake capacity can be ­troublesome,” he says.

While Siraj says that the MCCA has not received any reports on such products lately, he believes that consumers who fall victim to such scams often forgo lodging official complaints.

“If a consumer only spends RM10 or RM20, they might not even bother trying to get their money back.

“Instead, they’ll often just buy a new one and consider the whole scenario a ­lesson to learn from,” Siraj says.

He further highlights that taking action would require ­consumers to jump through hoops, be it those present in the refund ­process on e-commerce ­platforms or perhaps even bringing the case to the Tribunal for Consumer Claims.

Digital literacy is key

“Malaysians have a very big problem right now, because we have never been educated about how to be a good ­consumer, but we think that we are.

“We learn about ethics, but we never learned about being (digitally) literate consumers,” says Siraj.

He adds that there is a constant demand for cheaper products from Malaysian consumers, which leaves them vulnerable to being duped by such counterfeits.

Siraj believes that awareness is key to ensure that consumers don’t fall victim to such fraudulent products and other potential scams.

“To begin with, these sellers are already with bad intent by selling thumb drives with fake capacities. So what’s stopping them from also planting spyware to monitor the activity on your devices?

Hackers can use USB to emulate a keyboard or an input device, Fong says, adding that hackers can program such a pendrive to automatically create malware within a computer when plugged in. — Pexels

“All it takes is one connection to your device, and you’ll be in trouble,” he says, further ­adding that there have been similar cases with USB cables at airports being hijacked by cybercriminals to install ­spyware on devices – a ­phenomenon known as “juice jacking”.

CEO and founder of cyber-­security firm LGMS Fong Choong Fook concurs, ­saying he has encountered similar cases in the past involving fake SD cards. According to him, the cybersecurity risks ­involving these ­devices are very real.

“From a cybersecurity ­standpoint, hackers can use USB drives to emulate a ­keyboard or an input device,” he says, adding that hackers can program such a thumb drive to automatically ­transfer malware to a ­computer when plugged in.

“This is a very common ­method for hackers to gain control of the ­computers.”

Shee similarly says that such malware can be used by bad actors to capture passwords and encrypt files for ­ransomware, before ­subsequently being ­ransomed for money.

Telltale signs

Shoppers who may have ­inadvertently ­purchased such products may encounter the ­telltale signs of a ­counterfeit after ­receiving their order. For instance, the device ordered by LifestyleTech for testing came in shoddy packaging.

While marked with well-known branding and labels, the plastic container it was in was secured by staples rather than being ­properly sealed like the real thing being sold by ­legitimate sellers.

The packaging also had an odd label on the back with what appears to be a product ID and QR code, which opens up a TXT file containing the same text when scanned, rather than a website or manual that a ­customer would normally expect to get with a product like this.

Fong says the cybersecurity risks involving these counterfeit devices are very real. — ART CHEN/The Star

The thumb drive itself had a recognisable logo on the outer housing, but when disassembled did not have any discernible branding on the circuit board, aside from the logo of a storage chip manufacturer on the chip.

Memory chips are a type of storage component used to retain data, commonly found in USB drives, SSDs, and storage devices. The memory chip ­manufacturer is a major ­supplier of these memory chips, providing components to a wide range of electronics ­manufacturers worldwide.

The inner case also had moulded text which reads “Tpye C”, a presumed ­misspelling of “Type-C”, further indicating that it may be a counterfeit.

Shee further explains: “The primary rule is: if the price seems too low for the ­advertised capacity, especially if the capacity is very high, there’s an extremely high chance that it’s a fake USB drive. This is because the market price for ­storage memory is ­actually quite stable.

“There’s simply no way a ­seller can ­legitimately sell you a high-capacity drive, like 1TB or 2TB, at such a low cost, for example, around RM100, when the cost of the raw storage ­components alone for 1TB is typically already over RM200,” he says.

What can be done?

From Siraj’s perspective, ­measures to prevent the sale of such fraudulent devices should come from the e-commerce platforms that host these ­listings.

“By right, the responsibility for this kind of thing should fall on the platforms, because they will receive profit out of it. In what world can you receive profit for something, but are not held responsible for what’s going on?” he asks.

Fong further calls for ­greater penalties and screening ­measures by e-commerce ­platforms on ­vendors to prevent these sorts of products from being listed in the first place.

Fong also advises adhering to the old adage of “if it seems too good to be true, it probably is”, recommending that shoppers avoid unknown sellers and be wary of items being sold for too low a price.

He does acknowledge that it can be hard to tell for an ­average consumer.

“The best in that case would be for consumers to buy from somewhere reliable or a ­recognisable website that offers better assurance that a product is legitimate,” he says.

Shee agrees that it can be tricky to spot fakes being sold online at a glance, as ­counterfeiters often reuse ­certain genuine parts like the device housing and packaging.

He further advises that ­shoppers only purchase such devices from official channels, such as authorised brand ­outlets, verified malls on e-commerce websites, and ­official stores, as untrustworthy sellers often use big brand names on online ­channels or in smaller shops to sell their fakes.

Siraj also urges consumers not to buy counterfeit products, and for those who have fallen victim to such scams to lodge reports via the proper channels to ensure that action is taken, and to raise public awareness.